Computer Hope

Software => Computer viruses and spyware => Topic started by: kjames on August 06, 2008, 07:35:48 AM

Title: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 06, 2008, 07:35:48 AM
I printed out the guidelines and downloaded and renamed the files to pin and will start working through them tonight or tomorrow. Is it possible that the virus could be knocking out Windows Automatic Updates as well as Explorer, Firefox, System Restore, etc.? Thanks for the help! Stay tuned, this could be a tough one!

Also, I think I got the virus through an email downloaded to Outlook. Is it possible to trace it to a specific email?

thanks again

 
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: Carbon Dudeoxide on August 06, 2008, 07:52:00 AM
Quote
i printed out the guidelines and downloaded and renamed the files to pin and will start working through them tonight or tomorrow.
Are these the guidelines here?:
http://www.computerhope.com/forum/index.php/topic,46313.0.html

Quote
also i think i got the virus through an email downloaded to outlook, is it possible to trace it to a specific email?
If you think you got it from your email, it would have to be sent as an attachment.
Look for any recent emails with an attachment.
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 06, 2008, 07:57:18 AM
Yes, those are the guidelines I printed... most emails I receive do have attachments, so it will be difficult to trace it that way... thank you
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: Carbon Dudeoxide on August 06, 2008, 07:59:24 AM
Once you post the three logs, one of our Malware Specialists will help you from there.

Good Luck  ;)
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 07, 2008, 08:41:21 PM
Here's the first post... thanks again

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2008 at 07:11 PM

Application Version : 4.15.1000

Core Rules Database Version : 3529
Trace Rules Database Version: 1519

Scan type       : Complete Scan
Total Scan Time : 01:41:30

Memory items scanned      : 452
Memory threats detected   : 1
Registry items scanned    : 5949
Registry threats detected : 14
File items scanned        : 97188
File threats detected     : 39

Adware.Vundo Variant/Resident
   C:\WINDOWS\SYSTEM32\KHFETNOO.DLL
   C:\WINDOWS\SYSTEM32\KHFETNOO.DLL

Trojan.Vundo-Variant/Small-GEN
   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13555008-AEB1-4B16-A90B-FA199DFD30B4}
   HKCR\CLSID\{13555008-AEB1-4B16-A90B-FA199DFD30B4}
   HKCR\CLSID\{13555008-AEB1-4B16-A90B-FA199DFD30B4}\InprocServer32
   HKCR\CLSID\{13555008-AEB1-4B16-A90B-FA199DFD30B4}\InprocServer32#ThreadingModel

Browser Hijacker.Internet Explorer Zone Hijack
   HKU\S-1-5-21-4136965111-1373586170-1542207881-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com
   HKU\S-1-5-21-4136965111-1373586170-1542207881-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\amaena.com#*
   HKU\S-1-5-21-4136965111-1373586170-1542207881-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com
   HKU\S-1-5-21-4136965111-1373586170-1542207881-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\imagesrvr.com#*

Trojan.Unknown Origin
   HKLM\Software\xpre
   HKLM\Software\xpre#execount

Trojan.Media-Codec
   C:\Documents and Settings\Kenneth L. James II\Favorites\Online Security Test.url

Adware.Vundo Variant/Rel
   HKLM\SOFTWARE\Microsoft\aoprndtws
   HKLM\SOFTWARE\Microsoft\FCOVM
   HKLM\SOFTWARE\Microsoft\RemoveRP
   HKU\S-1-5-21-4136965111-1373586170-1542207881-1006\Software\Microsoft\rdfa
   C:\WINDOWS\SYSTEM32\MCRH.TMP

Adware.Tracking Cookie
   C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][1].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
   C:\Documents and Settings\Guest\Cookies\guest@atwola[2].txt
   C:\Documents and Settings\Guest\Cookies\guest@belnk[1].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
   C:\Documents and Settings\Guest\Cookies\guest@nextag[1].txt
   C:\Documents and Settings\Guest\Cookies\guest@partner2profit[2].txt
   C:\Documents and Settings\Guest\Cookies\guest@qnsr[2].txt
   C:\Documents and Settings\Guest\Cookies\[email protected][2].txt
   C:\Documents and Settings\Kenneth L. James II\Cookies\kenneth l. james [email protected][2].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][2].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@atwola[1].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@eyewonder[2].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@interclick[1].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@nextag[2].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@partner2profit[1].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@pbteen[2].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\[email protected][1].txt
   C:\Documents and Settings\Kristin\Cookies\kristin@xiti[1].txt

Adware.Vundo Variant
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP577\A0079333.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP585\A0080611.DLL
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP591\A0082552.DLL
   C:\WINDOWS\SYSTEM32\FELRET.DLL
   C:\WINDOWS\SYSTEM32\NOOKAQXX.DLL
   C:\WINDOWS\SYSTEM32\PLCOPUMM.DLL
   C:\WINDOWS\SYSTEM32\QDUFGEFM.DLL
   C:\WINDOWS\SYSTEM32\SKUEMBPA.DLL

Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 07, 2008, 08:56:07 PM
SAS picked up a few things, which should help a bit.  If you can also post (or attach) the MBAM and HJT logs, I'll be happy to take a closer look for you.
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 07, 2008, 08:59:52 PM
Thanks CBMatt, here's MBAM

Malwarebytes' Anti-Malware 1.24
Database version: 1031
Windows 5.1.2600 Service Pack 2

10:56:07 PM 8/7/2008
mbam-log-8-7-2008 (22-56-07).txt

Scan type: Quick Scan
Objects scanned: 73024
Time elapsed: 17 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jgimxuyv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfETnoO.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{683df58f-1293-47e4-9a46-08ecf91e4a11} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{683df58f-1293-47e4-9a46-08ecf91e4a11} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1029b77a (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm131a84e6 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfetnoo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\khfetnoo -> Delete on reboot.

Folders Infected:
C:\Program Files\xloadnet (Adware.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\khfETnoO.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\OonTEfhk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\OonTEfhk.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jgimxuyv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vyuxmigj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ochignyy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yyngihco.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cnrkhcqv.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\webmwbcf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM131a84e6.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM131a84e6.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 07, 2008, 09:01:35 PM
MBAM could not delete all, I just rebooted...
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 07, 2008, 09:11:24 PM
HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:46 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DADS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DADS" /O15 "\\DADS\EPSONSty" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5348/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGvvTJC - hgGvvTJC.dll (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 10158 bytes


 

Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 07, 2008, 10:17:38 PM
I'm being called out to fix a friend's computer and I can't deal with your log just yet because you have Word Wrap enabled in Notepad, which makes your log difficult to read.  But as soon as I get back, I'll sort through it and get back to you with my findings.
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 08, 2008, 05:54:59 AM
CB, I'm not sure what all the steps did, but the CPU seems to be working better and Windows Updates is working too... let me know if you want me to try and post the logs another way... thanks again

Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 08, 2008, 06:38:00 AM
Hey there, I actually just got through with taking a better look at your log.  Before we get started, go ahead and open Notepad and then click on Format and uncheck Word Wrap.

Now, with that taken care of, let's make sure Vundo's gone...
1. Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone (http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe) and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file.  Please locate this file and paste the contents in your next post.




And now for your HijackThis log...
Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com

O20 - Winlogon Notify: hgGvvTJC - hgGvvTJC.dll (file missing)


Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode (http://www.computerhope.com/issues/chsafe.htm) and enable hidden files and folders (http://www.computerhope.com/issues/ch000516.htm).

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

FunWebProducts
MySearch or MyWay

Please note any other programs that you don't recognize in that list in your next response.

Navigate to and delete the following file(s) if present...

C:\WINDOWS\system32\hgGvvTJC.dll  (This file should be gone, but look for it just in case.)

Once you've done all of this, reboot into Normal Mode and post a new HijackThis log (along with the VundoFix and VBG logs) so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.
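The triage CBMatt walks through above (undoing Notepad's Word Wrap, then picking out the R1 ProxyServer entry, the R1 home/search pages, the O15 Trusted Zone additions and the orphaned O20 Winlogon Notify entry) can be automated. This is an added example, not code from the thread or from HijackThis; the log text inside it is a constructed, cut-down copy of the log pasted earlier in this thread, and the unwanted-host list is an assumption taken from the entries he ticked.

```python
"""Triage a HijackThis (HJT) log the way the helper in this thread did.

Added example, not part of HijackThis. Step 1 rejoins entries that
Notepad's Word Wrap split over several lines; step 2 flags the entry
classes ticked in the thread: R0/R1 pages pointing at an unwanted host,
the leftover ProxyServer ":0" value, every O15 Trusted Zone addition,
and an O20 Winlogon Notify DLL that is missing or given without a path.
"""
import re
from urllib.parse import urlparse

# Entry prefixes HijackThis 2.x emits: R0-R3, F0-F3, N1-N4, O1-O24
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed sample: a cut-down, word-wrapped copy of the log above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:46 PM, on 8/7/2008

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyServer = :0
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: http://*.mcafee.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program
Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: hgGvvTJC - hgGvvTJC.dll (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 10158 bytes
"""


def unwrap(log_text):
    """Return the log's entries, one string each, with wrapped lines rejoined.

    A line that does not start with an entry prefix and follows an entry is
    treated as that entry's tail (joined with a space; a break inside a long
    URL may therefore gain a space, which the rules below do not depend on).
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("--"):          # footer: "--" / "End of file - N bytes"
            break
        if ENTRY_RE.match(line):
            entries.append(line)
        elif entries:                      # continuation of the previous entry
            entries[-1] += " " + line
    return entries


def _host_matches(host, hosts):
    return any(host == h or host.endswith("." + h) for h in hosts)


def triage(entries, unwanted_hosts=frozenset()):
    """Return (reason, entry) pairs for the entries worth ticking in Fix Checked."""
    findings = []
    for entry in entries:
        kind = entry.split(" - ", 1)[0]
        if kind in ("R0", "R1"):
            key, _, value = entry.partition(" = ")
            if "ProxyServer" in key:
                if value.strip() in ("", ":0"):      # empty host:port left behind
                    findings.append(("leftover empty ProxyServer value", entry))
            else:
                host = urlparse(value.strip()).hostname or ""
                if _host_matches(host, unwanted_hosts):
                    findings.append((f"IE page/search URL points at {host}", entry))
        elif kind == "O15":
            # Every Trusted Zone addition lowers IE's protection for that site;
            # the helper ticked all of them, the vendor one included.
            findings.append(("site added to IE Trusted Zone", entry))
        elif kind == "O20":
            target = entry.rsplit(" - ", 1)[-1]
            if "(file missing)" in target:
                findings.append(("orphaned Winlogon Notify entry, DLL missing", entry))
            elif "\\" not in target:
                findings.append(("Winlogon Notify DLL given without a path, review", entry))
    return findings


def triage_log(log_text, unwanted_hosts=frozenset()):
    return triage(unwrap(log_text), unwanted_hosts)


if __name__ == "__main__":
    # Hosts the helper chose to clear from this user's IE settings (assumption).
    for reason, entry in triage_log(SAMPLE_LOG, {"dell4me.com", "myway.com"}):
        print(f"[{reason}]\n    {entry}")
```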
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 08, 2008, 04:44:05 PM
Matt, I won't be at my CPU till tomorrow, but VundoFix found nothing and none of the requested files or programs were there either... am I clean? I'll get you one more HijackThis log tomorrow.... thanks again!
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 08, 2008, 04:52:12 PM
One more thing, should I remove any of the tools I downloaded? (HijackThis, CCleaner, etc.)
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 08, 2008, 06:14:19 PM
You're doing good so far.  I'm not quite ready to give you the clean bill of health, but we should be close.  I just want to check a couple more things...

Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

Go ahead and post that log along with a new HijackThis log.  When we're done with everything, you'll be able to remove these tools.
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 09, 2008, 05:46:22 AM
ComboFix 08-08-08.07 - Kenneth L. James II 2008-08-09  7:31:33.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.340 [GMT -4:00]
Running from: C:\cf2332\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kenneth L. James II\Application Data\inst.exe
C:\Documents and Settings\Kristin\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Program Files\Altnet
C:\WINDOWS\system32\aepeolid.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\bwmitnji.dll
C:\WINDOWS\system32\fmtujkfb.ini
C:\WINDOWS\system32\fvtqkihe.ini
C:\WINDOWS\system32\gpidridc.ini
C:\WINDOWS\system32\jpnnjm.dll
C:\WINDOWS\system32\khsshmnl.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nkpejpgh.ini
C:\WINDOWS\system32\pekilt.dll
C:\WINDOWS\system32\pomoscds.dll
C:\WINDOWS\system32\prcnsz.dll
C:\WINDOWS\system32\pvskwykr.ini
C:\WINDOWS\system32\skhhfwwf.ini
C:\WINDOWS\system32\srylkl.dll
C:\WINDOWS\system32\tmrsqopu.dll
C:\WINDOWS\system32\yiwsmjmo.dll

.
(((((((((((((((((((((((((   Files Created from 2008-07-09 to 2008-08-09  )))))))))))))))))))))))))))))))
.

2008-08-09 07:29 . 2008-08-09 07:29   <DIR>   d--------   C:\cf2332
2008-08-09 07:17 . 2008-08-09 07:17   <DIR>   d--------   C:\WINDOWS\LastGood
2008-08-08 08:25 . 2008-08-08 08:25   <DIR>   d--------   C:\WINDOWS\system32\scripting
2008-08-08 08:25 . 2008-08-08 08:25   <DIR>   d--------   C:\WINDOWS\system32\en
2008-08-08 08:25 . 2008-08-08 08:25   <DIR>   d--------   C:\WINDOWS\system32\bits
2008-08-08 08:25 . 2008-08-08 08:25   <DIR>   d--------   C:\WINDOWS\l2schemas
2008-08-08 08:22 . 2008-08-08 08:25   <DIR>   d--------   C:\WINDOWS\ServicePackFiles
2008-08-08 08:17 . 2008-08-08 08:44   1,355   --a------   C:\WINDOWS\imsins.BAK
2008-08-08 08:14 . 2008-08-08 08:14   <DIR>   d--------   C:\WINDOWS\EHome
2008-08-08 08:07 . 2008-04-13 20:12   1,737,856   ---------   C:\WINDOWS\system32\mtxparhd.dll
2008-08-08 08:06 . 2008-04-13 20:11   1,888,992   ---------   C:\WINDOWS\system32\ati3duag.dll
2008-08-08 08:05 . 2008-04-13 20:11   136,192   ---------   C:\WINDOWS\system32\aaclient.dll
2008-08-08 08:05 . 2008-04-13 20:11   4,255   ---------   C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,967   ---------   C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,775   ---------   C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,711   ---------   C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,647   ---------   C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,615   ---------   C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-08-08 08:05 . 2008-04-13 20:11   3,135   ---------   C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-08-08 07:35 . 2008-08-08 07:35   <DIR>   d--------   C:\Program Files\Sun
2008-08-08 07:34 . 2008-06-10 02:32   73,728   --a------   C:\WINDOWS\system32\javacpl.cpl
2008-08-08 07:32 . 2008-08-08 07:34   <DIR>   d--------   C:\Program Files\Java
2008-08-08 07:31 . 2008-08-08 07:31   <DIR>   d--------   C:\Program Files\Common Files\Java
2008-08-07 23:07 . 2008-08-07 23:07   <DIR>   d--------   C:\Program Files\Trend Micro
2008-08-07 22:36 . 2008-08-07 22:36   <DIR>   d--------   C:\Program Files\Malwarebytes' Anti-Malware
2008-08-07 22:36 . 2008-08-07 22:36   <DIR>   d--------   C:\Documents and Settings\Kenneth L. James II\Application Data\Malwarebytes
2008-08-07 22:36 . 2008-08-07 22:36   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-07 22:36 . 2008-07-30 20:07   38,472   --a------   C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-07 22:36 . 2008-07-30 20:07   17,144   --a------   C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 17:25 . 2008-08-07 17:25   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-07 17:24 . 2008-08-07 17:24   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
2008-08-07 17:24 . 2008-08-07 17:24   <DIR>   d--------   C:\Documents and Settings\Kenneth L. James II\Application Data\SUPERAntiSpyware.com
2008-08-07 17:16 . 2008-08-07 17:16   <DIR>   d--------   C:\Program Files\CCleaner
2008-07-31 23:31 . 2008-07-31 23:31   131   --a------   C:\Documents and Settings\Kenneth L. James II\reset.cmd
2008-07-29 09:59 . 2008-08-09 07:14   10,837   --a------   C:\WINDOWS\system32\Config.MPF
2008-07-29 09:58 . 2006-03-03 08:07   143,360   --a------   C:\WINDOWS\system32\dunzip32.dll
2008-07-29 09:54 . 2007-11-22 06:44   201,320   --a------   C:\WINDOWS\system32\drivers\mfehidk.sys
2008-07-29 09:54 . 2007-07-13 06:20   113,952   --a------   C:\WINDOWS\system32\drivers\Mpfp.sys
2008-07-29 09:54 . 2007-11-22 06:44   79,304   --a------   C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-07-29 09:54 . 2007-12-02 12:51   40,488   --a------   C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-07-29 09:54 . 2007-11-22 06:44   35,240   --a------   C:\WINDOWS\system32\drivers\mfebopk.sys
2008-07-29 09:54 . 2007-11-22 06:44   33,832   --a------   C:\WINDOWS\system32\drivers\mferkdk.sys
2008-07-29 09:09 . 2008-07-29 09:09   <DIR>   d--------   C:\Documents and Settings\Kenneth L. James II\Application Data\McAfee
2008-07-27 15:08 . 2008-07-27 15:08   <DIR>   d--------   C:\Documents and Settings\Kenneth L. James II\Application Data\MSNInstaller
2008-07-24 22:29 . 2008-07-24 22:29   <DIR>   d--------   C:\VundoFix Backups
2008-07-24 18:25 . 2008-07-24 18:25   <DIR>   d--------   C:\Program Files\Windows Defender
2008-07-24 17:20 . 2008-07-29 09:53   <DIR>   d--------   C:\Program Files\McAfee.com
2008-07-24 17:20 . 2008-07-24 17:26   <DIR>   d--------   C:\Program Files\McAfee
2008-07-24 17:20 . 2008-07-29 09:54   <DIR>   d--------   C:\Program Files\Common Files\McAfee
2008-07-22 10:59 . 2008-07-22 10:59   <DIR>   d--------   C:\WINDOWS\McAfee.com
2008-07-17 12:13 . 2008-07-17 12:14   <DIR>   d--------   C:\Program Files\Dell Support Center
2008-07-17 09:36 . 2008-07-17 09:36   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-07-17 09:36 . 2008-07-17 09:36   1,409   --a------   C:\WINDOWS\QTFont.for
2008-07-17 08:05 . 2008-07-17 08:12   <DIR>   d--------   C:\WINDOWS\system32\aumsDK01
2008-07-17 08:05 . 2008-07-17 08:05   <DIR>   d--------   C:\Temp\zpv201
2008-07-17 08:05 . 2008-07-17 08:05   <DIR>   d--------   C:\Temp

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-09 11:19   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-09 11:15   ---------   d-----w   C:\Program Files\YPOPs
2008-08-08 11:37   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-08 11:36   ---------   d-----w   C:\Documents and Settings\Kenneth L. James II\Application Data\Lavasoft
2008-08-07 21:31   ---------   d-----w   C:\Program Files\Google
2008-08-07 21:23   ---------   d-----w   C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 21:12   ---------   d-----w   C:\Program Files\Common Files\SupportSoft
2008-08-07 21:12   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-07-29 13:01   ---------   d-----w   C:\Program Files\Yahoo!
2008-07-29 13:01   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-29 12:56   ---------   d-----w   C:\Program Files\Jasc Software Inc
2008-07-24 22:29   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Dell
2008-07-24 21:27   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 21:00   ---------   d-----w   C:\Program Files\Symantec
2008-07-23 22:07   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-07-23 22:03   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-07-22 15:04   ---------   d-----w   C:\Program Files\ComcastToolbar
2008-07-22 15:04   ---------   d-----w   C:\Documents and Settings\Kenneth L. James II\Application Data\ComcastToolbar
2008-07-05 12:59   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Comcast
2008-06-20 17:46   245,248   ----a-w   C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:46   245,248   ------w   C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:46   147,968   ------w   C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 11:51   361,600   ----a-w   C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51   361,600   ------w   C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 11:40   138,496   ----a-w   C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40   138,496   ------w   C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 11:08   225,856   ----a-w   C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08   225,856   ------w   C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 12:19   ---------   d-----w   C:\Documents and Settings\Kristin\Application Data\COMCASTTOOLBAR
2008-06-13 12:18   ---------   d-----w   C:\Documents and Settings\Kristin\Application Data\Yahoo!
2008-06-13 11:05   272,128   ----a-w   C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05   272,128   ------w   C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-01 13:38   47,360   ----a-w   C:\Documents and Settings\Kenneth L. James II\Application Data\pcouffin.sys
2008-05-09 23:23   135,168   ----a-w   C:\WINDOWS\system32\SET55.tmp
2008-05-09 10:53   90,112   ----a-w   C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53   90,112   ------w   C:\WINDOWS\system32\dllcache\wshext.dll
2008-05-09 10:53   512,000   ----a-w   C:\WINDOWS\system32\SET5B.tmp
2008-05-09 10:53   512,000   ------w   C:\WINDOWS\system32\dllcache\jscript.dll
2008-05-09 10:53   430,080   ----a-w   C:\WINDOWS\system32\SET58.tmp
2008-05-09 10:53   430,080   ------w   C:\WINDOWS\system32\dllcache\vbscript.dll
2008-05-09 10:53   180,224   ----a-w   C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53   180,224   ------w   C:\WINDOWS\system32\dllcache\scrobj.dll
2008-05-09 10:53   172,032   ----a-w   C:\WINDOWS\system32\SET59.tmp
2008-05-09 10:53   172,032   ------w   C:\WINDOWS\system32\dllcache\scrrun.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 16:56   160496   --a------   C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-06-16 07:03 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 07:03 81920]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
"Auto EPSON Stylus CX3800 Series on DADS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-07 15:00 98304]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-06-21 13:40 172032]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 09:23 202544]

C:\Documents and Settings\Kenneth L. James II\Start Menu\Programs\Startup\
YPOPs.lnk - C:\Program Files\YPOPs\YPOPs.exe [2008-07-28 23:03:26 1327104]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2003-08-29 16:33:24 499779]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2007-03-15 11:09 460784 C:\Program Files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2007-11-15 09:23 202544 C:\Program Files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
--a------ 2007-11-15 09:24 16384 C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2002-01-08 12:24 401496 C:\Program Files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2004-05-12 15:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2004-02-12 13:38 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 20:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-08-23 11:42 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2005-08-23 11:42 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 20:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2006-08-20 16:20]
R3 uscsc108;uscsc108;C:\WINDOWS\system32\DRIVERS\uscsc108.sys [2003-03-09 19:41]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-08-06 C:\WINDOWS\Tasks\dfrg.job
- C:\WINDOWS\system32\dfrg.msc [2004-08-04 06:00]

2008-07-24 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-08-09 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-OCAudioIni - C:\Program Files\One-click Audio Converter\OCAudioIni.exe
MSConfigStartUp-xloadnet - C:\Program Files\xloadnet\xloadnet.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Kenneth L. James II\Application Data\Mozilla\Firefox\Profiles\jercr24b.default\
FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
FF -: plugin - C:\Program Files\Google\Google Updater\2.2.1172.2021\npCIDetect11.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 07:36:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-09  7:39:02
ComboFix-quarantined-files.txt  2008-08-09 11:38:15

Pre-Run: 5,340,323,840 bytes free
Post-Run: 5,661,806,592 bytes free

264   --- E O F ---   2008-08-09 11:27:30
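The "Reg Loading Points" section of the ComboFix log above shows Windows Security Center notifications suppressed, monitoring disabled for the McAfee antivirus and firewall entries, and the Windows Firewall standard profile switched off. Those are the settings a helper should look at first when triaging such a log, so here is an added example (not part of the poster's log or any ComboFix tooling) that parses that REGEDIT4-style section and lists the weakened settings. The sample text is an excerpt copied from the log above; the parsing rules, function names and the wording of the findings are the example author's own assumptions.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not part of the forum post or of ComboFix. It parses the
REGEDIT4-style key/value lines ComboFix prints and reports settings that
silence Windows Security Center or turn the Windows Firewall off.
"""
import re
from typing import Dict, List

# Constructed excerpt, copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# ComboFix prints DWORD values either in REGEDIT4 syntax ("name"=dword:00000001)
# or as a decimal followed by the hex form in parentheses ("name"= 0 (0x0)).
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"\s*=\s*'
    r'(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))\s*$'
)

# Security Center value names that suppress its warnings (real value names).
NOTIFY_FLAGS = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_loading_points(text: str) -> Dict[str, Dict[str, int]]:
    """Return {registry key: {value name: integer}} for the DWORD-style lines."""
    result: Dict[str, Dict[str, int]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group("key")
            result.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            if value_match.group("hex") is not None:
                value = int(value_match.group("hex"), 16)
            else:
                value = int(value_match.group("dec"))
            result[current][value_match.group("name")] = value
    return result


def security_center_findings(parsed: Dict[str, Dict[str, int]]) -> List[str]:
    """List the settings that weaken Security Center or the Windows Firewall."""
    findings: List[str] = []
    for key, values in parsed.items():
        lowered = key.lower()
        if lowered.endswith("\\security center"):
            for flag in NOTIFY_FLAGS:
                if values.get(flag) == 1:
                    findings.append(f"Security Center: {flag}=1 (warnings suppressed)")
        elif "\\security center\\monitoring\\" in lowered:
            product = key.rsplit("\\", 1)[-1]
            if values.get("DisableMonitoring") == 1:
                findings.append(f"Security Center: monitoring disabled for {product}")
        elif lowered.endswith("\\firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall") == 0:
                findings.append("Windows Firewall: standard profile off (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for finding in security_center_findings(parse_loading_points(SAMPLE_LOG)):
        print(finding)
```

Run against the excerpt it reports four findings: the suppressed antivirus warning, the two McAfee monitoring entries and the disabled firewall profile. A product that reports its own status to Security Center may legitimately set DisableMonitoring for itself, so treat each line as a prompt to confirm with the user that they made the change, not as proof of tampering by the infection.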
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 09, 2008, 05:47:36 AM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:46:54 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX3800 Series on DADS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P39 "Auto EPSON Stylus CX3800 Series on DADS" /O15 "\\DADS\EPSONSty" /M "Stylus CX3800"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/DataServer/Pub/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/FujifilmUploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5348/mcfscan.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9391 bytes
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 10, 2008, 03:20:12 AM
Your HJT looks clean.  I would keep running the SUPERAntiSpyware and MBAM scans, but you should be okay.

To uninstall ComboFix, simply go to Start > Run and type in combofix /u (note the space between "combofix" and "/u") and click on OK.  As for VundoFix and VirtumondoBeGone, you can simply delete them.  You can also uninstall HijackThis if you'd like, but I would keep it.

Next, reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files.  This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
To keep your operating system up to date visit here monthly:
And to keep your system clean run these free malware scanners weekly:
And be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place? (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: kjames on August 10, 2008, 06:45:41 AM
Matt, thanks! cpu seems to be working well... I downloaded the programs you recommended... should i remove mcafee (free with internet) and windows defender (downloaded it for XP)?
Title: Re: Shocking, Torjan Vundo help please... >:(
Post by: CBMatt on August 11, 2008, 06:42:15 AM
That's up to you, really.  I think McAfee is subpar, but if you want to keep it, then feel free.  However, if you wish to remove McAfee, then you should follow the instructions on this page (http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033).  As a replacement, Avast! and AVG are good free programs.

As for Windows Defender...I would say that SUPERAntiSpyware is a much better program, but it is okay to have both programs (just don't run them at the same time), so the decision is yours.