Topic: Rundll Error - HiJackThis Included  (Read 25055 times)

zjt228

  • Guest
Rundll Error - HiJackThis Included
« on: September 24, 2007, 04:29:59 PM »
I've been getting this error:

RUNDLL
Error Loading
C:Windows/System32

Here's the logsheet from HiJackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:35 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1140116236\ee\aexplore.exe
C:\Documents and Settings\Zach\Desktop\HiJackThis.exe

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #1 on: September 24, 2007, 04:30:40 PM »
Part two:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {612B2903-E451-4738-B05D-48C0187CC963} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [E-Gold] C:\WINDOWS\TEMP\VRR15F.tmp
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mulhpnix.dll",sitypnow
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: [email protected] = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #2 on: September 24, 2007, 04:31:00 PM »
Part three:

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12209 bytes



Thanks for any help. 

patio

  • Moderator


Re: Rundll Error - HiJackThis Included
« Reply #3 on: September 24, 2007, 05:36:48 PM »
Go to Start/Run and type in sfc /scannow and hit Enter...have your XP CD handy as it will probably ask for it.
Re-boot and see if the error message goes away.
" Anyone who goes to a psychiatrist should have his head examined. "

CBMatt

  • Mod & Malware Specialist


Re: Rundll Error - HiJackThis Included
« Reply #4 on: September 25, 2007, 12:43:22 AM »
In addition to patio's advice...

1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file.  Please locate this file and paste the contents in your next post.



Post these logs along with a new HijackThis log and we'll take it from there.
Quote
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #5 on: September 25, 2007, 02:42:51 PM »
Here's the VundoFix file:


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:27:58 PM 9/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\mulhpnix.dll
C:\WINDOWS\system32\xinphlum.ini

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\xinphlum.ini
C:\WINDOWS\system32\xinphlum.ini Has been deleted!

Performing Repairs to the registry.
Done!

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #6 on: September 25, 2007, 03:23:54 PM »
VBG file


[09/25/2007, 17:15:20] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Zach\Desktop\VirtumundoBeGone.exe" )
[09/25/2007, 17:15:26] - Detected System Information:
[09/25/2007, 17:15:26] -  Windows Version: 5.1.2600, Service Pack 2
[09/25/2007, 17:15:26] -  Current Username: Zach (Admin)
[09/25/2007, 17:15:26] -  Windows is in SAFE mode with Networking.
[09/25/2007, 17:15:26] - Searching for Browser Helper Objects:
[09/25/2007, 17:15:26] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/25/2007, 17:15:26] -  BHO 2: {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} ()
[09/25/2007, 17:15:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/25/2007, 17:15:26] -  No filename found. Continuing.
[09/25/2007, 17:15:26] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[09/25/2007, 17:15:26] -  BHO 4: {72BDBFC0-3394-4944-BE07-BC05CF5049BE} ()
[09/25/2007, 17:15:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/25/2007, 17:15:26] -  Checking for HKLM\...\Winlogon\Notify\dmscrip
[09/25/2007, 17:15:26] -  Key not found: HKLM\...\Winlogon\Notify\dmscrip, continuing.
[09/25/2007, 17:15:26] -  BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/25/2007, 17:15:26] -  BHO 6: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
[09/25/2007, 17:15:26] -  BHO 7: {837B45D6-BF85-457D-AABF-6D2E7815F791} ()
[09/25/2007, 17:15:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/25/2007, 17:15:26] -  No filename found. Continuing.
[09/25/2007, 17:15:26] -  BHO 8: {A7327C09-B521-4EDB-8509-7D2660C9EC98} (Viewpoint Toolbar BHO)
[09/25/2007, 17:15:26] -  BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/25/2007, 17:15:26] -  BHO 10: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[09/25/2007, 17:15:26] -  BHO 11: {C2F579EF-880D-4E08-8978-970BF0577F91} ()
[09/25/2007, 17:15:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/25/2007, 17:15:26] -  Checking for HKLM\...\Winlogon\Notify\awtqo
[09/25/2007, 17:15:26] -  Key not found: HKLM\...\Winlogon\Notify\awtqo, continuing.
[09/25/2007, 17:15:26] - Finished Searching Browser Helper Objects
[09/25/2007, 17:15:26] - Finishing up...
[09/25/2007, 17:15:26] - Nothing found! Exiting...

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #7 on: September 25, 2007, 03:25:36 PM »
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:14 PM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1140116236\ee\aexplore.exe
C:\Documents and Settings\Zach\Desktop\HiJackThis.exe

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #8 on: September 25, 2007, 03:26:11 PM »
Part 2:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {C2F579EF-880D-4E08-8978-970BF0577F91} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [E-Gold] C:\WINDOWS\TEMP\VRR15F.tmp
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\jkcwmoxr.dll",sitypnow
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: [email protected] = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #9 on: September 25, 2007, 03:26:38 PM »
Part 3:

 http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12209 bytes


Thanks again!

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #10 on: October 02, 2007, 07:07:38 PM »
Ugh, my computer just started randomly restarting the past few days....here's another HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:56 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\AIM6\aolsoftware.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OneStepSearch\onestep.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\aol\1140116236\ee\aexplore.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Documents and Settings\Zach\Desktop\HiJackThis.exe


zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #11 on: October 02, 2007, 07:08:31 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {F2E88892-E725-48CD-B171-8E20B4C221CE} - C:\WINDOWS\system32\awtqo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [E-Gold] C:\WINDOWS\TEMP\VRR15F.tmp
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\klkjavix.dll",sitypnow
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD@ccess.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #12 on: October 02, 2007, 07:09:20 PM »
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 12434 bytes

CBMatt

  • Mod & Malware Specialist


Re: Rundll Error - HiJackThis Included
« Reply #13 on: October 03, 2007, 09:03:06 AM »
Go ahead and check out this page...
http://www.bleepingcomputer.com/files/smitfraudfix.php

Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.

I would then like for you to do the following...
1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.
5. The program normally produces a VBG.txt file.  Please locate this file and paste the contents in your next post.



After you have done that, we can then address your log...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {F2E88892-E725-48CD-B171-8E20B4C221CE} - C:\WINDOWS\system32\awtqo.dll

O4 - HKLM\..\Run: [E-Gold] C:\WINDOWS\TEMP\VRR15F.tmp
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\klkjavix.dll",sitypnow
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML

O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

Video ActiveX Access
Viewpoint


Please note any other programs that you don't recognize in that list in your next response.

Navigate to and delete the following folder(s) if present...

C:\Program Files\Video ActiveX Access
C:\Program Files\Viewpoint


Navigate to and delete the following file(s) if present...

C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\dmscrip.dll
C:\WINDOWS\system32\klkjavix.dll


Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.
Quote
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey
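
A first-pass triage over HijackThis log lines like the ones discussed above, as an added example that is not part of CBMatt's post and not HijackThis's own logic. The rule names and patterns are assumptions of this example, and the sample lines are copied from the log posted in this thread; the script flags only structural oddities, so judgments that depend on knowing a product (the Viewpoint entries, for instance) are outside what it checks.

```python
import re

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [E-Gold] C:\WINDOWS\TEMP\VRR15F.tmp
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\klkjavix.dll",sitypnow
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O22 - SharedTaskScheduler: clinker - {a4029063-4fe3-422c-ac72-12905c09642a} - (no file)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
# "<kind>: <name> - {CLSID} - <target>" (O2, O3, O9, O22 style lines)
CLSID_ITEM = re.compile(
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
# "<location>: [<value name>] <command>" (O4 registry autoruns)
AUTORUN = re.compile(r"^(?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$")

# Heuristic patterns (assumptions of this example).
SYSTEM32_DLL = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)
TEMP_PATH = re.compile(r"\\temp\\|\.tmp\b", re.I)
RUNDLL32 = re.compile(r'(^|\\)rundll32(\.exe)?"?\s', re.I)
FILE_LIKE = re.compile(r"\.(dll|exe|sys)$", re.I)


def parse_line(line):
    """Split one log line into its fields; return None for non-entry lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = {"code": m["code"], "body": m["body"]}
    sub = CLSID_ITEM.match(m["body"]) or AUTORUN.match(m["body"])
    if sub:
        entry.update(sub.groupdict())
    return entry


def triage(entry):
    """Return the list of heuristic reasons an entry deserves a closer look."""
    reasons = []
    name = entry.get("name", "")
    target = entry.get("target", "")
    command = entry.get("command", "")

    # Registration still present although the file it points to is gone.
    if target == "(no file)":
        reasons.append("orphaned-registration")
    # Browser Helper Object with no display name loading a DLL from system32.
    if entry["code"] == "O2" and name == "(no name)" and SYSTEM32_DLL.match(target):
        reasons.append("unnamed-bho-system32")
    if entry["code"] == "O4" and command:
        # Autorun that starts something out of a temp directory or a .tmp file.
        if TEMP_PATH.search(command):
            reasons.append("autorun-from-temp")
        # Autorun that loads a DLL through rundll32 instead of a normal program.
        if RUNDLL32.search(command):
            reasons.append("autorun-via-rundll32")
        # Value name looks like a file name but the command runs a different file.
        if FILE_LIKE.search(name) and name.lower() not in command.lower():
            reasons.append("autorun-name-mimics-file")
    return reasons


def triage_log(text):
    """Return (line, reasons) pairs for every entry that matched a heuristic."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(", ".join(reasons))
        print("    " + line)
```

A hit is a prompt to look the entry up, not a verdict; clean entries can match and unwanted ones can pass.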

zjt228

  • Guest
Re: Rundll Error - HiJackThis Included
« Reply #14 on: October 03, 2007, 10:34:37 PM »
Thanks a ton, I will get on this tomorrow. 

unlovedwarrior



    Re: Rundll Error - HiJackThis Included
    « Reply #15 on: October 03, 2007, 11:51:33 PM »
    That's a trojan horse. Use SUPERAntiSpyware to remove it after you follow chris's advice.

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #16 on: October 05, 2007, 12:35:27 PM »
    New HiJack log

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\AIM6\aim6.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\AIM6\aolsoftware.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\OneStepSearch\onestep.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\program files\common files\aol\1140116236\ee\aexplore.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Documents and Settings\Zach\Desktop\HiJackThis.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
    O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #17 on: October 05, 2007, 12:35:41 PM »
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DVD@ccess.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: OneStep Search Service - OneStepSearch.net, Inc. - C:\Program Files\OneStepSearch\onestep.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 10861 bytes

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #18 on: October 05, 2007, 12:36:15 PM »
    Virtumundo Log

    [10/05/2007, 11:31:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Zach\Desktop\VirtumundoBeGone.exe" )
    [10/05/2007, 11:31:25] - Detected System Information:
    [10/05/2007, 11:31:25] -  Windows Version: 5.1.2600, Service Pack 2
    [10/05/2007, 11:31:25] -  Current Username: Zach (Admin)
    [10/05/2007, 11:31:25] -  Windows is in SAFE mode with Networking.
    [10/05/2007, 11:31:25] - Searching for Browser Helper Objects:
    [10/05/2007, 11:31:25] -  BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
    [10/05/2007, 11:31:25] -  BHO 2: {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} ()
    [10/05/2007, 11:31:25] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/05/2007, 11:31:26] -  No filename found. Continuing.
    [10/05/2007, 11:31:26] -  BHO 3: {72BDBFC0-3394-4944-BE07-BC05CF5049BE} ()
    [10/05/2007, 11:31:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/05/2007, 11:31:26] -  Checking for HKLM\...\Winlogon\Notify\dmscrip
    [10/05/2007, 11:31:26] -  Key not found: HKLM\...\Winlogon\Notify\dmscrip, continuing.
    [10/05/2007, 11:31:26] -  BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [10/05/2007, 11:31:26] -  BHO 5: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
    [10/05/2007, 11:31:26] -  BHO 6: {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} ()
    [10/05/2007, 11:31:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/05/2007, 11:31:26] -  No filename found. Continuing.
    [10/05/2007, 11:31:26] -  BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
    [10/05/2007, 11:31:26] -  BHO 8: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
    [10/05/2007, 11:31:26] -  BHO 9: {D377A374-A49E-4CFE-B00A-F0CCD1B80B10} ()
    [10/05/2007, 11:31:26] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [10/05/2007, 11:31:26] -  Checking for HKLM\...\Winlogon\Notify\awtqo
    [10/05/2007, 11:31:26] -  Key not found: HKLM\...\Winlogon\Notify\awtqo, continuing.
    [10/05/2007, 11:31:26] - Finished Searching Browser Helper Objects
    [10/05/2007, 11:31:26] - Finishing up...
    [10/05/2007, 11:31:26] - Nothing found! Exiting...

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #19 on: October 05, 2007, 12:37:14 PM »
    VundoFix log

    VundoFix V6.5.9

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Java version is 1.5.0.11

    Scan started at 11:20:52 AM 10/5/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\thlhxrnt.ini
    C:\WINDOWS\system32\tnrxhlht.dll
    C:\WINDOWS\system32\xnxmhehb.dll

    Beginning removal...

     Attempting to delete C:\WINDOWS\system32\thlhxrnt.ini
    C:\WINDOWS\system32\thlhxrnt.ini Has been deleted!

     Attempting to delete C:\WINDOWS\system32\tnrxhlht.dll
    C:\WINDOWS\system32\tnrxhlht.dll Has been deleted!

     Attempting to delete C:\WINDOWS\system32\xnxmhehb.dll
    C:\WINDOWS\system32\xnxmhehb.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    CBMatt

    • Mod & Malware Specialist


    Re: Rundll Error - HiJackThis Included
    « Reply #20 on: October 06, 2007, 01:13:22 AM »
    Your log looks a lot cleaner now.  How are things running?  Are you still having problems?

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #21 on: October 07, 2007, 03:49:22 PM »
    Actually yeah, I don't get it.  I still had my computer randomly re-start and something is also affecting my internet connection now, it's been out for about a day and right now I'm surprised it's even working. 

    Still running slow and I think I might have accidentally deleted something from Nero in the registry because I get an "nmBg Monitor error." 

    I don't know what the h**l is going on, everything seems fine from the log files. 

    Oh, and I really do appreciate all the help so far, thank you.

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #22 on: October 07, 2007, 04:00:01 PM »
    Just in case...new HiJack log...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:58:53 PM, on 10/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\McAfee\MBK\MBackMonitor.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\OneStepSearch\onestep.exe
    C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\Documents and Settings\Zach\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
    O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #23 on: October 07, 2007, 04:00:13 PM »
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKLM\..\RunOnce: [vmc] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
    O4 - HKLM\..\RunOnce: [Falcon] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Falcon.dll
    O4 - HKLM\..\RunOnce: [mswm] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\mswm.dll
    O4 - HKLM\..\RunOnce: [NetMD] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\NetMD.dll
    O4 - HKLM\..\RunOnce: [SPTISRVps] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SPTISR~1.DLL
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: [email protected] = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 11190 bytes

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #24 on: October 07, 2007, 06:32:47 PM »
    I also noticed this entry will NOT delete:

    O2 - BHO: (no name) - {72BBDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll

    I even tried to delete it manually and it doesn't work.

    I have also received errors from these processes:

    LogOnHook
    reader_Sl
    NetMDSB

    « Last Edit: October 07, 2007, 06:52:41 PM by zjt228 »

    CBMatt

    • Mod & Malware Specialist


    Re: Rundll Error - HiJackThis Included
    « Reply #25 on: October 08, 2007, 01:49:57 AM »
    Here, let's give something else a try...  Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #26 on: October 08, 2007, 03:00:11 PM »
    ComboFix log

    ComboFix 07-10-07.2 - Zach 2007-10-08 16:38:19.1 - NTFSx86 NETWORK
    Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.726 [GMT -4:00]
    Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\d.exe
    C:\Documents and Settings\Guest\Desktop\internet.lnk
    C:\Documents and Settings\Mom\Application Data\Starware
    C:\Documents and Settings\Mom\Desktop\internet.lnk
    C:\Program Files\ShoppingReport
    C:\Program Files\ShoppingReport\cs\persist.dbs
    C:\Program Files\ShoppingReport\Uninst.exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\bjsjswvx.dll
    C:\WINDOWS\system32\doymvccn.ini
    C:\WINDOWS\system32\fbnndjau.dll
    C:\WINDOWS\system32\fxpcyljv.dll
    C:\WINDOWS\system32\gemdocyu.dll
    C:\WINDOWS\system32\ghcvvtvj.ini
    C:\WINDOWS\system32\grgetlct.ini
    C:\WINDOWS\system32\gurmeydk.ini
    C:\WINDOWS\system32\hdajhfux.dll
    C:\WINDOWS\system32\isjmkdiw.dll
    C:\WINDOWS\system32\jvtvvchg.dll
    C:\WINDOWS\system32\kdyemrug.dll
    C:\WINDOWS\system32\nccvmyod.dll
    C:\WINDOWS\system32\tcltegrg.dll
    C:\WINDOWS\system32\uajdnnbf.ini
    C:\WINDOWS\system32\uycodmeg.ini
    C:\WINDOWS\system32\vjlycpxf.ini
    C:\WINDOWS\system32\widkmjsi.ini
    C:\WINDOWS\system32\xufhjadh.ini
    C:\WINDOWS\system32\xvwsjsjb.ini
    C:\wsusupd.exe

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_LDRSVC
    -------\ldrsvc


    (((((((((((((((((((((((((   Files Created from 2007-09-08 to 2007-10-08  )))))))))))))))))))))))))))))))
    .

    2007-10-08 16:37   51,420   --a------   C:\dcksdix.exe
    2007-10-08 16:37   50,176   --a------   C:\WINDOWS\system32\btasv.dll
    2007-10-08 16:37   25,600   --a------   C:\WINDOWS\system32\drivers\df401e41.sys
    2007-10-08 16:37   1,918   --a------   C:\WINDOWS\system32\conf.dat
    2007-10-08 16:22   62,464   --a------   C:\WINDOWS\NirCmd.exe
    2007-10-07 21:47   <DIR>   d--------   C:\Program Files\iTunes
    2007-10-07 21:47   <DIR>   d--------   C:\Program Files\iPod
    2007-10-07 21:45   <DIR>   d--------   C:\Program Files\Apple Software Update
    2007-10-07 21:41   <DIR>   d--------   C:\Program Files\QuickTime
    2007-10-07 20:24   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\McAfee
    2007-10-07 19:59   <DIR>   d--------   C:\WINDOWS\system32\NtmsData
    2007-10-07 19:56   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\MailFrontier
    2007-10-07 15:31   512   --a------   C:\ScanSectorLog.dat
    2007-10-07 13:07   37,920   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-07 13:07   1,175,584   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-06 16:26   32,256   --a------   C:\whekdwjb.exe
    2007-10-06 16:26   25,600   --a------   C:\WINDOWS\system32\drivers\7de30189.sys
    2007-10-06 16:26   25,088   --a------   C:\WINDOWS\system32\sipov.dll
    2007-10-06 16:23   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\McAfee
    2007-10-06 11:33   158,432   --a------   C:\WINDOWS\system32\71151f2.sys
    2007-10-05 16:35   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\Uniblue
    2007-10-05 16:17   112,292   --a------   C:\cc_20071005_1617.reg
    2007-10-05 15:42   5,120      C:\WINDOWS\system32\drivers\wbkpwguh.dat
    2007-10-05 15:42   17,664      C:\WINDOWS\system32\drivers\ctnluuwh.dat
    2007-10-05 11:01   158,432   --a------   C:\WINDOWS\system32\6181b4a9.sys
    2007-10-05 10:58   158,432   --a------   C:\WINDOWS\system32\b728bbdf.sys
    2007-10-05 10:58   158,432   --a------   C:\WINDOWS\system32\51efee4c.sys
    2007-10-05 10:56   158,432   --a------   C:\WINDOWS\system32\27a88faa.sys
    2007-10-05 10:54   65,024   --a------   C:\hmwbeiik.exe
    2007-10-05 10:41   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
    2007-10-05 10:41   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\SUPERAntiSpyware.com
    2007-10-05 10:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-04 10:35   158,432   --a------   C:\WINDOWS\system32\ccedba40.sys
    2007-10-04 00:53   158,432   --a------   C:\WINDOWS\system32\112e9cd5.sys
    2007-10-03 16:05   39,452   --a------   C:\qewtcr.exe
    2007-10-01 08:53   158,432   --a------   C:\WINDOWS\system32\5516a3.sys
    2007-09-27 07:46   158,432   --a------   C:\WINDOWS\system32\7c82ea07.sys
    2007-09-26 22:05   153   --a------   C:\WINDOWS\system32\delFSF.bat
    2007-09-26 16:53   58,155   --a------   C:\pgwgygwn.exe
    2007-09-26 16:53   39,452   --a------   C:\uvbbeuu.exe
    2007-09-25 16:36   58,155   --a------   C:\nawf.exe
    2007-09-25 16:36   206,866   --a------   C:\slrce.exe
    2007-09-25 16:27   <DIR>   d--------   C:\VundoFix Backups
    2007-09-24 17:40   591,136   --a------   C:\Program Files\DMSetup-Serial.exe
    2007-09-23 22:21   <DIR>   d--------   C:\Program Files\CCleaner
    2007-09-23 22:04   <DIR>   d--------   C:\Program Files\Windows Defender
    2007-09-23 20:51   <DIR>   d--------   C:\WINDOWS\pss
    2007-09-23 20:42   1,476,658   ---hs----   C:\WINDOWS\system32\oqtwa.bak2
    2007-09-23 19:10   1,976,534   ---hs----   C:\WINDOWS\system32\oqtwa.bak1
    2007-09-23 15:59   1,978,634   ---hs----   C:\WINDOWS\system32\hhkmp.bak2
    2007-09-23 15:03   57,856   --a------   C:\WINDOWS\system32\bootvi.dll
    2007-09-22 16:14   1,976,494   ---hs----   C:\WINDOWS\system32\hhkmp.bak1
    2007-09-22 15:54   107,409   --a------   C:\WINDOWS\system32\dmscrip.dll
    2007-09-22 15:53   57,856   --a------   C:\WINDOWS\system32\drmclie.dll
    2007-09-22 14:33   1,977,762   ---hs----   C:\WINDOWS\system32\kjkkj.ini2
    2007-09-22 14:27   1,977,950   ---hs----   C:\WINDOWS\system32\kjkkj.bak2
    2007-09-22 11:36   1,976,494   ---hs----   C:\WINDOWS\system32\kjkkj.bak1
    2007-09-22 11:16   88,064   --a------   C:\WINDOWS\system32\cmcfg3.dll
    2007-09-22 11:15   17,280   --a------   C:\WINDOWS\system32\drivers\ctnluuwh.sys

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #27 on: October 08, 2007, 03:02:14 PM »

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-08 16:23   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-10-08 05:26   6692   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
    2007-10-08 05:26   4412   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-10-07 14:38   ---------   d--------   C:\Program Files\McAfee
    2007-10-07 11:17   ---------   d--------   C:\Program Files\FinePixViewer
    2007-10-06 11:27   ---------   d--------   C:\Documents and Settings\All Users\Application Data\McAfee
    2007-10-05 11:10   ---------   d--------   C:\Program Files\Viewpoint
    2007-10-05 11:10   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-03 16:41   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-03 16:36   ---------   d--------   C:\Program Files\DoctorCleaner
    2007-09-30 12:53   ---------   d--------   C:\Program Files\Common Files\Ahead
    2007-09-30 12:15   ---------   d--------   C:\Documents and Settings\Zach\Application Data\Ahead
    2007-09-30 09:24   ---------   d--------   C:\Program Files\OneStepSearch
    2007-09-30 09:23   ---------   d--------   C:\Program Files\LimeWire
    2007-09-30 09:21   ---------   d--------   C:\Program Files\foobar2000
    2007-09-30 09:10   ---------   d--------   C:\Program Files\AC3Filter
    2007-09-23 15:33   ---------   d--------   C:\Program Files\Bonjour
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Xvid
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Hardwood Euchre
    2007-09-22 14:46   ---------   d--------   C:\Program Files\AudioRetoucher
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Audacity
    2007-09-16 20:01   ---------   d--------   C:\Documents and Settings\Zach\Application Data\foobar2000
    2007-08-14 20:40   ---------   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
    2007-08-13 17:13   ---------   d--------   C:\Program Files\Google
    2007-08-13 14:16   ---------   d--------   C:\Program Files\RegistryCleanerXP
    2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19   271224   --a------   C:\WINDOWS\system32\mucltui.dll
    2007-07-30 19:19   207736   --a------   C:\WINDOWS\system32\muweb.dll
    2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DC7C70A-B95D-4E0F-B49D-1C5D618D936C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72BDBFC0-3394-4944-BE07-BC05CF5049BE}]
    2004-08-04 03:56   107409   --a------   C:\WINDOWS\system32\dmscrip.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FA1E1D-29FD-4E81-9690-C75B4E3108A0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe" [2006-05-09 20:24]
    "SoundMan"="SOUNDMAN.EXE" [2004-09-16 08:39 C:\WINDOWS\SOUNDMAN.EXE]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 12:57]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
    "NWEReboot"="" []
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
    "MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-10-05 16:04]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    [email protected] - C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-03-21 17:48:41]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-13 17:13:16]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04]
    VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-02-18 13:04:30]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R0 rlgujhvq;rlgujhvq;C:\WINDOWS\system32\drivers\ctnluuwh.dat
    R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
    R1 df401e41.sys;df401e41.sys;\??\C:\WINDOWS\system32\drivers\df401e41.sys
    R2 DVDAccss;DVDAccss;C:\WINDOWS\system32\drivers\DVDAccss.sys
    S4 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-08 01:46:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-15 05:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2007-10-01 05:01:22 C:\WINDOWS\Tasks\McQcTask.job"
    "2007-10-08 20:47:12 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-08 16:45:24
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-08 16:50:38 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-10-08 16:50
    .
       --- E O F ---



    On start up, I still get the Nero NMBg Error, the McAfee LogOnHook error, a Zone Alarm trial, and a lot of crap relating to the "MG Secure Module."  There is an automatic attempted installation that takes place while the computer is loading, and no matter how many times you click "finish" it keeps restarting itself.

     

    CBMatt

    • Mod & Malware Specialist


    Re: Rundll Error - HiJackThis Included
    « Reply #28 on: October 09, 2007, 06:12:23 AM »
    We've still got a little bit of work to do, but we should be getting close.  Below is a quote box with some text.  Please copy everything inside of the box...

    Quote
    File::
    C:\WINDOWS\system32\btasv.dll
    C:\whekdwjb.exe
    C:\WINDOWS\system32\sipov.dll
    C:\WINDOWS\system32\drivers\wbkpwguh.dat
    C:\WINDOWS\system32\drivers\ctnluuwh.dat
    C:\hmwbeiik.exe
    C:\qewtcr.exe
    C:\pgwgygwn.exe
    C:\uvbbeuu.exe
    C:\nawf.exe
    C:\slrce.exe
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.bak1
    C:\WINDOWS\system32\hhkmp.bak2
    C:\WINDOWS\system32\bootvi.dll
    C:\WINDOWS\system32\hhkmp.bak1
    C:\WINDOWS\system32\dmscrip.dll
    C:\WINDOWS\system32\drmclie.dll
    C:\WINDOWS\system32\kjkkj.ini2
    C:\WINDOWS\system32\kjkkj.bak2
    C:\WINDOWS\system32\kjkkj.bak1
    C:\WINDOWS\system32\drivers\ctnluuwh.sys

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DC7C70A-B95D-4E0F-B49D-1C5D618D936C}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72BDBFC0-3394-4944-BE07-BC05CF5049BE}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FA1E1D-29FD-4E81-9690-C75B4E3108A0}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]

    Paste the contents into Notepad and save the file as CFScript.txt.  Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again.  After reboot, (in case it asks to reboot) post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Quote
    On start up, I still get the Nero NMBg Error, the McAfee LogOnHook error, a Zone Alarm trial, and a lot of crap relating to the "MG Secure Module."  There is an automatic attempted installation that takes place while the computer is loading, and no matter how many times you click "finish" it keeps restarting itself.

    If you're still having problems with Nero, McAfee, and ZoneAlarm, you may need to reinstall them.  MG Secure Module appears to be related to SonicStage.  Do you have this program on your computer?  Also, which program is trying to install itself?  If you continue to receive error messages, please write down exactly what they say.
    « Last Edit: October 09, 2007, 06:30:55 AM by CBMatt »

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #29 on: October 09, 2007, 09:29:32 AM »
    New ComboFix log:

    ComboFix 07-10-07.2 - Zach 2007-10-09 11:20:34.2 - NTFSx86
    Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.514 [GMT -4:00]
    Running from: C:\Documents and Settings\Zach\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Zach\Desktop\CFScript.txt
     * Created a new restore point
    .

    (((((((((((((((((((((((((   Files Created from 2007-09-09 to 2007-10-09  )))))))))))))))))))))))))))))))
    .

    2007-10-08 16:58   1   --a------   C:\WINDOWS\system32\rc.dat
    2007-10-08 16:58   1   --a------   C:\WINDOWS\system32\ps1.dat
    2007-10-08 16:58   1   --a------   C:\WINDOWS\system32\cookie1.dat
    2007-10-08 16:37   51,420   --a------   C:\dcksdix.exe
    2007-10-08 16:37   50,176   --a------   C:\WINDOWS\system32\btasv.dll
    2007-10-08 16:37   25,600   --a------   C:\WINDOWS\system32\drivers\df401e41.sys
    2007-10-08 16:37   1,918   --a------   C:\WINDOWS\system32\conf.dat
    2007-10-08 16:22   51,200   --a------   C:\WINDOWS\NirCmd.exe
    2007-10-07 21:47   <DIR>   d--------   C:\Program Files\iTunes
    2007-10-07 21:47   <DIR>   d--------   C:\Program Files\iPod
    2007-10-07 21:45   <DIR>   d--------   C:\Program Files\Apple Software Update
    2007-10-07 21:41   <DIR>   d--------   C:\Program Files\QuickTime
    2007-10-07 20:24   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\McAfee
    2007-10-07 19:59   <DIR>   d--------   C:\WINDOWS\system32\NtmsData
    2007-10-07 19:56   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\MailFrontier
    2007-10-07 15:31   512   --a------   C:\ScanSectorLog.dat
    2007-10-07 13:07   44,320   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-10-07 13:07   1,175,584   --ahs----   C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-06 16:26   32,256   --a------   C:\whekdwjb.exe
    2007-10-06 16:26   25,600   --a------   C:\WINDOWS\system32\drivers\7de30189.sys
    2007-10-06 16:26   25,088   --a------   C:\WINDOWS\system32\sipov.dll
    2007-10-06 16:23   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\McAfee
    2007-10-06 11:33   158,432   --a------   C:\WINDOWS\system32\71151f2.sys
    2007-10-05 16:35   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\Uniblue
    2007-10-05 16:17   112,292   --a------   C:\cc_20071005_1617.reg
    2007-10-05 15:42   5,120      C:\WINDOWS\system32\drivers\wbkpwguh.dat
    2007-10-05 15:42   17,664      C:\WINDOWS\system32\drivers\ctnluuwh.dat
    2007-10-05 11:01   158,432   --a------   C:\WINDOWS\system32\6181b4a9.sys
    2007-10-05 10:58   158,432   --a------   C:\WINDOWS\system32\b728bbdf.sys
    2007-10-05 10:58   158,432   --a------   C:\WINDOWS\system32\51efee4c.sys
    2007-10-05 10:56   158,432   --a------   C:\WINDOWS\system32\27a88faa.sys
    2007-10-05 10:54   65,024   --a------   C:\hmwbeiik.exe
    2007-10-05 10:41   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
    2007-10-05 10:41   <DIR>   d--------   C:\Documents and Settings\Zach\Application Data\SUPERAntiSpyware.com
    2007-10-05 10:41   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-04 10:35   158,432   --a------   C:\WINDOWS\system32\ccedba40.sys
    2007-10-04 00:53   158,432   --a------   C:\WINDOWS\system32\112e9cd5.sys
    2007-10-03 16:05   39,452   --a------   C:\qewtcr.exe
    2007-10-01 08:53   158,432   --a------   C:\WINDOWS\system32\5516a3.sys
    2007-09-27 07:46   158,432   --a------   C:\WINDOWS\system32\7c82ea07.sys
    2007-09-26 22:05   153   --a------   C:\WINDOWS\system32\delFSF.bat
    2007-09-26 16:53   58,155   --a------   C:\pgwgygwn.exe
    2007-09-26 16:53   39,452   --a------   C:\uvbbeuu.exe
    2007-09-25 16:36   58,155   --a------   C:\nawf.exe
    2007-09-25 16:36   206,866   --a------   C:\slrce.exe
    2007-09-25 16:27   <DIR>   d--------   C:\VundoFix Backups
    2007-09-24 17:40   591,136   --a------   C:\Program Files\DMSetup-Serial.exe
    2007-09-23 22:21   <DIR>   d--------   C:\Program Files\CCleaner
    2007-09-23 22:04   <DIR>   d--------   C:\Program Files\Windows Defender
    2007-09-23 20:51   <DIR>   d--------   C:\WINDOWS\pss
    2007-09-23 20:42   1,476,658   ---hs----   C:\WINDOWS\system32\oqtwa.bak2
    2007-09-23 19:10   1,976,534   ---hs----   C:\WINDOWS\system32\oqtwa.bak1
    2007-09-23 15:59   1,978,634   ---hs----   C:\WINDOWS\system32\hhkmp.bak2
    2007-09-23 15:03   57,856   --a------   C:\WINDOWS\system32\bootvi.dll
    2007-09-22 16:14   1,976,494   ---hs----   C:\WINDOWS\system32\hhkmp.bak1
    2007-09-22 15:54   107,409   --a------   C:\WINDOWS\system32\dmscrip.dll
    2007-09-22 15:53   57,856   --a------   C:\WINDOWS\system32\drmclie.dll
    2007-09-22 14:33   1,977,762   ---hs----   C:\WINDOWS\system32\kjkkj.ini2
    2007-09-22 14:27   1,977,950   ---hs----   C:\WINDOWS\system32\kjkkj.bak2
    2007-09-22 11:36   1,976,494   ---hs----   C:\WINDOWS\system32\kjkkj.bak1
    2007-09-22 11:16   88,064   --a------   C:\WINDOWS\system32\cmcfg3.dll
    2007-09-22 11:15   17,280   --a------   C:\WINDOWS\system32\drivers\ctnluuwh.sys

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #30 on: October 09, 2007, 09:30:06 AM »
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-09 11:20   ---------   d--------   C:\Program Files\AC3Filter
    2007-10-08 16:23   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-10-08 05:26   6692   --ahs----   C:\WINDOWS\system32\drivers\fidbox.idx
    2007-10-08 05:26   4412   --ahs----   C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-10-07 14:38   ---------   d--------   C:\Program Files\McAfee
    2007-10-07 11:17   ---------   d--------   C:\Program Files\FinePixViewer
    2007-10-06 11:27   ---------   d--------   C:\Documents and Settings\All Users\Application Data\McAfee
    2007-10-05 11:10   ---------   d--------   C:\Program Files\Viewpoint
    2007-10-05 11:10   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-03 16:41   ---------   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-03 16:36   ---------   d--------   C:\Program Files\DoctorCleaner
    2007-09-30 12:53   ---------   d--------   C:\Program Files\Common Files\Ahead
    2007-09-30 12:15   ---------   d--------   C:\Documents and Settings\Zach\Application Data\Ahead
    2007-09-30 09:24   ---------   d--------   C:\Program Files\OneStepSearch
    2007-09-30 09:23   ---------   d--------   C:\Program Files\LimeWire
    2007-09-30 09:21   ---------   d--------   C:\Program Files\foobar2000
    2007-09-23 15:33   ---------   d--------   C:\Program Files\Bonjour
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Xvid
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Hardwood Euchre
    2007-09-22 14:46   ---------   d--------   C:\Program Files\AudioRetoucher
    2007-09-22 14:46   ---------   d--------   C:\Program Files\Audacity
    2007-09-16 20:01   ---------   d--------   C:\Documents and Settings\Zach\Application Data\foobar2000
    2007-08-14 20:40   ---------   d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
    2007-08-13 17:13   ---------   d--------   C:\Program Files\Google
    2007-08-13 14:16   ---------   d--------   C:\Program Files\RegistryCleanerXP
    2007-07-30 19:19   92504   --a------   C:\WINDOWS\system32\cdm.dll
    2007-07-30 19:19   549720   --a------   C:\WINDOWS\system32\wuapi.dll
    2007-07-30 19:19   53080   --a------   C:\WINDOWS\system32\wuauclt.exe
    2007-07-30 19:19   43352   --a------   C:\WINDOWS\system32\wups2.dll
    2007-07-30 19:19   325976   --a------   C:\WINDOWS\system32\wucltui.dll
    2007-07-30 19:19   271224   --a------   C:\WINDOWS\system32\mucltui.dll
    2007-07-30 19:19   207736   --a------   C:\WINDOWS\system32\muweb.dll
    2007-07-30 19:19   203096   --a------   C:\WINDOWS\system32\wuweb.dll
    2007-07-30 19:19   1712984   --a------   C:\WINDOWS\system32\wuaueng.dll
    2007-07-30 19:18   33624   --a------   C:\WINDOWS\system32\wups.dll
    .

    (((((((((((((((((((((((((((((   snapshot@2007-10-08_16.49.41.78   )))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w           135,168 2007-09-28 13:06:08  C:\WINDOWS\catchme.exe
    ----a-w           163,328 2007-03-13 14:57:10  C:\WINDOWS\erdnt\subs\ERDNT.EXE
    ----a-w           279,552 2007-10-05 14:07:31  C:\WINDOWS\system32\swreg.exe
    ---h--w             4,212 2007-10-08 23:49:44  C:\WINDOWS\system32\zllictbl.dat
    ----a-w            32,768 2007-10-09 15:09:46  C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w            32,768 2007-10-09 15:09:46  C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w            49,152 2007-10-09 15:09:46  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w             4,608 2007-10-09 12:35:13  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DRE6P41D\dl[1].exe
    ----a-w             4,608 2007-10-09 15:10:57  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DRE6P41D\dl[2].exe
    ----a-w             4,608 2007-10-08 23:22:50  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVD5RRQ8\dl[1].exe
    ----a-w             4,608 2007-10-08 23:48:46  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVD5RRQ8\dl[2].exe
    ----a-w            23,552 2007-10-09 15:11:00  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVD5RRQ8\rename[1].exe
    ----a-w           397,312 2003-09-03 07:30:14  C:\WINDOWS\Temp\{6F1974D6-4249-43B6-88B0-9A9B8A33956C}\ISRT.DLL
    ----a-w           299,008 2003-09-03 09:53:48  C:\WINDOWS\Temp\{6F1974D6-4249-43B6-88B0-9A9B8A33956C}\_ISRES.DLL
    ----a-w            12,288 2007-10-09 15:17:22  C:\WINDOWS\Temp\{6F1974D6-4249-43B6-88B0-9A9B8A33956C}\_ISUSER.DLL

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #31 on: October 09, 2007, 09:30:22 AM »
    .
    ----a-w           149,504 2007-09-28 13:06:08  C:\WINDOWS\catchme.exe
    ----a-w           178,176 2007-03-13 14:57:10  C:\WINDOWS\erdnt\subs\ERDNT.EXE
    ----a-w           293,888 2007-10-05 14:07:31  C:\WINDOWS\system32\swreg.exe
    ---h--w             4,212 2007-10-08 20:46:38  C:\WINDOWS\system32\zllictbl.dat
    ----a-w            32,768 2007-10-08 20:43:47  C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    ----a-w            32,768 2007-10-08 20:43:47  C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    ----a-w            49,152 2007-10-08 20:43:47  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    ----a-w            19,456 2007-10-05 15:03:23  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DRE6P41D\dl[1].exe
    ----a-w             4,608 2007-10-06 20:25:48  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DRE6P41D\dl[2].exe
    ----a-w            24,904 2007-09-29 11:56:44  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVD5RRQ8\dl[1].exe
    ----a-w            24,904 2007-09-29 12:47:14  C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\UVD5RRQ8\dl[2].exe
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DC7C70A-B95D-4E0F-B49D-1C5D618D936C}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72BDBFC0-3394-4944-BE07-BC05CF5049BE}]
    2004-08-04 03:56   107409   --a------   C:\WINDOWS\system32\dmscrip.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FA1E1D-29FD-4E81-9690-C75B4E3108A0}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HostManager"="C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe" [2006-05-09 20:24]
    "SoundMan"="SOUNDMAN.EXE" [2004-09-16 08:39 C:\WINDOWS\SOUNDMAN.EXE]
    "Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-07 12:57]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
    "NWEReboot"="" []
    "ezShieldProtector for Px"="C:\WINDOWS\system32\ezSP_Px.exe" [2002-08-20 11:29]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]
    "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-04 02:33]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
    "McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 13:59]
    "MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 11:22]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-10-05 16:04]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 17:17]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "vmc"=C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
    "Falcon"=C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Falcon.dll
    "mswm"=C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\mswm.dll
    "NetMD"=C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\NetMD.dll
    "SPTISRVps"=C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SPTISR~1.DLL

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    DVD@ccess.lnk - C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-03-21 17:48:41]
    Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-13 17:13:16]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 05:01:04]
    VIA RAID TOOL.lnk - C:\Program Files\VIA\RAID\raid_tool.exe [2006-02-18 13:04:30]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    R0 rlgujhvq;rlgujhvq;C:\WINDOWS\system32\drivers\ctnluuwh.dat
    R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
    R1 df401e41.sys;df401e41.sys;\??\C:\WINDOWS\system32\drivers\df401e41.sys
    R2 DVDAccss;DVDAccss;C:\WINDOWS\system32\drivers\DVDAccss.sys
    S4 OneStep Search Service;OneStep Search Service;"C:\Program Files\OneStepSearch\onestep.exe" "C:\Program Files\OneStepSearch\onestep.dll" Service

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-08 01:46:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-15 05:34:29 C:\WINDOWS\Tasks\McDefragTask.job"
    - c:\program files\mcafee\mqc\QcConsol.exe
    "2007-10-01 05:01:22 C:\WINDOWS\Tasks\McQcTask.job"
    "2007-10-09 15:13:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-09 11:24:35
    Windows 5.1.2600 Service Pack 2 NTFS

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-09 11:27:01
    C:\ComboFix-quarantined-files.txt ... 2007-10-09 11:26
    C:\ComboFix2.txt ... 2007-10-08 16:50
    .
       --- E O F ---

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #32 on: October 09, 2007, 09:32:20 AM »
    New HiJackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:31:46 AM, on 10/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\McAfee\MBK\MBackMonitor.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\TEMP\VRR5.tmp
    C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\McAfee\MSC\mcuimgr.exe
    C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\VIA\RAID\raid_tool.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    c:\program files\common files\aol\1140116236\ee\aexplore.exe
    C:\WINDOWS\system32\MsiExec.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe
    C:\Documents and Settings\Zach\Desktop\HiJackThis.exe

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #33 on: October 09, 2007, 09:33:20 AM »

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
    O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O2 - BHO: (no name) - {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1140116236\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
    O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\RunOnce: [vmc] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\vmc.dll
    O4 - HKLM\..\RunOnce: [Falcon] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Falcon.dll
    O4 - HKLM\..\RunOnce: [mswm] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\mswm.dll
    O4 - HKLM\..\RunOnce: [NetMD] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\NetMD.dll
    O4 - HKLM\..\RunOnce: [SPTISRVps] C:\PROGRA~1\COMMON~1\SONYSH~1\OpenMG\Regsvr32.exe /s C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\SPTISR~1.DLL
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DVD@ccess.lnk = ?
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1140100872952
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1140100857546
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/06101102/qsp2ie06101001.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (file missing)
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 10839 bytes

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #34 on: October 09, 2007, 10:21:08 AM »
    Here's some screens of the error messages I get on start up:

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #35 on: October 11, 2007, 09:40:49 AM »
    Still getting all of these errors, the only way I'm online now is running through safe mode.

     >:( ???

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: Rundll Error - HiJackThis Included
    « Reply #36 on: October 11, 2007, 12:33:38 PM »
    I hate to be repetitive, but the CFScript doesn't appear to have worked, so please try these steps again...

    We've still got a little bit of work to do, but we should be getting close.  Below is a quote box with some text.  Please copy everything inside of the box...

    Quote
    File::
    C:\WINDOWS\system32\btasv.dll
    C:\whekdwjb.exe
    C:\WINDOWS\system32\sipov.dll
    C:\WINDOWS\system32\drivers\wbkpwguh.dat
    C:\WINDOWS\system32\drivers\ctnluuwh.dat
    C:\hmwbeiik.exe
    C:\qewtcr.exe
    C:\pgwgygwn.exe
    C:\uvbbeuu.exe
    C:\nawf.exe
    C:\slrce.exe
    C:\WINDOWS\system32\oqtwa.bak2
    C:\WINDOWS\system32\oqtwa.bak1
    C:\WINDOWS\system32\hhkmp.bak2
    C:\WINDOWS\system32\bootvi.dll
    C:\WINDOWS\system32\hhkmp.bak1
    C:\WINDOWS\system32\dmscrip.dll
    C:\WINDOWS\system32\drmclie.dll
    C:\WINDOWS\system32\kjkkj.ini2
    C:\WINDOWS\system32\kjkkj.bak2
    C:\WINDOWS\system32\kjkkj.bak1
    C:\WINDOWS\system32\drivers\ctnluuwh.sys

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DC7C70A-B95D-4E0F-B49D-1C5D618D936C}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72BDBFC0-3394-4944-BE07-BC05CF5049BE}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FA1E1D-29FD-4E81-9690-C75B4E3108A0}]

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]

    Paste the contents into Notepad and save the file as CFScript.txt.  Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again.  After reboot, (in case it asks to reboot) post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    You could also try deleting the files manually in Safe Mode.  However, you may not be successful with a few of them.
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey
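An added example, not part of CBMatt's post and not ComboFix's own code: before running a removal script like the one above, a helper can confirm that every registry deletion in it matches a BHO that the HijackThis log itself marks as unnamed, fileless or missing its file. The O2 lines are copied from reply #33 and the CFScript is abridged from reply #36; the function names and the three triage rules are assumptions made for this example.

```python
import ntpath
import re
from typing import NamedTuple, Optional

# O2 (Browser Helper Object) lines copied from the HijackThis log in reply #33.
HJT_O2_LINES = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2DC7C70A-B95D-4E0F-B49D-1C5D618D936C} - (no file)
O2 - BHO: (no name) - {72BDBFC0-3394-4944-BE07-BC05CF5049BE} - C:\WINDOWS\system32\dmscrip.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {A8FA1E1D-29FD-4E81-9690-C75B4E3108A0} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Flash Module - {DF50F976-592A-47a4-81C7-AD34D5A3A947} - btasv.dll (file missing)
"""

# CFScript from reply #36, abridged to the two BHO DLLs and the Registry:: section.
CFSCRIPT = r"""
File::
C:\WINDOWS\system32\btasv.dll
C:\WINDOWS\system32\dmscrip.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DC7C70A-B95D-4E0F-B49D-1C5D618D936C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72BDBFC0-3394-4944-BE07-BC05CF5049BE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FA1E1D-29FD-4E81-9690-C75B4E3108A0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50F976-592A-47a4-81C7-AD34D5A3A947}]
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
MISSING = " (file missing)"


class Bho(NamedTuple):
    name: str
    clsid: str            # upper-cased so log and script compare equal
    path: Optional[str]   # None when HijackThis reports "(no file)"
    reasons: tuple        # empty tuple means nothing stood out


def parse_bhos(log):
    """Parse O2 lines and attach the triage reasons (assumed rules)."""
    bhos = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        name, target, reasons = m["name"], m["target"], []
        if name == "(no name)":
            reasons.append("unnamed")
        if target == "(no file)":
            path = None
            reasons.append("no file registered")
        elif target.endswith(MISSING):
            path = target[:-len(MISSING)]
            reasons.append("file missing")
        else:
            path = target
        bhos.append(Bho(name, m["clsid"].upper(), path, tuple(reasons)))
    return bhos


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections, one list of lines each."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = sections.setdefault(line[:-2], [])
        elif current is not None:
            current.append(line)
    return sections


def crosscheck(log, script):
    """Compare what the script removes with what the log gives cause to remove."""
    flagged = {b.clsid: b for b in parse_bhos(log) if b.reasons}
    sections = parse_cfscript(script)
    deleted = set()
    for line in sections.get("Registry", []):
        m = CLSID_RE.search(line)
        if line.startswith("[-") and m:   # "[-key]" is a key deletion
            deleted.add(m.group(0).upper())
    listed = {ntpath.basename(p).lower() for p in sections.get("File", [])}
    return {
        # Deletions with no supporting evidence in the log: review by hand.
        "deletes_unflagged": sorted(deleted - set(flagged)),
        # Suspicious BHOs the script leaves registered.
        "flagged_not_deleted": sorted(set(flagged) - deleted),
        # BHO DLLs whose registry key goes but whose file is not in File::.
        "bho_files_not_listed": sorted(
            b.path for b in flagged.values()
            if b.path and ntpath.basename(b.path).lower() not in listed),
    }


if __name__ == "__main__":
    for key, value in crosscheck(HJT_O2_LINES, CFSCRIPT).items():
        print(key, value)
```

All three result lists are empty for the script and log in this thread; a non-empty `deletes_unflagged` list would mean the script removes a BHO that the log gives no reason to suspect.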

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #37 on: October 11, 2007, 02:12:13 PM »
    Thanks, I'll try and report back.

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #38 on: October 11, 2007, 04:06:11 PM »
    ComboFix does not work on my computer anymore.
    It was working until I got two errors and it just closed out, my clock is still set on military time.

    It appears this isn't going to work, I might as well just wipe the system clean, but I need a way to back up my files since Nero isn't working, any ideas?

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: Rundll Error - HiJackThis Included
    « Reply #39 on: October 12, 2007, 08:44:26 AM »
    Unfortunately, I'm leaving for the weekend, so I can't help out as much as I want to.  If you would like to try reformatting your computer, download a program such as CDBurnerXP Pro and try running it in Safe Mode.  If it won't allow you to burn CDs, you could slave your hard drive in another computer in order to back up your important files.  Keep in mind, however, that there would be a risk of infecting the other computer.  Because there isn't a lot I can do for you at the moment (and I sincerely apologize for that), you may want to start a new thread, either in this section or in the Windows section.  That way, you will have a better chance of getting the attention you need.  I wish you the best of luck, and if I can, I'll try to check in while I'm gone to see if I can offer any more help.
    Quote
    An undefined problem has an infinite number of solutions.
    —Robert A. Humphrey

    zjt228

    • Guest
    Re: Rundll Error - HiJackThis Included
    « Reply #40 on: October 12, 2007, 10:08:28 AM »
    Thank you for all the help and advice you've given so far!

    oddjob



      Hopeful

      Thanked: 4
      • Experience: Beginner
      • OS: Windows 7
      Re: Rundll Error - HiJackThis Included
      « Reply #41 on: October 12, 2007, 11:46:38 AM »
      Hi zjt228

      I don't know if you've reformatted but, if you have done that before you read this, then don't bother going further.

      On the time thing, ComboFix has been known to somehow affect the clock and result in the military setting. Go to Control Panel - Regional and Language and change it back there.

      If CF doesn't work for you now I suggest you delete the copy of CF you have and download a fresh copy from a legit source. I stress this last bit as there are sites popping up hosting the tool without the program author's permission.

      Get it here ....

      http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

      When downloaded/installed again, try CBMatt's fix of dragging the malware files into CFScript.

      Post a fresh HJT log after this with another update on how things are going.


      Good luck.


      OJ

      zjt228

      • Guest
      Re: Rundll Error - HiJackThis Included
      « Reply #42 on: October 12, 2007, 10:10:10 PM »
      Ugh, still nothing.

      ComboFix started and then crashed again.

      patio

      • Moderator


      • Genius
      • Maud' Dib
      • Thanked: 1769
        • Yes
      • Experience: Beginner
      • OS: Windows 7
      Re: Rundll Error - HiJackThis Included
      « Reply #43 on: October 13, 2007, 08:22:16 AM »
      Turn off all background (tray) apps and try ComboFix again...
      " Anyone who goes to a psychiatrist should have his head examined. "

      zjt228

      • Guest
      Re: Rundll Error - HiJackThis Included
      « Reply #44 on: October 13, 2007, 09:58:44 AM »
      How would I do that? 

      patio

      • Moderator


      • Genius
      • Maud' Dib
      • Thanked: 1769
        • Yes
      • Experience: Beginner
      • OS: Windows 7
      Re: Rundll Error - HiJackThis Included
      « Reply #45 on: October 13, 2007, 05:02:46 PM »
      Right-click each icon in the tray area and select Exit.
      " Anyone who goes to a psychiatrist should have his head examined. "

      zjt228

      • Guest
      Re: Rundll Error - HiJackThis Included
      « Reply #46 on: October 16, 2007, 05:11:23 PM »
      Blah, still nothing.   :(