
Solved: Help Please

Discussion in 'Virus & Other Malware Removal' started by Kolby, Apr 6, 2008.

  1. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    OK, today when I turned on my computer it was extra slow, then the background was changed to a blue picture that said "spyware detected in your computer".

    On top of that there was an antivirus program called WinIfixer downloaded to my desktop.

    There are tons of things running in my processes I have never seen before.

    Help please!
    *edit*

    Now there's a program called Spy Shredder that installed itself onto my computer that pops up from time to time doing a scan that I can't stop, and my only option is to buy the product.

    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 6:10:00 PM, on 4/5/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\system32\drivers\spools.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\mrofinu72.exe
    C:\Program Files\webHancer\Programs\whagent.exe
    C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
    C:\WINDOWS\system32\ctfmona.exe
    C:\WINDOWS\system32\alt.exe.exe
    C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCYtime.exe
    C:\PROGRA~1\COMMON~1\STEM32~1\ntvdm.exe
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\aromis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Bat\X_Bat.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\WinIFixer\WinIFixer.exe
    C:\Documents and Settings\Billy\My Documents\Anti-Virus Crap\HiJackThis_v2.exe
    C:\Documents and Settings\Billy\My Documents\Anti-Virus Crap\NoLop.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O2 - BHO: (no name) - {07F4DBB3-57A8-4392-9073-6BB6BE8A0E51} - C:\WINDOWS\system32\cmuti.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Billy\cftmon.exe
    O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
    O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
    O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
    O4 - HKLM\..\Run: [WinIFixer] C:\Program Files\WinIFixer\WinIFixer.exe
    O4 - HKCU\..\Run: [BT000035] C:\windows\abcdefg23.exe
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Billy\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [Daue] "C:\PROGRA~1\COMMON~1\STEM32~1\ntvdm.exe" -vt yazb
    O4 - HKCU\..\Run: [Hckl] "C:\Documents and Settings\Billy\Application Data\W?nSxS\w?wexec.exe"
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
    O4 - HKCU\..\Run: [aromis] C:\WINDOWS\aromis.exe
    O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe
    O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
    O4 - Startup: Bat - Auto Update.lnk = C:\Program Files\Bat\Bat.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCYYYYYYYYUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O10 - Hijacked Internet access by WebHancer
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-45c49cbaf7a58b5a.spaces.l...d/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...te/Coupons.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab55579.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABB4DFE-88F5-40C4-A923-6A735645E98C}: NameServer = 208.54.220.21 209.142.136.85
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: qomkhfg - qomkhfg.dll (file missing)
    O21 - SSODL: EFCbrFa - {64853052-CE2F-9AF8-31AE-47447BD89AFB} - C:\WINDOWS\system32\uyjt.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: hpdj3600 - Unknown owner - C:\DOCUME~1\Billy\LOCALS~1\Temp\hpdj3600.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
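An added example, not code from the thread, from Tech Support Guy or from HijackThis itself: a small Python triage script that parses O4 (autorun) lines of the format shown in the log above and flags the patterns a helper looks for when reading such a log. The sample lines are copied from the first log in this thread; the list of imitated system binaries, the edit-distance threshold and the path heuristics are my own assumptions for the example.

```python
import re

# Constructed sample: O4 (autorun) lines copied from the first HijackThis log in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Billy\cftmon.exe
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\system32\alt.exe.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\Billy\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [Hckl] "C:\Documents and Settings\Billy\Application Data\W?nSxS\w?wexec.exe"
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
"""

# Shape of a HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Windows binaries whose names the entries in this log imitate (ctfmona, cftmon, spools).
# The list and the distance threshold below are assumptions chosen for this example.
SYSTEM_STEMS = ["ctfmon", "svchost", "spoolsv", "winlogon", "lsass", "services", "smss", "csrss", "explorer"]


def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: one transposition counts as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executable_path(cmd: str) -> str:
    """Pull the launched file out of the command: a quoted path, or everything up to the first
    .exe/.dll/.bat/.com; a leading rundll32 is skipped so the DLL it loads is reported instead."""
    cmd = re.sub(r"^rundll32(?:\.exe)?\s+", "", cmd, flags=re.IGNORECASE)
    m = re.match(r'"([^"]+)"|(.*?\.(?:exe|dll|bat|com))(?=[\s,]|$)', cmd, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else cmd


def parse_o4(line: str):
    """Split one O4 line into hive, key, value name, command and the resolved file path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = executable_path(entry["cmd"])
    return entry


def assess(path: str) -> list:
    """Triage hints for one autorun target; they prompt a closer look, they are not a verdict."""
    low = path.lower()
    filename = low.rsplit("\\", 1)[-1]
    stem = filename.split(".")[0]
    flags = []
    if "?" in path:
        flags.append("unprintable character in path")
    if "\\temp\\" in low:
        flags.append("runs from a Temp directory")
    if re.search(r"\\documents and settings\\[^\\]+\\[^\\]+\.exe$", low):
        flags.append("executable dropped directly in a user profile root")
    if "\\drivers\\" in low and filename.endswith(".exe"):
        flags.append("executable inside system32\\drivers (expected: .sys)")
    if len(re.findall(r"\.(?:exe|com|bat|scr)", filename)) > 1:
        flags.append("double extension")
    for known in SYSTEM_STEMS:
        if dl_distance(stem, known) == 1:  # one edit away from a real name, but not the real name
            flags.append(f"lookalike of system binary {known}.exe")
    return flags


def triage(log_text: str) -> list:
    """Return only the O4 entries that raised at least one flag."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        flags = assess(entry["path"])
        if flags:
            findings.append({"name": entry["name"], "hive": entry["hive"], "path": entry["path"], "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_O4_LINES):
        print(f"[{f['name']}] {f['path']}\n    " + "; ".join(f["flags"]))
```

On the sample above the script leaves the NVIDIA and iTunes entries alone and flags the other seven: the `drivers\spools.exe` entries (an .exe where only .sys files belong, one edit away from spoolsv), `cftmon.exe` in the profile root and `ctfmona.exe` (both one edit away from ctfmon), the double-extension `alt.exe.exe`, `ie.exe` launched from Temp, and the `W?nSxS` path whose `?` stands for a character HijackThis could not print. These are the same cues a helper reads off the log by eye; the script only makes them systematic.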
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Wow, what a mess! :eek:

    Do you still need help?

    Please update your version of HijackThis:
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Double-click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch HijackThis.
     
  3. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    Well, I did a system restore and set it back to before all this happened. There still seem to be some problems though; the main one right now is that internet pages open randomly on their own, and my internet connection randomly shuts off.

    And there is a process in my task manager called svhost.exe, and there are about 7 of them, along with other programs I have no idea what they are.


    Updated HijackThis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:56:18 AM, on 2008-04-09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qomkhfg.dll (file missing)
    O2 - BHO: (no name) - {CDA98F5F-4A35-8982-3D81-4055D7A7012C} - C:\DOCUME~1\Billy\APPLIC~1\CLOSEP~1\beep grid.exe (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c cd /d C:\ComboFix\ & Combobatch.bat
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
    O4 - HKCU\..\Run: [BT000035] C:\windows\abcdefg23.exe
    O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCYYYYYYYYUS
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-45c49cbaf7a58b5a.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4058/ftp.coupons.com/r3302/Pharmavite/Coupons.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABB4DFE-88F5-40C4-A923-6A735645E98C}: NameServer = 208.54.220.21 209.142.136.85
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: qomkhfg - qomkhfg.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: hpdj3600 - Unknown owner - C:\DOCUME~1\Billy\LOCALS~1\Temp\hpdj3600.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 8662 bytes
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C3352FCD-CFE5-4F35-831A-19C68DDB7CF4} - C:\WINDOWS\system32\qomkhfg.dll (file missing)
    O2 - BHO: (no name) - {CDA98F5F-4A35-8982-3D81-4055D7A7012C} - C:\DOCUME~1\Billy\APPLIC~1\CLOSEP~1\beep grid.exe (file missing)
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c cd /d C:\ComboFix\ & Combobatch.bat
    O4 - HKCU\..\Run: [BT000035] C:\windows\abcdefg23.exe
    O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZCYYYYYYYYUS
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...te/Coupons.cab
    O20 - Winlogon Notify: qomkhfg - qomkhfg.dll (file missing)
    O23 - Service: hpdj3600 - Unknown owner - C:\DOCUME~1\Billy\LOCALS~1\Temp\hpdj3600.exe (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)

    Close all applications and browser windows before you click "fix checked".



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\windows\abcdefg23.exe
      
      
    • Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for the Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'
     
  5. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    OK, I've done all but the last one, which I will post this afternoon after I've downloaded it and run it.

    I've attached the logs.
     


  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Use Secunia software inspector & update checker to update your java and any other out of date applications.

    Also go to add/remove programs and remove all old versions of Java.

    I will look forward to the Kaspersky scan log.
     
  7. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    Kaspersky scan log.


    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2008-04-13 11:43:33 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 13/04/2008
    Kaspersky Anti-Virus database records: 701234
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\

    Scan Statistics:
    Total number of scanned objects: 138209
    Number of viruses found: 49
    Number of infected objects: 124
    Number of suspicious objects: 0
    Duration of the scan process: 01:46:08

    Infected Object Name / Virus Name / Last Action
    C:\1E1.tmp Infected: Trojan-Spy.Win32.Zbot.arw skipped
    C:\1E2.tmp Infected: Trojan-Spy.Win32.Zbot.arw skipped
    C:\C.tmp Infected: Trojan-Spy.Win32.Zbot.avh skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\528c1f9e97d4fda356b59a290e92aac9_d074e963-e145-4023-a9fd-62e8487f6c10 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8b3aaff1845838f5fa96789a2331a2b4_d074e963-e145-4023-a9fd-62e8487f6c10 Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/retadpu1000106.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip/kpdsrngl.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip/dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
    C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4 ZIP: infected - 3 skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a ZIP: infected - 3 skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b/NewSecurityClassLoader.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b/NewURLClassLoader.class Infected: Exploit.Java.ByteVerify skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b ZIP: infected - 4 skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d/Counter.class Infected: Trojan.Java.ClassLoader.i skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d/VerifierBug.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d ZIP: infected - 3 skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393/Matrix.class Infected: Trojan-Downloader.Java.OpenStream.c skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393/Counter.class Infected: Trojan.Java.ClassLoader.h skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393/Parser.class Infected: Trojan.Java.ClassLoader.d skipped
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393 ZIP: infected - 3 skipped
    C:\Documents and Settings\Billy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-12-2008( 22-11-57 ).LOG Object is locked skipped
    C:\Documents and Settings\Billy\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Deleted Items.dbx/[From "kolby sisk" <[email protected]>][Date Sat, 9 Jul 2005 19:28:05 -0500]/pkvideo.exe Infected: not-a-virus:Monitor.Win32.Ardamax.20 skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 1 skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Inbox.dbx/[From from <[email protected]> forward (org good) [db-null]][Date Sat, 12 Aug 2006 17:21:15 +0300]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\Application Data\Microsoft\Zune\CurrentDatabase_365.wmdb Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\History\History.IE5\MSHist012008041320080414\index.dat Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\Temp\hpotdd002.log Object is locked skipped
    C:\Documents and Settings\Billy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe/WISE0044.BIN/stream/data0005 Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe/WISE0044.BIN/stream Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe/WISE0044.BIN Infected: not-a-virus:AdWare.Win32.Mostofate.aa skipped
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe WiseSFX: infected - 3 skipped
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe WiseSFXDropper: infected - 3 skipped
    C:\Documents and Settings\Billy\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Billy\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Billy\Shared\06 Track 6.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
    C:\Documents and Settings\Billy\Shared\aaron carter- girl you shine.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
    C:\Documents and Settings\Billy\Shared\atreyu falling down.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\Documents and Settings\Billy\Shared\its about love - medic droid.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
    C:\Documents and Settings\Billy\Shared\jonas brother how we roll.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\Documents and Settings\Billy\Shared\matchbox romance - the promise.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
    C:\Documents and Settings\Billy\Shared\realize colbie calliet.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
    C:\Documents and Settings\Billy\Shared\rob zombie - i am hell.wm Infected: Trojan-Downloader.WMA.Wimad.m skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\NoLopBackups\Snapsnet.exe.infected/data0005 Infected: Trojan-Downloader.Win32.VB.bgd skipped
    C:\NoLopBackups\Snapsnet.exe.infected NSIS: infected - 1 skipped
    C:\NoLopBackups\Wndbc7.tmp.infected Infected: Trojan.Win32.Dialer.qn skipped
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI/Cabs.w1.cab/loadadv458.exe Infected: Trojan-Downloader.Win32.Agent.xq skipped
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI/Cabs.w1.cab Infected: Trojan-Downloader.Win32.Agent.xq skipped
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI Embedded: infected - 2 skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp\D-Helper Web Driver\Setup.exe Object is locked skipped
    C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp\D-Helper Web Driver\Setup.ini Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\ddaby.dll.vir Infected: Packed.Win32.Monder.gen skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\fteylgcr.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\jkkjj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vr skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\mxvyxiyl.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\saoeauaf.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\ssqrs.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.vr skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\sstqo.dll.vir Infected: Packed.Win32.Monder.gen skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\sudabpuk.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\ugyqkbgd.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\vjodmyjl.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\xxjkkxkl.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\yrfmncfn.dll.vir Infected: Trojan.Win32.BHO.hj skipped
    C:\qoobox\Quarantine\catchme2007-09-16_130205.15.zip/qommjhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\qoobox\Quarantine\catchme2007-09-16_130205.15.zip ZIP: infected - 1 skipped
    C:\qoobox\Quarantine\catchme2007-09-24_ 64025.43.zip/qomkhfg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\qoobox\Quarantine\catchme2007-09-24_ 64025.43.zip ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0522974.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0522989.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0524029.dll Infected: Trojan-Downloader.Win32.Mutant.ig skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0524035.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0524036.sys Infected: Trojan.Win32.Agent.gxi skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0524046.exe Infected: Trojan-Spy.Win32.Zbot.arw skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524057.sys Infected: Trojan.Win32.Agent.gxi skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524058.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524081.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.l skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524082.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.k skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524083.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.j skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524110.exe Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524146.dll Infected: not-a-virus:FraudTool.Win32.AntiVirPro.g skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524148.exe Infected: not-a-virus:FraudTool.Win32.AntiVirPro.g skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524153.exe Infected: Email-Worm.Win32.Zhelatin.ww skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524154.exe Infected: Trojan.Win32.Agent.jdn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524155.exe Infected: Email-Worm.Win32.Zhelatin.ww skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524156.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524159.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524160.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524162.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524163.exe Infected: Worm.Win32.Socks.bn skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524171.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524171.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.w skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524171.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524172.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524178.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524178.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524179.exe Infected: Trojan-Downloader.Win32.Agent.kwg skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524184.sys Infected: Rootkit.Win32.Agent.ahe skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524193.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524195.dll Infected: not-a-virus:AdWare.Win32.Rabio.m skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524198.exe Infected: Trojan-Downloader.Win32.Homles.au skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524294.exe Infected: Trojan-Spy.Win32.Zbot.avh skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524297.dll Infected: Trojan-Downloader.Win32.Mutant.ig skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524300.exe Infected: Trojan-Spy.Win32.Zbot.arw skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524302.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524303.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524304.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524305.exe Infected: Trojan.Win32.Patched.aa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\A0524306.dll Infected: Trojan-Downloader.Win32.Agent.mbw skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\snapshot\MFEX-1.DAT Infected: Trojan-Downloader.Win32.Mutant.hm skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612\A0525505.sys Infected: Trojan-Downloader.Win32.Agent.lxa skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612\A0525507.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612\A0525508.dll Infected: Packed.Win32.Monder.gen skipped
    C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP614\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\f02WtR(2)\f02WtR1065.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hbinter.exe/data.rar/targetsaver.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
    C:\WINDOWS\system32\hbinter.exe/data.rar Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
    C:\WINDOWS\system32\hbinter.exe RarSFX: infected - 2 skipped
    C:\WINDOWS\system32\hqwoeumdxt\lolz.exe Infected: Trojan-Clicker.Win32.Small.lk skipped
    C:\WINDOWS\system32\hqwoeumdxt\wee.exe Infected: Trojan-Clicker.Win32.Small.lk skipped
    C:\WINDOWS\system32\jbbakflf.dll Infected: Packed.Win32.Monder.gen skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\WLCtrl32.dl_ Infected: Trojan-Downloader.Win32.Mutant.hm skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    H:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP614\change.log Object is locked skipped

    Scan process completed.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\1E1.tmp
      C:\1E2.tmp
      C:\C.tmp
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip
      C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip
      C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4
      C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a
      C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b
      C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d
      C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393
      C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe
      C:\Documents and Settings\Billy\Shared\06 Track 6.wma
      C:\Documents and Settings\Billy\Shared\aaron carter- girl you shine.wm
      C:\Documents and Settings\Billy\Shared\atreyu falling down.mp3
      C:\Documents and Settings\Billy\Shared\its about love - medic droid.wm
      C:\Documents and Settings\Billy\Shared\jonas brother how we roll.mp3
      C:\Documents and Settings\Billy\Shared\matchbox romance - the promise.wm
      C:\Documents and Settings\Billy\Shared\realize colbie calliet.mp3
      C:\Documents and Settings\Billy\Shared\rob zombie - i am hell.wm
      C:\NoLopBackups\Snapsnet.exe.infected
      C:\NoLopBackups\Wndbc7.tmp.infected
      C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI
      C:\WINDOWS\system32\f02WtR(2)\f02WtR1065.exe
      C:\WINDOWS\system32\hbinter.exe
      C:\WINDOWS\system32\hqwoeumdxt
      C:\WINDOWS\system32\jbbakflf.dll
      C:\WINDOWS\system32\WLCtrl32.dl_
      
      
    • Return to OTMoveIt2, right click in the Paste Custom List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post with a new hijackthis log.
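One way to go from a scanner report like the one above to a move list of the kind cybertech assembled by hand, as an added example in Python (it is not a tool from this thread, from Kaspersky, or from OldTimer's OTMoveIt2): it parses the report lines, collapses archive and mailbox members onto the file that actually sits on disk, de-duplicates, and sorts hits by where they live so that copies inside a quarantine folder or a System Restore snapshot are not mistaken for an active infection. The location classes, and the choice to hold back "not-a-virus:" hits for a human decision instead of moving them, are this example's own assumptions rather than the moderator's rules; the sample lines are copied from the report posted above.

```python
"""Triage helper for Kaspersky Online Scanner report lines (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Three line shapes occur in the report above:
#   "<object> Infected: <verdict> skipped"            a detection
#   "<object> <container>: infected - <n> skipped"    archive/mailbox summary
#   "<object> Object is locked skipped"               unreadable, not a verdict
_LINE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<verdict>\S+)"
    r"|[A-Za-z0-9 ]+?: infected - \d+"
    r"|Object is locked) skipped$"
)


@dataclass(frozen=True)
class Detection:
    path: str      # on-disk object; archive members are collapsed onto it
    member: str    # path inside the archive, "" for a plain file
    verdict: str   # verdict as printed, e.g. Trojan-Spy.Win32.Zbot.arw
    category: str  # location class from classify()
    pua: bool      # "not-a-virus:" adware/riskware verdict, needs a human call


def classify(path: str) -> str:
    """Location classes: this example's own heuristic, not the scanner's."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"  # snapshot copies, cleared by purging System Restore
    if "\\qoobox\\" in low or "\\quarantine\\" in low or low.endswith(".infected"):
        return "quarantine"     # already neutralised by another tool
    if low.endswith((".dbx", ".pst")):
        return "mail_store"     # attachment inside a mailbox, not an executed file
    return "live"


def parse_line(line: str):
    """Detection for a verdict line; None for locked objects and summaries."""
    m = _LINE.match(line.strip())
    if not m or not m.group("verdict"):
        return None
    # "/" never occurs in a Windows path, so it marks the archive boundary.
    path, _, member = m.group("obj").partition("/")
    verdict = m.group("verdict")
    return Detection(path, member, verdict, classify(path),
                     verdict.startswith("not-a-virus:"))


def triage(report: str):
    """All detections plus {category: sorted unique on-disk paths}."""
    dets = [d for d in map(parse_line, report.splitlines()) if d]
    by_cat = {}
    for d in dets:
        by_cat.setdefault(d.category, set()).add(d.path)
    return dets, {k: sorted(v) for k, v in by_cat.items()}


def verdict_counts(report: str) -> Counter:
    """How often each verdict name occurs, one count per flagged object."""
    return Counter(d.verdict for d in triage(report)[0])


def move_list(report: str) -> list:
    """Live, non-riskware objects: the candidates for a file-move tool.
    Quarantine, restore-point and mailbox hits are left out, and
    "not-a-virus:" hits are held back for review rather than moved blindly."""
    dets, _ = triage(report)
    return sorted({d.path for d in dets if d.category == "live" and not d.pua})


# Lines copied from the Kaspersky report posted above.
SAMPLE = r"""
C:\1E1.tmp Infected: Trojan-Spy.Win32.Zbot.arw skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4 ZIP: infected - 3 skipped
C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Inbox.dbx/[From from <[email protected]> forward (org good) [db-null]][Date Sat, 12 Aug 2006 17:21:15 +0300]/html Infected: Trojan-Spy.HTML.Bayfraud.kx skipped
C:\Documents and Settings\Billy\Local Settings\Application Data\Identities\{F94C907D-6128-43E3-941D-B002886389EB}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ddaby.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605\A0522974.exe Infected: Worm.Win32.Socks.bn skipped
C:\WINDOWS\system32\hbinter.exe/data.rar/targetsaver.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINDOWS\system32\hbinter.exe/data.rar Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\WINDOWS\system32\hbinter.exe RarSFX: infected - 2 skipped
C:\WINDOWS\system32\jbbakflf.dll Infected: Packed.Win32.Monder.gen skipped
"""

if __name__ == "__main__":
    dets, by_cat = triage(SAMPLE)
    print(len(dets), "detections;", {k: len(v) for k, v in by_cat.items()})
    print("\n".join(move_list(SAMPLE)))
```

Run against the sample, the three hbinter.exe lines and the two Java cache members collapse to one on-disk object each, the locked system files and the "ZIP:" / "Mail MS Outlook 5:" summaries drop out because they carry no verdict, and the restore-point, qoobox and mailbox hits are reported in their own buckets instead of the move list. The regex deliberately demands the trailing "skipped" and a verdict with no whitespace, so a path containing spaces (every "Documents and Settings" entry) cannot be split in the wrong place.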
     
  9. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    Results

    C:\1E1.tmp moved successfully.
    C:\1E2.tmp moved successfully.
    C:\C.tmp moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch1.zip moved successfully.
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZenoSearch2.zip moved successfully.
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\21\23268f15-22e2cea4 moved successfully.
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\24\3e021ed8-2ef7e10a moved successfully.
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\34\3110eaa2-42fca70b moved successfully.
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\39\4ae1eea7-276ae06d moved successfully.
    C:\Documents and Settings\Billy\Application Data\Sun\Java\Deployment\cache\6.0\42\671473ea-1d07f393 moved successfully.
    C:\Documents and Settings\Billy\My Documents\Installers\BearShareV6.exe moved successfully.
    C:\Documents and Settings\Billy\Shared\06 Track 6.wma moved successfully.
    C:\Documents and Settings\Billy\Shared\aaron carter- girl you shine.wm moved successfully.
    File/Folder C:\Documents and Settings\Billy\Shared\atreyu falling down.mp3 not found.
    C:\Documents and Settings\Billy\Shared\its about love - medic droid.wm moved successfully.
    File/Folder C:\Documents and Settings\Billy\Shared\jonas brother how we roll.mp3 not found.
    C:\Documents and Settings\Billy\Shared\matchbox romance - the promise.wm moved successfully.
    C:\Documents and Settings\Billy\Shared\realize colbie calliet.mp3 moved successfully.
    C:\Documents and Settings\Billy\Shared\rob zombie - i am hell.wm moved successfully.
    C:\NoLopBackups\Snapsnet.exe.infected moved successfully.
    C:\NoLopBackups\Wndbc7.tmp.infected moved successfully.
    C:\Program Files\Common Files\Wise Installation Wizard\WISCDEBF9E7BCEB43A7986CE66377C28ABC_1_0_0.MSI moved successfully.
    C:\WINDOWS\system32\f02WtR(2)\f02WtR1065.exe moved successfully.
    C:\WINDOWS\system32\hbinter.exe moved successfully.
    C:\WINDOWS\system32\hqwoeumdxt moved successfully.
    LoadLibrary failed for C:\WINDOWS\system32\jbbakflf.dll
    C:\WINDOWS\system32\jbbakflf.dll NOT unregistered.
    C:\WINDOWS\system32\jbbakflf.dll moved successfully.
    C:\WINDOWS\system32\WLCtrl32.dl_ moved successfully.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04132008_150050
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Post a new hijackthis log and let me know if you are having any problems.
     
  11. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    So far everything seems to be fine; I'll let you know if anything unexpected happens.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:06:30 PM, on 2008-04-13
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-45c49cbaf7a58b5a.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABB4DFE-88F5-40C4-A923-6A735645E98C}: NameServer = 208.54.220.21 209.142.136.85
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7509 bytes
     
  12. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    Also, is it normal that there are about 7 C:\WINDOWS\System32\svchost.exe running in my processes?
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe

    Close all applications and browser windows before you click "fix checked".



    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\windows\abcdefg23.exe
    • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt2
    If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.



    Click here to download Dr.Web CureIt and save it to your desktop.
    • Double-click the drweb-cureit.exe file and allow it to run the express scan.
    • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, check whether you can click the next icon next to the files found.
    • If so, click it, then click the next icon right below and select Move incurable, as shown in the next image.
    • This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
    • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
    • Save the report to your desktop. The report will be called DrWeb.csv.
    • Close Dr.Web CureIt.
    • Reboot your computer, because files in use may be moved/deleted during the reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
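Kolby's question about the number of svchost.exe instances and cybertech's list of O4 entries to fix both come down to reading the HijackThis log methodically. The following is an added example (not code from this thread, from HijackThis, or from any of the tools named here) that parses HJT log excerpts: it counts svchost.exe instances (several, all from System32, are normal on XP since each hosts a group of services), flags core Windows binary names running from any other directory, and diffs the O4 autostart entries between a before and after log. The sample logs are excerpts of the two logs posted in this thread; the `C:\WINDOWS\system32\hqwoeumdxt\lsass.exe` process line is constructed for illustration (the Dr.Web report later in the thread shows a fake lsass.exe was moved out of that folder), and the regex and helper names are my own assumptions, not HijackThis conventions.

```python
"""Added example: read HijackThis log excerpts, count svchost.exe instances,
flag core Windows binaries running from the wrong directory, and list which
O4 autostart entries disappeared between a before and an after log."""
import re

# Core Windows binaries that, on XP, should only run from %SystemRoot%\System32.
CORE_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"

# Matches lines of the form:  O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Excerpt of the O4 lines from the first log posted in the thread (before the fix).
SAMPLE_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\RunServicesOnce: [BT000037] C:\windows\abcdefg23.exe
"""

# Excerpt of the second log (after the fix). The final process line is constructed
# for illustration and was not in the posted log.
SAMPLE_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hqwoeumdxt\lsass.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
"""


def parse_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if not line:
                break
            procs.append(line)
    return procs


def count_svchost(procs):
    """Count svchost.exe instances; several from System32 are normal, one per service group."""
    return sum(1 for p in procs if p.lower().rpartition("\\")[2] == "svchost.exe")


def misplaced_core_binaries(procs):
    """Core binary names running outside System32, a common masquerading trick."""
    bad = []
    for p in procs:
        directory, _, name = p.lower().rpartition("\\")
        if name in CORE_BINARIES and directory != SYSTEM32:
            bad.append(p)
    return bad


def parse_o4(log_text):
    """Map (hive, key, entry name) -> command for every O4 line in the log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["key"], m["name"])] = m["cmd"]
    return entries


def removed_o4(before_log, after_log):
    """O4 entries present in the before log and gone in the after log, sorted."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    return sorted(k for k in before if k not in after)


if __name__ == "__main__":
    procs = parse_processes(SAMPLE_AFTER)
    print("svchost.exe instances:", count_svchost(procs))
    print("core binaries outside System32:", misplaced_core_binaries(procs))
    for hive, key, name in removed_o4(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"removed: {hive}\\..\\{key} [{name}]")
```

The diff of O4 entries is the quick way to confirm that "fix checked" actually removed what was ticked; the directory check on core binary names is what would have caught the fake lsass.exe while it was still running.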
     
  14. Kolby

    Kolby Thread Starter

    Joined:
    Sep 12, 2007
    Messages:
    28
    ok, DrWeb log..

    FIND3M.bat;C:\ComboFix;Probably SCRIPT.Virus;Incurable.Moved.;
    Process.exe;C:\Documents and Settings\Billy\My Documents\Anti-Virus Crap\SDFix\apps;Tool.Prockill;Incurable.Moved.;
    WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
    MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
    mirc.chm\ctcp_events.htm;C:\Program Files\mIRC\mirc.chm;IRC.Generic.32;;
    mirc.chm;C:\Program Files\mIRC;Archive contains infected objects;Moved.;
    mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Moved.;
    Setup.exe;C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp\D-Helper Web Driver;Adware.Dialhelp;Incurable.Moved.;
    ddaby.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based;Incurable.Moved.;
    fteylgcr.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    gmrdnira.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    mxvyxiyl.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    saoeauaf.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    sstqo.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based;Incurable.Moved.;
    sudabpuk.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    ugyqkbgd.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    vjodmyjl.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    vxgjwpgj.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    woghasbh.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    xxjkkxkl.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    yivtpyoj.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    yrfmncfn.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
    f02WtR1065.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR;Trojan.DownLoader.24715;Deleted.;
    Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
    A0523027.bat;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605;Probably SCRIPT.Virus;Incurable.Moved.;
    A0524013.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605;Trojan.Packed.142;Deleted.;
    A0524029.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605;Trojan.DownLoader.54123;Deleted.;
    A0524036.sys;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605;Trojan.NtRootKit.927;Deleted.;
    A0524057.sys;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.NtRootKit.927;Deleted.;
    A0524088.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Packed.142;Deleted.;
    A0524153.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Packed.426;Deleted.;
    A0524154.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.DownLoader.55671;Deleted.;
    A0524155.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Packed.426;Deleted.;
    A0524159.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524160.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524161.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Packed.142;Deleted.;
    A0524166.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Adware.SearchAid.origin;Incurable.Moved.;
    A0524172.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Adware.ClickSpring - read error;;
    A0524193.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Adware.Rabio;Incurable.Moved.;
    A0524198.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.DownLoader.45546;Deleted.;
    A0524297.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.DownLoader.54123;Deleted.;
    A0524302.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524303.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524304.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524305.exe;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Starter.384;Cured.;
    A0524306.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Trojan.Proxy.origin;Incurable.Moved.;
    MFEX-1.DAT;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606\snapshot;Trojan.DownLoader.54123;Deleted.;
    A0525505.sys;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612;Trojan.DownLoader.50037;Deleted.;
    A0525507.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612;Trojan.Click.4739;Deleted.;
    A0525508.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP612;Trojan.Click.4739;Deleted.;
    Wndbc7.tmp.infected;C:\_OTMoveIt\MovedFiles\04132008_150050\NoLopBackups;Trojan.Mezzia;Deleted.;
    jbbakflf.dll;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32;Trojan.Click.4739;Deleted.;
    WLCtrl32.dl_;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32;Trojan.DownLoader.54123;Deleted.;
    f02WtR1065.exe;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32\f02WtR(2);Trojan.DownLoader.24715;Deleted.;
    lolz.exe;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32\hqwoeumdxt;Trojan.StartPage.21079;Deleted.;
    lsass.exe;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32\hqwoeumdxt;BackDoor.Aim.33;Deleted.;
    wee.exe;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32\hqwoeumdxt;Trojan.StartPage.21079;Deleted.;




    and new HiJack log..

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:07:51 PM, on 2008-04-17
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\lxcycoms.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,[email protected]
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-45c49cbaf7a58b5a.spaces.live.com/PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab55579.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1ABB4DFE-88F5-40C4-A923-6A735645E98C}: NameServer = 208.54.220.21 209.142.136.85
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 7198 bytes
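The Dr.Web report above is long, but most of its lines are copies already sitting in tool quarantines (C:\qoobox\Quarantine, C:\_OTMoveIt\MovedFiles, the Yahoo quarantine) or in System Restore points, not files that were active on the machine. The following is an added example (not code from this thread or from Dr.Web) that parses the DrWeb.csv line format, `file;directory;threat;action;`, and groups detections by where the file lived and by the action taken, so the live hits and the lines Dr.Web could not handle (an empty action, such as the read error entry) stand out. The sample report is an excerpt of the log posted above; the location markers and function names are my own assumptions.

```python
"""Added example: triage a Dr.Web CureIt report (DrWeb.csv).
Each line is  file;directory;threat;action;  with a trailing separator."""
from collections import Counter

# Excerpt of the report posted in this thread, used as sample input.
SAMPLE_REPORT = r"""
FIND3M.bat;C:\ComboFix;Probably SCRIPT.Virus;Incurable.Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
mirc.chm\ctcp_events.htm;C:\Program Files\mIRC\mirc.chm;IRC.Generic.32;;
ddaby.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.based;Incurable.Moved.;
fteylgcr.dll.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0524036.sys;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP605;Trojan.NtRootKit.927;Deleted.;
A0524172.dll;C:\System Volume Information\_restore{B9D53F92-0DC4-4FAB-A416-CA460472F579}\RP606;Adware.ClickSpring - read error;;
lsass.exe;C:\_OTMoveIt\MovedFiles\04132008_150050\WINDOWS\system32\hqwoeumdxt;BackDoor.Aim.33;Deleted.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
"""

# Directory fragments (lower-case) that mark a file as already set aside by a removal tool.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine", "\\_otmoveit\\movedfiles", "\\quarantine\\")
# System Restore keeps copies of old files under this path.
RESTORE_PREFIX = "c:\\system volume information\\_restore"


def parse_report(text):
    """Split each non-empty line into name, directory, threat and action."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        # The trailing ';' yields an empty last field; pad so short lines still unpack.
        name, directory, threat, action = (fields + [""] * 4)[:4]
        rows.append({"name": name, "directory": directory, "threat": threat, "action": action})
    return rows


def location_class(directory):
    """Classify where the detected file lived: live, quarantine or restore_point."""
    d = directory.lower()
    if d.startswith(RESTORE_PREFIX):
        return "restore_point"
    if any(marker in d for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "live"


def triage(rows):
    """Summarise the report and pull out the entries that still need attention."""
    by_location = Counter(location_class(r["directory"]) for r in rows)
    by_action = Counter(r["action"] or "(none)" for r in rows)
    unresolved = [r for r in rows if not r["action"]]
    live = [r for r in rows if location_class(r["directory"]) == "live"]
    return {"by_location": by_location, "by_action": by_action,
            "unresolved": unresolved, "live": live}


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    print("by location:", dict(summary["by_location"]))
    print("by action:  ", dict(summary["by_action"]))
    for r in summary["live"]:
        print("live hit:", r["directory"] + "\\" + r["name"], "->", r["threat"], r["action"])
    for r in summary["unresolved"]:
        print("no action taken:", r["name"], "->", r["threat"])
```

Reading the real report this way, the live entries are removal-tool leftovers (FIND3M.bat, Process.exe), the mIRC files and the WeatherBug adware, while every Virtumonde, rootkit and downloader hit is a quarantined or restore-point copy, which matches the clean process list in the new HijackThis log.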
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:

    • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
    • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 6. The Java SE Runtime Environment (JRE) allows end-users to run Java applications (the fourth one in the list).
    • Click the "Download" button to the right. A new page will open.
    • Select your platform and check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
    • Click Continue.
    • Click on the link under Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
    • Go to Start - Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Close any programs you may have running - especially your web browser.
    • Then from your desktop double-click on the download to install the newest version.


    Are you having any problems now?
     
Short URL to this thread: https://techguy.org/701130