Malicious Malware with highjackers - moved by Tom
sstacy65
September 23rd, 2007, 04:50 PM
I am not too computer literate when it comes to the technical stuff on a computer. First off, I am running a Windows XP system. The system has warned me repeatedly that I have severe issues. The latest system scan told me I have over 137 viruses and malware; 31 are Trojans and approx. 12 are hijackers. My system has constantly been shutting down, and upon rebooting the blue screen appears saying checking file system C. Each time it runs this it shows it checking or doing something different. When starting a week ago, when completed it would show this:
- Insufficent disk space to cross-linked portion
- windows\dump4f01.tmp first allocation is not valid
(dump4f1f.tmp) <<this also included
- The size of the windows\debug\usermode\userenv.log entry is not valid
Entry will be truncated
It also said the volume serial number was 94D4-518f.
Then it would show it truncated 137 items.
Other error messages I have gotten: gpt.ini is not accessable - assuming default state.
Just earlier a black box window opened up, and in the bar at the top left it showed: 7tudm-a300.a44.410001. Then Windows Antivirus 2007 pops up telling me to download it.
I didn't. That is one of my biggest problems: no matter what it is, system, program or other, the minute I click run to download, the system shuts down. So I am in a real bad situation here, not being able to download anything for help.
I am sure it's in my root directory as I have received error messages stating so.
My system is at a critical stage now and I am not sure how much longer I can keep it operating. Please, can someone help? What do I do? If you need anything else let me know. I will get it to you right away.
Tom
September 27th, 2007, 03:37 AM
Howdy sstacy65,
A belated welcome to CTH. We'll need to see what all is loaded there first, then determine what issues might be found.
Please download HijackThis from Here (http://www.cybertechhelp.com/download/file/self-extracting-hijack-this-installer). Then click on the downloaded file to install HijackThis. After it is installed open HijackThis and select Do a system scan and save logfile. Use copy/paste and post that log back here for review.
Also go Here (http://www.silentrunners.org/sr_download.html) and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here. You can use separate posts here if needed.
sstacy65
September 27th, 2007, 11:51 AM
Logfile of HijackThis v1.99.1
Scan saved at 3:42:33 AM, on 9/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe ,
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Zango - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.341.0\HostIE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [pas_check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ltaockig.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Oobpcln] "C:\Documents and Settings\Administrator\My Documents\?racle\c?rss.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 30\imc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm484YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184345451396
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader4.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://games.tagged.com/online/online2/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/eng/darts_2_0_0_40.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab
O16 - DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} (GameDesire Slots 80th) - http://67.15.101.33/g_bin/eng/slots80_2_0_0_35.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5126/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\gagfnwfs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
sstacy65
September 27th, 2007, 11:56 AM
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" [** WMI GetObject error **]
"Oobpcln" = ""C:\Documents and Settings\Administrator\My Documents\*racle\c*rss.exe"" (unwritable string) [file not found]
sstacy65
September 27th, 2007, 12:07 PM
Does it make a difference that I ran these in safe mode?
Tom
September 28th, 2007, 12:16 AM
Yes. I will indicate when Safe Mode is to be used, so if it isn't stated the steps should be done in normal mode. That Silent Runners log is very cut off there; it looks like you didn't wait for the scan to complete and notify you it was done. But there is enough information here that shows the infection and suggests we start repairs. Unfortunately some of the infection you may have been tricked into installing, so let's see what will uninstall.
Go to Start > Run and type
cmd
and OK. Type the commands below and hit "Enter" after each line:
sc stop DomainService
sc delete DomainService
Type Exit to close.
---------------------------------
Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.
Zango/Seekmo
ProfileWatcher (see here (http://www.vitalsecurity.org/2006/11/profilewatcher-spreads-zango-on.html))
FriendFinder Messenger (see here (http://www.bleepingcomputer.com/uninstall/397/FriendFinder-Messenger.html))
-------------------------------
Then Download ComboFix.exe from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop, and click the downloaded file to run the repair.
When the command window opens, select 1 (and Enter). Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
----------------------------
Go here (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE) and download the free version of SUPERAntiSpyware and install it.
After installation accept any prompts to allow SUPERAntiSpyware to install the latest infection definition files. Next follow the prompts to complete the installation. For now, uncheck the option to have SUPERAntiSpyware "Automatically check for program and definition updates". Providing an email address and allowing the software to send diagnostic reports to its research center are up to you. Do NOT allow SUPERAntiSpyware to Protect your Home Page settings.
Once the installation is complete open SUPERAntiSpyware and press the Preferences button. Under the General and Startup tab, uncheck the following (leaving all other settings as is).
Start-up Options:
*Start SUPERAntiSpyware when Windows starts
Automatic Updates:
*Check for program updates when the application starts.
Start-up Scanning:
*Check for updates before scanning on startup.
Then select Close. Don't scan just yet though.
-----------------------
Go Here (http://www.atribune.org/ccount/click.php?id=1) and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).
If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.
===============================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
Open SUPERAntiSpyware and click the Scan your Computer button. Making sure that Fixed Drive (NTFS) is checked (typically the C Drive), check "Perform Complete Scan", then click Next. SUPERAntiSpyware will now complete a system scan.
SUPERAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found. Make sure that they all have a check next to them and click Next. If prompted allow the reboot (or manually reboot at this time), and after the reboot open SUPERAntiSpyware again (double click the bug-shaped Taskbar icon).
Click Preferences, then under the Statistics/Logs tab, click to select the most recent Scan Log, then click View Log. Save the log to your desktop, and copy/paste the text from the log back here.
And post back a new HijackThis log along with the combofix.txt log and the Super log please.
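Tom's reply above acts on a handful of entries from the HijackThis log (the DomainService service, the Zango toolbar, the autoruns in the Windows directory, the program chained after userinit.exe). The Python script below is an added example and is not part of this thread or of HijackThis itself: it parses the 1.99.1 line layout shown in the log, flags the entry kinds an analyst checks first, and uses a constructed sample made of lines from that log. The regular expressions assume the exact line shapes printed above.

```python
"""Triage a HijackThis 1.99 log: pull out the entry kinds an analyst checks first."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Finding:
    line: str    # the HijackThis line the finding came from
    reason: str  # why it deserves a closer look


# Line shapes as HijackThis 1.99.1 prints them (same layout as the log in this thread).
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \(.*?\))? - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.*?)\s?- (.+)$")
DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|scr))', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def target_of(command):
    """Module an O4 command launches: first drive-letter path, else the first token."""
    m = DRIVE_PATH_RE.search(command)
    return m.group(1) if m else command.strip('"').split()[0]


def check_userinit(line, value):
    # The default Winlogon UserInit value is one program (userinit.exe) plus a trailing
    # comma; anything chained after it runs at every logon, before the shell starts.
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [Finding(line, f"extra program chained after userinit.exe: {p}") for p in parts[1:]]


def check_o4(line, command):
    out = []
    target = target_of(command)
    low = target.lower()
    if re.match(r"^c:\\windows\\[^\\]+$", low):
        out.append(Finding(line, "autorun executable placed directly in the Windows directory"))
    if "\\temp\\" in low:
        out.append(Finding(line, "autorun executable in a Temp directory"))
    if "\\my documents\\" in low or "\\documents and settings\\" in low:
        out.append(Finding(line, "autorun executable inside a user profile folder"))
    if "?" in target or "*" in target:
        out.append(Finding(line, "path has characters the log could not display ('?'): look-alike name"))
    if RUNDLL_RE.match(command):
        out.append(Finding(line, "rundll32 loads a DLL at logon; verify the DLL's origin"))
    return out


def triage(log_text):
    """Return a Finding for every line of a HijackThis log that merits review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(Finding(line, "orphaned entry: the registered file no longer exists"))
            continue
        m = F2_RE.match(line)
        if m:
            findings.extend(check_userinit(line, m.group(1)))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(check_o4(line, m.group(4)))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group(1)).hostname
            if host and IPV4_RE.match(host):
                findings.append(Finding(line, f"ActiveX download from a bare IP address ({host})"))
            continue
        m = O23_RE.match(line)
        if m and m.group(2).strip().lower() in ("", "unknown owner"):
            findings.append(Finding(line, "service with no or unknown publisher"))
    return findings


# Constructed sample: a subset of the entries from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe ,
O3 - Toolbar: Zango - {07AA283A-43D7-4CBE-A064-32A21112D94D} - C:\Program Files\Zango\bin\10.0.341.0\HostIE.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ltaockig.dll",sitypnow
O4 - HKCU\..\Run: [Oobpcln] "C:\Documents and Settings\Administrator\My Documents\?racle\c?rss.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O23 - Service: DomainService - - C:\WINDOWS\system32\gagfnwfs.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The rules are heuristics for ordering review, not verdicts: ProtexisLicensing is flagged only because the log shows no publisher, and the legitimate Java and Bluetooth entries in the sample produce no finding.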
sstacy65
October 3rd, 2007, 02:38 AM
ComboFix 07-09-21.2 - "Administrator" 2007-10-02 15:36:38.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT -6:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\DOCUME~1\ADMINI~1.\posterm.dll
C:\DOCUME~1\ADMINI~1.\sthbdm32.dll
C:\DOCUME~1\ADMINI~1.\stubext.dll
C:\DOCUME~1\ADMINI~1.\systerm.exe
C:\DOCUME~1\ADMINI~1.\wintst.dll
C:\DOCUME~1\ADMINI~1\APPLIC~1\YSTEM~1
C:\DOCUME~1\ADMINI~1\err.log
C:\DOCUME~1\ADMINI~1\posterm.dll
C:\DOCUME~1\ADMINI~1\sthbdm32.dll
C:\DOCUME~1\ADMINI~1\stubext.dll
C:\DOCUME~1\ADMINI~1\systerm.exe
C:\DOCUME~1\ADMINI~1\wintst.dll
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\F.tmp
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\inetget2
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\poolsv
C:\Temp\1cb
C:\Temp\1cb\SYSCHECK.LOG
C:\temp\brr
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\jd2002.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\linkinfo.dll
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\pbsysie.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\0_exception.nls
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\drivers\bg_bg.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\close_ico.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\icon_warning_big.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\remove_spyware_header.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\spyware_detected.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_ico.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\yellow_warning_ico.gif
C:\WINDOWS\system32\ESHOPEE.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\help.txt
C:\WINDOWS\system32\jtyuwwks.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\oembios32.dll
C:\WINDOWS\system32\Q2
C:\WINDOWS\system32\Q2\MON33DLL.EXE
C:\WINDOWS\system32\spooldr.sys
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wintst.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\xcbqlbjo.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_ASC3550U
-------\LEGACY_FOPN
-------\LEGACY_FWDRV.SYS
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\ApiMon
-------\qqd.sys
-------\runtime
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-10-02 13:00 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-02 12:38 18,432 --a------ C:\WINDOWS\winh32.exe
2007-10-02 12:25 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-10-02 12:23 32,768 --a------ C:\WINDOWS\system32\ace16win.dll
2007-10-02 12:23 <DIR> d-------- C:\WINDOWS\system32\acespy
2007-10-02 12:18 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-10-02 12:18 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-10-02 12:01 53,248 --a------ C:\WINDOWS\system32\masterc.dll
2007-10-01 06:30 46,080 --a------ C:\WINDOWS\system32\mc.exe
2007-10-01 05:48 46,080 --a------ C:\WINDOWS\system32\symstore.exe
2007-10-01 05:48 18,944 --ah----- C:\WINDOWS\system32\drivers\protect.sys
2007-09-30 17:33 85,056 --a------ C:\WINDOWS\system32\lkpcmlsm.dll
2007-09-30 17:30 1,558,845 ---hs---- C:\WINDOWS\system32\eghhk.bak2
2007-09-30 14:07 6,448 ---hs---- C:\WINDOWS\system32\fihhk.ini2
2007-09-30 13:54 6,448 ---hs---- C:\WINDOWS\system32\fihhk.bak1
2007-09-30 13:35 71,542 --a------ C:\WINDOWS\system32\center1.exe
2007-09-30 13:34 226,166 --a------ C:\WINDOWS\system32\center.exe
2007-09-30 05:37 1 --a------ C:\WINDOWS\system32\rc.dat
2007-09-30 05:30 6,448 ---hs---- C:\WINDOWS\system32\eghhk.bak1
2007-09-30 05:30 340,544 --a------ C:\WINDOWS\system32\khhge.dll
2007-09-30 05:24 50,176 --a------ C:\WINDOWS\system32\btasv.dll
2007-09-30 05:24 40,830 --a------ C:\WINDOWS\system32\conf.dat
2007-09-30 05:24 376,832 --a------ C:\WINDOWS\system32\xxyvtts.dll
2007-09-30 05:24 376,832 --a------ C:\WINDOWS\system32\hgghiif.dll
2007-09-29 04:22 6,625 ---hs---- C:\WINDOWS\system32\aaabc.ini2
2007-09-29 03:58 6,448 ---hs---- C:\WINDOWS\system32\aaabc.bak1
2007-09-29 02:30 6,488 ---hs---- C:\WINDOWS\system32\jjllm.bak1
2007-09-29 02:25 <DIR> d-------- C:\Program Files\Temporary
2007-09-29 02:24 <DIR> d-------- C:\WINDOWS\system32\vMW10a
2007-09-29 02:24 <DIR> d-------- C:\Temp\xOe
2007-09-29 02:23 35,328 --a------ C:\WINDOWS\winshow.exe
2007-09-27 17:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-27 17:16 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-09-27 17:16 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2007-09-27 17:15 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-27 17:03 84,544 --a------ C:\WINDOWS\system32\aaivmgef.dll
2007-09-27 16:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:38 84,544 --a------ C:\WINDOWS\system32\hgnbrxfh.dll
2007-09-27 12:02 84,544 --------- C:\WINDOWS\system32\rshqugtk.dll
2007-09-27 11:39 84,544 --a------ C:\WINDOWS\system32\vdgrxhvf.dll
2007-09-26 14:17 84,032 --a------ C:\WINDOWS\system32\niuxpxus.dll
2007-09-25 06:29 84,032 --a------ C:\WINDOWS\system32\yahpdhfw.dll
2007-09-25 03:12 2,107,477 ---hs---- C:\WINDOWS\system32\qrtss.ini2
2007-09-24 22:22 <DIR> d-------- C:\Program Files\Antivirus Protection
2007-09-24 21:24 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-09-24 07:29 <DIR> d-------- C:\Program Files\QuickTime
2007-09-24 02:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-09-23 19:31 85,568 --a------ C:\WINDOWS\system32\wqmmuehs.dll
2007-09-23 13:42 5,664 --a------ C:\DOCUME~1\ADMINI~1\mssvmdll.dll
2007-09-23 13:41 4,640 --a------ C:\DOCUME~1\ADMINI~1\svhc32.dll
2007-09-23 13:39 5,664 --a------ C:\WINDOWS\system32\systerm.exe
2007-09-23 13:39 5,664 --a------ C:\WINDOWS\system32\mxcrtp.dll
2007-09-23 13:39 4,640 --a------ C:\WINDOWS\system32\uncwqs.dll
2007-09-23 13:35 5,664 --a------ C:\WINDOWS\system32\regdll32.exe
2007-09-23 13:35 5,664 --a------ C:\DOCUME~1\ADMINI~1\mxcrtp.dll
2007-09-23 07:23 2,144,087 ---hs---- C:\WINDOWS\system32\qrtss.bak2
2007-09-23 07:20 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-09-23 07:20 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-09-23 06:52 85,568 --a------ C:\WINDOWS\system32\bhhncrmt.dll
2007-09-23 06:46 2,115,810 ---hs---- C:\WINDOWS\system32\qrtss.bak1
2007-09-23 06:37 <DIR> d-------- C:\WINDOWS\system32\GRB9
2007-09-23 06:37 <DIR> d-------- C:\WINDOWS\system32\DLL2
2007-09-20 06:58 <DIR> d-------- C:\WINDOWS\pss
2007-09-20 02:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-09-20 02:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-20 02:07 <DIR> d-------- C:\Program Files\Google
2007-09-18 04:49 0 --a------ C:\WINDOWS\system32\ntkrpamp.exe
2007-09-18 04:49 0 --a------ C:\WINDOWS\system32\ntkrnlmp.exe
2007-09-18 03:08 <DIR> d--hs---- C:\FOUND.084
2007-09-18 03:00 <DIR> d--hs---- C:\FOUND.083
2007-09-17 11:39 <DIR> d--hs---- C:\FOUND.082
2007-09-17 11:34 <DIR> d--hs---- C:\FOUND.081
2007-09-17 11:12 <DIR> d--hs---- C:\FOUND.080
2007-09-17 11:07 <DIR> d--hs---- C:\FOUND.079
2007-09-17 11:03 <DIR> d--hs---- C:\FOUND.078
2007-09-16 19:18 <DIR> d--hs---- C:\FOUND.077
2007-09-16 09:19 <DIR> d--hs---- C:\FOUND.076
2007-09-16 09:15 <DIR> d--hs---- C:\FOUND.075
2007-09-16 09:11 <DIR> d--hs---- C:\FOUND.074
2007-09-16 07:01 <DIR> d--hs---- C:\FOUND.073
2007-09-16 06:57 <DIR> d--hs---- C:\FOUND.072
2007-09-16 06:53 <DIR> d--hs---- C:\FOUND.071
2007-09-16 06:48 <DIR> d--hs---- C:\FOUND.070
2007-09-16 06:44 <DIR> d--hs---- C:\FOUND.069
2007-09-16 06:39 <DIR> d--hs---- C:\FOUND.068
2007-09-16 06:35 <DIR> d--hs---- C:\FOUND.067
2007-09-16 06:30 <DIR> d--hs---- C:\FOUND.066
2007-09-16 06:26 <DIR> d--hs---- C:\FOUND.065
2007-09-16 06:21 <DIR> d--hs---- C:\FOUND.064
2007-09-16 06:17 <DIR> d--hs---- C:\FOUND.063
2007-09-16 06:12 <DIR> d--hs---- C:\FOUND.062
2007-09-16 06:08 <DIR> d--hs---- C:\FOUND.061
2007-09-16 06:03 <DIR> d--hs---- C:\FOUND.060
2007-09-16 05:59 <DIR> d--hs---- C:\FOUND.059
2007-09-16 05:54 <DIR> d--hs---- C:\FOUND.058
2007-09-16 05:50 <DIR> d--hs---- C:\FOUND.057
2007-09-16 05:45 <DIR> d--hs---- C:\FOUND.056
2007-09-16 05:41 <DIR> d--hs---- C:\FOUND.055
2007-09-16 05:36 <DIR> d--hs---- C:\FOUND.054
2007-09-16 05:32 <DIR> d--hs---- C:\FOUND.053
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-18 04:25 402560 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2007-09-18 04:25 402560 --a------ C:\WINDOWS\system32\DllCache\tcpip.sys
2007-09-15 05:32 2273402 --a------ C:\WINDOWS\system32\ntoskrnl.exe
2007-09-15 05:32 2150650 --a------ C:\WINDOWS\system32\ntkrnlpa.exe
2007-09-01 02:40 28672 --a------ C:\WINDOWS\system32\posterm.dll
2007-09-01 02:39 5664 --a------ C:\DOCUME~1\ADMINI~1\mstsk32.dll
2007-09-01 02:36 5664 --a------ C:\WINDOWS\system32\mssvmdll.dll
2007-09-01 02:36 5664 --a------ C:\DOCUME~1\ADMINI~1\krnl32.dll
2007-09-01 02:36 4640 --a------ C:\DOCUME~1\ADMINI~1\winhid64.dll
2007-08-24 07:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZangoSA
2007-08-24 07:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
2007-08-23 07:34 --------- d-------- C:\Program Files\Shockwave.com
2007-08-18 02:05 --------- d-------- C:\Program Files\ProfileWatcher
2007-08-12 00:44 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-10 04:03 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\GanymedeNet
2007-08-09 17:08 --------- d-------- C:\Program Files\AOL Games
2007-08-09 02:40 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-09 02:40 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-08-09 02:24 44288 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-09 01:36 --------- d--hs---- C:\Program Files\outlook
2007-08-09 01:33 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\WinRAR
2007-08-09 00:49 --------- d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\MP3Rocket
2007-08-09 00:48 --------- d-------- C:\Program Files\MP3 Rocket
2007-08-09 00:36 --------- d-------- C:\Program Files\Spyware & Adware Removal
2007-08-08 17:42 1763283 ---hs---- C:\WINDOWS\system32\vwyay.bak2
2007-08-03 04:26 6466 ---hs---- C:\WINDOWS\system32\vwyay.bak1
2007-08-02 13:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-07-31 03:52 774144 --a------ C:\Program Files\RngInterstitial.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-13 16:38 4608 --a------ C:\WINDOWS\system32\w95inf32.dll
.
C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
402,560 2007-09-18 10:25:36 C:\WINDOWS\system32\drivers\tcpip.sys
402,560 2007-09-18 10:25:32 C:\WINDOWS\system32\DllCache\tcpip.sys
360,576 2006-04-20 12:18:36 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
359,040 2004-08-04 11:14:42 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
sstacy65
October 3rd, 2007, 02:39 AM
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000012-890e-4aac-afd9-eff6954a34dd}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bf4e8b9-adf1-4613-99c0-81ba546438af}]
C:\WINDOWS\system32\hreqnce.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18ADF4E0-6158-4A8E-2902-4DB6783FF393}]
C:\WINDOWS\system32\ldppu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1adbcce8-cf84-441e-9b38-afc7a19c06a4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28FE5CF8-11DB-447c-9120-23508DA295F4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{666B02A6-E440-4B3F-9B6D-BD8706937F35}]
C:\WINDOWS\system32\cbaaa.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}]
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsys32.exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{900F1B37-83EA-4D43-AF90-AC6F5D08D59F}]
C:\WINDOWS\system32\yaywv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A623CE6B-5D06-497D-9FCE-7434A9E2BDA3}]
2007-09-30 05:30 340544 --a------ C:\WINDOWS\system32\khhge.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF3EDB98-9B70-4925-93A1-FFD2B3D62542}]
C:\WINDOWS\system32\sstrq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDA4EECA-6938-40ec-A076-3DEAEC1448D7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 14:05]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 10:19]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 09:21]
"ProfileWatcher"="C:\Program Files\ProfileWatcher\profilewatcher.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:56 C:\WINDOWS\system32\bthprops.cpl]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-24 07:29]
"winload"="C:\Program Files\Internet Explorer\winload.exe" [2007-09-30 05:24]
"bxproxy"="C:\WINDOWS\System32\krnl32.dll" []
"shellbn"="C:\WINDOWS\System32\posterm.dll" [2007-09-01 02:40]
"SearchIndexer"="C:\WINDOWS\system32\lkpcmlsm.dll" [2007-09-30 17:33]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 15:17]
"Oobpcln"="C:\Documents and Settings\Administrator\My Documents\?racle\c?rss.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"IMC"="C:\Program Files\FriendFinder\FriendFinder Messenger 30\imc.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:56]
"AWMON"="C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe" [2005-05-25 12:12]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=1 (0x1)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khhge]
C:\WINDOWS\system32\khhge.dll 2007-09-30 05:30 340544 C:\WINDOWS\system32\khhge.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjijkj]
ljjijkj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqnon]
urqqnon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vturrqo]
vturrqo.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywv]
C:\WINDOWS\system32\yaywv.dll
R0 protect;protect;C:\WINDOWS\system32\drivers\protect.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
Contents of the 'Scheduled Tasks' folder
"2007-10-02 06:00:02 C:\WINDOWS\Tasks\At25.job"
"2007-10-02 07:00:02 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 08:00:02 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 09:00:02 C:\WINDOWS\Tasks\At28.job"
"2007-10-02 10:00:02 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 11:00:02 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 12:00:02 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 13:00:02 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 14:00:02 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 15:00:02 C:\WINDOWS\Tasks\At34.job"
"2007-10-02 16:00:02 C:\WINDOWS\Tasks\At35.job"
"2007-10-02 17:00:02 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 18:00:04 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 19:00:02 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 20:00:02 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 21:00:02 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-01 22:00:02 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-01 23:00:02 C:\WINDOWS\Tasks\At42.job"
"2007-10-02 00:00:02 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 01:00:02 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 02:00:02 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 03:00:02 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 04:00:02 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\Y24d405u.exe
"2007-10-02 05:00:02 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\Y24d405u.exe
.
*******************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 15:43:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-02 15:48:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 15:48
.
--- E O F ---
sstacy65
October 3rd, 2007, 02:41 AM
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/02/2007 at 05:56 PM
Application Version : 3.9.1008
Core Rules Database Version : 3315
Trace Rules Database Version: 1316
Scan type : Complete Scan
Total Scan Time : 00:53:00
Memory items scanned : 392
Memory threats detected : 0
Registry items scanned : 5659
Registry threats detected : 1
File items scanned : 19174
File threats detected : 13
Adware.Accoona
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{944864a5-3916-46e2-96a9-a2e84f3f1208}
Trojan.Downloader-Gen/TStamp
C:\WINDOWS\SYSTEM32\TQHPGELR.EXE
Trojan.Downloader-Gen/Suspicious
C:\WINDOWS\SYSTEM32\SYMSTORE.EXE
C:\WINDOWS\SYSTEM32\MC.EXE
C:\28.TMP
C:\2F.TMP
Malware.SystemDoctor
C:\WINDOWS\DOWNLOADED PROGRAM FILES\USDR6_0001_D19M2108NETINSTALLER.EXE
Trojan.Downloader-FakeRX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3733E7A9-350E-44EF-989C-C6C055C152F1}\RP134\A0211101.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3733E7A9-350E-44EF-989C-C6C055C152F1}\RP134\A0212102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3733E7A9-350E-44EF-989C-C6C055C152F1}\RP134\A0212117.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3733E7A9-350E-44EF-989C-C6C055C152F1}\RP135\A0212241.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OEMBIOS32.DLL.VIR
Adware.eZula
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3733E7A9-350E-44EF-989C-C6C055C152F1}\RP135\A0212178.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JTYUWWKS.EXE.VIR
sstacy65
October 3rd, 2007, 02:45 AM
Logfile of HijackThis v1.99.1
Scan saved at 6:42:42 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Internet Explorer\winload.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {0bf4e8b9-adf1-4613-99c0-81ba546438af} - C:\WINDOWS\system32\hreqnce.dll (file missing)
O2 - BHO: (no name) - {18ADF4E0-6158-4A8E-2902-4DB6783FF393} - C:\WINDOWS\system32\ldppu.dll (file missing)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: Editor plugin - {28FE5CF8-11DB-447c-9120-23508DA295F4} - masterc.dll (file missing)
O2 - BHO: (no name) - {46CF09FC-2A44-408E-B0D7-2745B22F8B15} - C:\WINDOWS\system32\khhge.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {666B02A6-E440-4B3F-9B6D-BD8706937F35} - C:\WINDOWS\system32\cbaaa.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winsys32.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\usbgbuys.dll
O2 - BHO: (no name) - {900F1B37-83EA-4D43-AF90-AC6F5D08D59F} - C:\WINDOWS\system32\yaywv.dll (file missing)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {DF3EDB98-9B70-4925-93A1-FFD2B3D62542} - C:\WINDOWS\system32\sstrq.dll (file missing)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: Flash Module - {EDA4EECA-6938-40ec-A076-3DEAEC1448D7} - btasv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Administrator\uncwqs.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [ProfileWatcher] C:\Program Files\ProfileWatcher\profilewatcher.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKLM\..\Run: [bxproxy] C:\WINDOWS\System32\krnl32.dll
O4 - HKLM\..\Run: [shellbn] C:\WINDOWS\System32\posterm.dll
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bcijcfvg.dll",sitypnow
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Oobpcln] "C:\Documents and Settings\Administrator\My Documents\?racle\c?rss.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IMC] C:\Program Files\FriendFinder\FriendFinder Messenger 30\imc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm484YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.33/g_bin/eng/cards_2_0_0_75.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/eng/boards_2_0_0_34.cab
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184345451396
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.fubar.com/imgs/ImageUploader4.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://games.tagged.com/online/online2/mahjong_escape_ancient_japan/SpinTopGamesLauncher.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - https://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {8C63DABA-CBA8-4B5D-A0F7-AE00F2920929} (Bridge Installer) - http://cdn2.zone.msn.com/Bingame/BRDG/dataFiles/heartbeat.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/eng/darts_2_0_0_40.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
O16 - DPF: {D1D98C0F-A339-42AB-BD5F-EA0FF5D0E65F} (RockYou Image Uploader Control) - http://www.rockyou.com/RockYouImageUploader.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.33/g_bin/eng/mahjong_2_0_0_29.cab
O16 - DPF: {ECEAD8AE-01D6-11D5-9A39-0080C8D85044} (GameDesire Slots 80th) - http://67.15.101.33/g_bin/eng/slots80_2_0_0_35.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5126/mcfscan.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khhge - C:\WINDOWS\system32\khhge.dll
O20 - Winlogon Notify: ljjijkj - ljjijkj.dll (file missing)
O20 - Winlogon Notify: urqqnon - urqqnon.dll (file missing)
O20 - Winlogon Notify: vturrqo - vturrqo.dll (file missing)
O20 - Winlogon Notify: yaywv - C:\WINDOWS\system32\yaywv.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
**********************************************************
Please let me know what I should do next if anything.
Thank you for all your help so far.
Tom
October 3rd, 2007, 08:25 PM
Goodness but that is a very infected system. Usually infection does not have as many opportunities, unless updates and security patches aren't kept current - when was the last time you did a Windows update here? I do need to let you know the level of change caused by this infection is such that both the change done as well as the steps to remove the infection, if successful, may leave the system at a point requiring reformat/re-installation of the operating system. Of course one option is to go ahead and offload any personal data and do that reinstall now.
If we are to continue, you will need to secure an uninfected copy of the tcpip.sys file from a different computer with XP SP2 or from a friend who can provide a copy. Let me know when you have this available and we will start the next phase of repairs here.
sstacy65
October 12th, 2007, 07:04 AM
I really don't want to try to repair, for fear it will not completely fix and will just end up having the same problems over again. So I have purchased Windows Vista Home Premium. How do I go about installing this on my system? What do I need to do?
Tom
October 12th, 2007, 02:07 PM
If you have decided to install Vista let's move your request to our Vista forum, where you can get some best steps methods for the new install.
Murf
October 13th, 2007, 12:53 AM
Hi sstacy65,
If you don't want to clean the system first and still have some infections, then your only choice is to wipe the drive clean and install the VISTA you bought.
Problem is you will lose everything on that drive, emails, favorites, any programs you have installed. Is that a problem??
Yes you could upgrade your XP to VISTA to maintain these items, but I would not advise doing that as any infection you have will stay there.
Several questions?
1. Do you have the program cd's to reinstall any of your programs?
2. Have you run the VISTA upgrade advisor (http://www.microsoft.com/windows/products/windowsvista/buyorupgrade/upgradeadvisor.mspx) to ensure your system will accept VISTA?
If you want to upgrade, then you need to clean it up first, which TOM in CS has helped you do.
Let us know.
sstacy65
October 16th, 2007, 11:47 AM
As I hardly have anything on my computer, what there is, I'm not worried about losing. I have always made paper copies of anything I saved just in case anything was ever to happen.
I only decided to upgrade to Vista because I was under the impression doing so would take out all the infection. Really I don't care much for Vista. If installing Vista, the infected areas will come along with it, then that really just defeats the purpose. I'm willing to do whatever it takes to clean out completely, all the infected areas of my pc. I'm not against reformatting, I can handle that. I'd rather not have the Vista. Now as far as system software, cd's, or discs, I do not have them. I purchased this from an ad in the paper. The person builds and rebuilds pc's. Mine has Windows XP SP2. When purchased I was given no software or discs at all. Will this be a problem for what we do next? I do have software but it just didn't come with this pc. I'm ready to take whatever course you know is best. I trust you 100%. LOL Lead the way. :thumbsup: