September 5th, 2007 01:00

HijackThis --- Newpoly Win 32

I have the NewPoly Win 32 virus.  My McAfee virus scan continually pops up with it, saying that it is in either some volume controller file or in system32\11181092ld.exe
 
Here is the script:
 
Logfile of HijackThis v1.99.1
Scan saved at 10:32:38 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Media\aolsw.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1167420152\ee\AOLSoftware.exe
C:\WINDOWS\system32\ab.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\Common Files\AOL\1167420152\ee\anotify.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167420152\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iudctgs] C:\WINDOWS\system32\iudctgs.exe
O4 - HKLM\..\Run: [hbigwzuokgrf] C:\WINDOWS\system32\hbigwzuokgrf.exe
O4 - HKLM\..\Run: [wdiuvdsufvsk] C:\WINDOWS\system32\wdiuvdsufvsk.exe
O4 - HKLM\..\Run: [it] C:\WINDOWS\system32\it.exe
O4 - HKLM\..\Run: [rpveotrreqkp] C:\WINDOWS\system32\rpveotrreqkp.exe
O4 - HKLM\..\Run: [gjvgpoqqpv] C:\WINDOWS\system32\gjvgpoqqpv.exe
O4 - HKLM\..\Run: [drmyvolmfm] C:\WINDOWS\system32\drmyvolmfm.exe
O4 - HKLM\..\Run: [xjufnz] C:\WINDOWS\system32\xjufnz.exe
O4 - HKLM\..\Run: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKLM\..\Run: [oiupgnwxfpb] C:\WINDOWS\system32\oiupgnwxfpb.exe
O4 - HKLM\..\Run: [phzkvefb] C:\WINDOWS\system32\phzkvefb.exe
O4 - HKLM\..\Run: [hyeumy] C:\WINDOWS\system32\hyeumy.exe
O4 - HKLM\..\Run: [tnnt] C:\WINDOWS\system32\tnnt.exe
O4 - HKLM\..\Run: [bnfhwz] C:\WINDOWS\system32\bnfhwz.exe
O4 - HKLM\..\Run: [snjlprpk] C:\WINDOWS\system32\snjlprpk.exe
O4 - HKLM\..\Run: [meipiajaodtf] C:\WINDOWS\system32\meipiajaodtf.exe
O4 - HKLM\..\Run: [wecfd] C:\WINDOWS\system32\wecfd.exe
O4 - HKLM\..\Run: [ljci] C:\WINDOWS\system32\ljci.exe
O4 - HKLM\..\Run: [grgyfblszywp] C:\WINDOWS\system32\grgyfblszywp.exe
O4 - HKLM\..\Run: [ottmgm] C:\WINDOWS\system32\ottmgm.exe
O4 - HKLM\..\Run: [dmyxfl] C:\WINDOWS\system32\dmyxfl.exe
O4 - HKLM\..\Run: [cazppoi] C:\WINDOWS\system32\cazppoi.exe
O4 - HKLM\..\Run: [zsubqjorhwj] C:\WINDOWS\system32\zsubqjorhwj.exe
O4 - HKLM\..\Run: [hwxmuvvs] C:\WINDOWS\system32\hwxmuvvs.exe
O4 - HKLM\..\Run: [hsuw] C:\WINDOWS\system32\hsuw.exe
O4 - HKLM\..\Run: [xhax] C:\WINDOWS\system32\xhax.exe
O4 - HKLM\..\Run: [boymi] C:\WINDOWS\system32\boymi.exe
O4 - HKLM\..\Run: [ymxikheor] C:\WINDOWS\system32\ymxikheor.exe
O4 - HKLM\..\Run: [wqewao] C:\WINDOWS\system32\wqewao.exe
O4 - HKLM\..\Run: [vrwktnjeact] C:\WINDOWS\system32\vrwktnjeact.exe
O4 - HKLM\..\Run: [eqikgr] C:\WINDOWS\system32\eqikgr.exe
O4 - HKLM\..\Run: [xseu] C:\WINDOWS\system32\xseu.exe
O4 - HKLM\..\Run: [nvlc] C:\WINDOWS\system32\nvlc.exe
O4 - HKLM\..\Run: [znz] C:\WINDOWS\system32\znz.exe
O4 - HKLM\..\Run: [amgccd] C:\WINDOWS\system32\amgccd.exe
O4 - HKLM\..\Run: [pyoow] C:\WINDOWS\system32\pyoow.exe
O4 - HKLM\..\Run: [ywhiv] C:\WINDOWS\system32\ywhiv.exe
O4 - HKLM\..\Run: [hmdyfzqdcaiv] C:\WINDOWS\system32\hmdyfzqdcaiv.exe
O4 - HKLM\..\Run: [joeprwi] C:\WINDOWS\system32\joeprwi.exe
O4 - HKLM\..\Run: [fyzrh] C:\WINDOWS\system32\fyzrh.exe
O4 - HKLM\..\Run: [osvrlj] C:\WINDOWS\system32\osvrlj.exe
O4 - HKLM\..\Run: [xwiw] C:\WINDOWS\system32\xwiw.exe
O4 - HKLM\..\Run: [ynoqwzijyue] C:\WINDOWS\system32\ynoqwzijyue.exe
O4 - HKLM\..\RunServices: [drmyvolmfm] C:\WINDOWS\system32\drmyvolmfm.exe
O4 - HKLM\..\RunServices: [iudctgs] C:\WINDOWS\system32\iudctgs.exe
O4 - HKLM\..\RunServices: [xjufnz] C:\WINDOWS\system32\xjufnz.exe
O4 - HKLM\..\RunServices: [hmdyfzqdcaiv] C:\WINDOWS\system32\hmdyfzqdcaiv.exe
O4 - HKLM\..\RunServices: [ynoqwzijyue] C:\WINDOWS\system32\ynoqwzijyue.exe
O4 - HKLM\..\RunServices: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167406600296
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spy Watch (AOL-SPY_Watch) - Unknown owner - C:\WINDOWS\Media\aolsw.exe
O23 - Service: Print Spooler Service (feueefisai4iqgi) - Unknown owner - C:\WINDOWS\system32\xseu.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
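As an added example (not part of the original thread, and not something HijackThis or SDFix ships), here is the kind of first-pass triage a helper applies by eye to the O4, O20 and O23 lines of a log like the one above, written out in Python so it runs offline over pasted log text. It flags autostart entries in system32 whose file name is not on a short allow-list, anything under the RunServices key (a Windows 9x-era key that XP itself does not use, so only software that has no business there writes it), Winlogon Notify DLLs outside the allow-list, and services with no company name in their version information ("Unknown owner") whose image lives under C:\WINDOWS. The allow-lists are assumptions built from the known-good names in this particular log, the sample lines are copied from it, and every rule is a heuristic, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumed allow-lists for this machine (XP SP2, Intel graphics): the names that
# legitimately autostart from system32 in the log above.  Extend per machine.
KNOWN_SYSTEM32_AUTOSTART = {"ctfmon.exe", "hkcmd.exe", "igfxpers.exe", "igfxtray.exe", "dumprep"}
KNOWN_WINLOGON_NOTIFY = {"igfxdev.dll", "wgalogon.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^)]*)\))? - (?P<owner>.*?) - (?P<path>.*)$")

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iudctgs] C:\WINDOWS\system32\iudctgs.exe
O4 - HKLM\..\Run: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKLM\..\RunServices: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Spy Watch (AOL-SPY_Watch) - Unknown owner - C:\WINDOWS\Media\aolsw.exe
O23 - Service: Print Spooler Service (feueefisai4iqgi) - Unknown owner - C:\WINDOWS\system32\xseu.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""


@dataclass
class Finding:
    line: str
    reason: str


def _image_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, leaving the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(\S.*?\.(?:exe|dll|scr|com))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def _under_windows(path: str) -> bool:
    return path.lower().startswith(("c:\\windows\\", "%windir%\\", "%systemroot%\\"))


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O20/O23 lines that deserve a second look, with the rule that fired."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            path = _image_path(m["cmd"])
            name = _basename(path)
            if m["key"].lower().startswith("runservices"):
                findings.append(Finding(line, f"{name}: RunServices is a Windows 9x key that XP itself does not use"))
            elif _in_system32(path) and name not in KNOWN_SYSTEM32_AUTOSTART:
                findings.append(Finding(line, f"{name}: unrecognised autostart in system32"))
        elif m := O20_RE.match(line):
            name = _basename(m["path"])
            if name not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(line, f"{name}: Winlogon Notify DLL not on the allow-list"))
        elif m := O23_RE.match(line):
            # "Unknown owner" means the binary carries no company name; combined with an
            # image under the Windows directory that is how the two rogue services stand out.
            if m["owner"] == "Unknown owner" and _under_windows(m["path"]):
                findings.append(Finding(line, f"{m['svc'] or m['display']}: service with no version info running from the Windows directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On the sample it flags iudctgs.exe, both ab.exe entries, rpcc.dll, aolsw.exe and xseu.exe while leaving hkcmd, dumprep, ctfmon, the Intel and WGA notify DLLs, the Lexmark service and McAfee's McShield (unknown owner, but not under C:\WINDOWS) alone. The display name "Print Spooler Service" paired with the random service name feueefisai4iqgi is the detail a human would add to the rule set next.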
 


September 5th, 2007 14:00

kittois

Download SDFix and save it to your Desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(the drive that contains the Windows directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
CastleCops Instructor

MRU Graduate


"The world is what you make of it"


September 6th, 2007 03:00

I'm not sure that I posted this in the right place, but here is the log after running the fix.  Unbelievable how many trojans seem to be listed -----   I am curious as to (i) how much personal information this log shows to someone that can read it and really understand it (unlike me) and (ii) whether it demonstrates how corrupt my operating system was overall, and if so how bad was it?  Hopefully I will discover that it isn't any more --- we'll see!! Thanks.

SDFix: Version 1.102
Run by MILISSA MURRAY on Wed 09/05/2007 at 11:38 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Name:              ImagePath:
AOL-SPY_Watch      "C:\WINDOWS\Media\aolsw.exe"
feueefisai4iqgi    C:\WINDOWS\system32\ywhiv.exe /service

AOL-SPY_Watch - Deleted
feueefisai4iqgi - Deleted
 
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\SYSTEM32\CQVDEBNQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\D.EXE - Deleted
C:\WINDOWS\SYSTEM32\IUDCTGS.EXE - Deleted
C:\WINDOWS\SYSTEM32\IVO.EXE - Deleted
C:\WINDOWS\SYSTEM32\UCKMLCQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\VEBGWH.EXE - Deleted
C:\WINDOWS\SYSTEM32\ALDBE.EXE - Deleted
C:\WINDOWS\SYSTEM32\ARCIPX~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\BZXF.EXE - Deleted
C:\WINDOWS\SYSTEM32\EUXAYJ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\FEKINL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\HBIGWZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\HQXZKS~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\HWEZDBTU.EXE - Deleted
C:\WINDOWS\SYSTEM32\I.EXE - Deleted
C:\WINDOWS\SYSTEM32\JZIKEA.EXE - Deleted
C:\WINDOWS\SYSTEM32\KPGRBK~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\LBX.EXE - Deleted
C:\WINDOWS\SYSTEM32\LDYOLX~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\MXAHFQ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\QFQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\SERKIJE.EXE - Deleted
C:\WINDOWS\SYSTEM32\TDJOSP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\THOELRI.EXE - Deleted
C:\WINDOWS\SYSTEM32\XDRIIF~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZRUYOG~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\DUHLPB~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GKTRKU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GTV.EXE - Deleted
C:\WINDOWS\SYSTEM32\NOE.EXE - Deleted
C:\WINDOWS\SYSTEM32\SQR.EXE - Deleted
C:\WINDOWS\SYSTEM32\XJVNRA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\BQRLYV.EXE - Deleted
C:\WINDOWS\SYSTEM32\BUHEEL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\CTTBKK~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\JOEPRWI.EXE - Deleted
C:\WINDOWS\SYSTEM32\N.EXE - Deleted
C:\WINDOWS\SYSTEM32\NKPEZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\PHZKVEFB.EXE - Deleted
C:\WINDOWS\SYSTEM32\XJUFNZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\YDTA.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZSUBQJ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZPBJSR.EXE - Deleted
C:\WINDOWS\SYSTEM32\JVC.EXE - Deleted
C:\WINDOWS\SYSTEM32\WVBLNODU.EXE - Deleted
C:\WINDOWS\SYSTEM32\JJHNRN~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\YNOQWZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\BNFHWZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\DRMYVO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\CAZPPOI.EXE - Deleted
C:\WINDOWS\SYSTEM32\IT.EXE - Deleted
C:\WINDOWS\SYSTEM32\OQVBLRKA.EXE - Deleted
C:\WINDOWS\SYSTEM32\PESHWO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\UQWM.EXE - Deleted
C:\WINDOWS\SYSTEM32\WDIUVD~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WWY.EXE - Deleted
C:\WINDOWS\SYSTEM32\DMWCK.EXE - Deleted
C:\WINDOWS\SYSTEM32\HLAMOIOD.EXE - Deleted
C:\WINDOWS\SYSTEM32\HYEUMY.EXE - Deleted
C:\WINDOWS\SYSTEM32\LJCI.EXE - Deleted
C:\WINDOWS\SYSTEM32\NXXX.EXE - Deleted
C:\WINDOWS\SYSTEM32\OYJKHY~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PDIMVT~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\SNJLPRPK.EXE - Deleted
C:\WINDOWS\SYSTEM32\YWHIV.EXE - Deleted
C:\WINDOWS\SYSTEM32\AB.EXE - Deleted
C:\WINDOWS\SYSTEM32\DXOG.EXE - Deleted
C:\WINDOWS\SYSTEM32\ERTQD.EXE - Deleted
C:\WINDOWS\SYSTEM32\HMDYFZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\JZLMGL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KKAZZPUU.EXE - Deleted
C:\WINDOWS\SYSTEM32\NEMLOI.EXE - Deleted
C:\WINDOWS\SYSTEM32\NHLEBGIE.EXE - Deleted
C:\WINDOWS\SYSTEM32\OWERHX.EXE - Deleted
C:\WINDOWS\SYSTEM32\PWQXDG.EXE - Deleted
C:\WINDOWS\SYSTEM32\RPVEOT~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZKXJVZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZRO.EXE - Deleted
C:\WINDOWS\SYSTEM32\MEIPIA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\OSFAEV~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\OUAMNL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PDT.EXE - Deleted
C:\WINDOWS\SYSTEM32\RJZFLM.EXE - Deleted
C:\WINDOWS\SYSTEM32\XWIW.EXE - Deleted
C:\WINDOWS\SYSTEM32\DZPXTR~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ISMWKZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ITXNBA~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PSVIIEQO.EXE - Deleted
C:\WINDOWS\SYSTEM32\PYOOW.EXE - Deleted
C:\WINDOWS\SYSTEM32\TTRPVME.EXE - Deleted
C:\WINDOWS\SYSTEM32\VAMONA.EXE - Deleted
C:\WINDOWS\SYSTEM32\AMGCCD.EXE - Deleted
C:\WINDOWS\SYSTEM32\FYZRH.EXE - Deleted
C:\WINDOWS\SYSTEM32\K.EXE - Deleted
C:\WINDOWS\SYSTEM32\OSVRLJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\RLBWLQ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GRGYFB~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\PBQVYKNQ.EXE - Deleted
C:\WINDOWS\SYSTEM32\ISPJHU~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\LB.EXE - Deleted
C:\WINDOWS\SYSTEM32\NVLC.EXE - Deleted
C:\WINDOWS\SYSTEM32\TNNT.EXE - Deleted
C:\WINDOWS\SYSTEM32\XSEU.EXE - Deleted
C:\WINDOWS\SYSTEM32\YMXIKH~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\AIN.EXE - Deleted
C:\WINDOWS\SYSTEM32\FRZDVGP.EXE - Deleted
C:\WINDOWS\SYSTEM32\KWDWCS~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\OTTMGM.EXE - Deleted
C:\WINDOWS\SYSTEM32\OUJLIFU.EXE - Deleted
C:\WINDOWS\SYSTEM32\XCYIXQ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\DMYXFL.EXE - Deleted
C:\WINDOWS\SYSTEM32\HWXMUVVS.EXE - Deleted
C:\WINDOWS\SYSTEM32\VRWKTN~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WKAYSE~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\YY.EXE - Deleted
C:\WINDOWS\SYSTEM32\XHAX.EXE - Deleted
C:\WINDOWS\SYSTEM32\AETHKP~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\GJVGPO~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\OIUPGN~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\OWFVNB~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\W.EXE - Deleted
C:\WINDOWS\SYSTEM32\YKZQFJ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\RUUDIL~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WAXZP.EXE - Deleted
C:\WINDOWS\SYSTEM32\Q.EXE - Deleted
C:\WINDOWS\SYSTEM32\TGWWWYO.EXE - Deleted
C:\WINDOWS\SYSTEM32\WQEWAO.EXE - Deleted
C:\WINDOWS\SYSTEM32\EQIKGR.EXE - Deleted
C:\WINDOWS\SYSTEM32\AFRNMHU.EXE - Deleted
C:\WINDOWS\SYSTEM32\BOYMI.EXE - Deleted
C:\WINDOWS\SYSTEM32\WECFD.EXE - Deleted
C:\WINDOWS\SYSTEM32\APOGTM~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\KESUNGIU.EXE - Deleted
C:\WINDOWS\SYSTEM32\LF.EXE - Deleted
C:\WINDOWS\SYSTEM32\WNPADN~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\ZNZ.EXE - Deleted
C:\WINDOWS\SYSTEM32\HSUW.EXE - Deleted
C:\WINDOWS\TEMP\LAJUEIJT\GGAB.EXE - Deleted
C:\WINDOWS\TEMP\UVJTOY~1\SWGBHQI.EXE - Deleted
C:\WINDOWS\TEMP\UZOL\JKFAEM.EXE - Deleted
C:\WINDOWS\Media\aolsw.exe  - Deleted
C:\WINDOWS\system32\i.exe  - Deleted
C:\WINDOWS\system32\rpcc.dll  - Deleted
C:\WINDOWS\system32\w.exe  - Deleted
 
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
 
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
 

Final Check:
Remaining Services:
------------------
 
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1107729329\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1107729329\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Disabled:LEXPPS.EXE"
"C:\\WINDOWS\\system32\\spcauth.exe"="C:\\WINDOWS\\system32\\spcauth.exe:*:Enabled:AOL"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe"="C:\\Program Files\\WinAntiVirus Pro 2006\\Updater.exe:*:Enabled:updater.exe"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1167398347\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1167398347\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1167398347\\ee\\AOLOpenRide.exe"="C:\\Program Files\\Common Files\\AOL\\1167398347\\ee\\AOLOpenRide.exe:*:Enabled:AOL OpenRide"
"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\1167420152\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1167420152\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
"C:\\Program Files\\AOL 9.0a\\waol.exe"="C:\\Program Files\\AOL 9.0a\\waol.exe:*:Enabled:AOL"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
C:\Program Files\AOL 9.0\AOLphx.exe
C:\Program Files\AOL 9.0\AOLphxex.exe
C:\Program Files\AOL 9.0\rbm.exe
C:\Program Files\AOL 9.0a\AOLphx.exe
C:\Program Files\AOL 9.0a\AOLphxex.exe
C:\Program Files\AOL 9.0a\rbm.exe
C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe
C:\Documents and Settings\JACOB FOX\Application Data\Microsoft\Templates\~WRL0776.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Templates\~WRL0222.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Templates\~WRL3596.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0005.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0233.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0248.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL0589.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL1158.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL1852.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL1881.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL1921.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL3289.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL3329.tmp
C:\Documents and Settings\MARLEE FOX\Application Data\Microsoft\Word\~WRL3447.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@R1E5.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@R1E7.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@R1E9.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@R1EB.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@S1E6.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@S1E8.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@S1EA.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@S1EC.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\~$mso271.tmp
C:\Documents and Settings\MARLEE FOX\My Documents\Poetry\~WRL0443.tmp
C:\Documents and Settings\MILISSA MURRAY\Application Data\Microsoft\Templates\~WRL1988.tmp
C:\Documents and Settings\MILISSA MURRAY\Application Data\Microsoft\Templates\~WRL2741.tmp
C:\Documents and Settings\MILISSA MURRAY\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\MILISSA MURRAY\Application Data\Microsoft\Word\~WRL0796.tmp
Finished
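The SDFix report lists deleted files in 8.3 short-name form (HBIGWZ~1.EXE, YNOQWZ~1.EXE) while the HijackThis log names the same files in full (hbigwzuokgrf.exe, ynoqwzijyue.exe), so reconciling the two by eye is error-prone. As an added example, not part of the thread or of either tool, here is a Python reconciliation that takes the O4/O20 autostart targets from a HijackThis log and reports the ones the SDFix deletion list does not account for, with a short-name matcher for the ~N aliases. The sample lines are a constructed subset of the two reports above; the two lines it leaves over (the WinAntiVirus Pro 2006 and MyWebSearch autostarts) are reported only because SDFix did not list them, which is exactly what the next HijackThis log should be checked against. The matcher compares only the six-character prefix, so it cannot tell HBIGWZ~1 from HBIGWZ~2 and deliberately errs on the side of reporting a match.

```python
import re
from typing import List, Set, Tuple

# Constructed subset of the first HijackThis log in this thread.
HJT_LINES = r"""
O4 - HKLM\..\Run: [iudctgs] C:\WINDOWS\system32\iudctgs.exe
O4 - HKLM\..\Run: [hbigwzuokgrf] C:\WINDOWS\system32\hbigwzuokgrf.exe
O4 - HKLM\..\Run: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKLM\..\RunServices: [ab] C:\WINDOWS\system32\ab.exe
O4 - HKLM\..\Run: [ynoqwzijyue] C:\WINDOWS\system32\ynoqwzijyue.exe
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
"""

# Constructed subset of the SDFix report above.
SDFIX_REPORT = r"""
Trojan Files Found:
C:\WINDOWS\SYSTEM32\IUDCTGS.EXE - Deleted
C:\WINDOWS\SYSTEM32\HBIGWZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\YNOQWZ~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\AB.EXE - Deleted
C:\WINDOWS\system32\rpcc.dll  - Deleted
"""

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<path>.*)$")
DELETED_RE = re.compile(r"^(?P<path>\S.*?)\s+- Deleted$")


def _image_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, leaving the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(\S.*?\.(?:exe|dll|scr|com))(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def _dir_and_file(path: str) -> Tuple[str, str]:
    path = path.lower().replace("/", "\\")
    d, _, f = path.rpartition("\\")
    return d, f


def _stem_ext(name: str) -> Tuple[str, str]:
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")


def short_name_matches(long_name: str, short_name: str) -> bool:
    """True if short_name equals long_name or could be its 8.3 alias (FIRST6~N.EXT).

    Windows builds the alias from the leading characters of the long name with
    spaces and extra dots removed and the extension cut to three characters.
    The ~N counter cannot be verified offline, so the prefix alone decides.
    """
    long_name, short_name = long_name.lower(), short_name.lower()
    if long_name == short_name:
        return True
    l_stem, l_ext = _stem_ext(long_name)
    s_stem, s_ext = _stem_ext(short_name)
    if "~" not in s_stem or l_ext[:3] != s_ext:
        return False
    prefix = s_stem.split("~", 1)[0]
    compact = re.sub(r"[ .]", "", l_stem)
    return bool(prefix) and compact.startswith(prefix)


def deleted_files(report: str) -> Set[str]:
    """Lower-cased paths of every '<path> - Deleted' line in an SDFix report."""
    out: Set[str] = set()
    for line in report.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            out.add(m["path"].lower())
    return out


def accounted_for(target: str, deleted: Set[str]) -> bool:
    """Directory must match exactly; the file name may match via its 8.3 alias."""
    t_dir, t_file = _dir_and_file(target)
    return any(d_dir == t_dir and short_name_matches(t_file, d_file)
               for d_dir, d_file in map(_dir_and_file, deleted))


def unresolved_autostarts(hjt_log: str, sdfix_report: str) -> List[str]:
    """O4/O20 lines whose target file does not appear in the SDFix deletion list."""
    deleted = deleted_files(sdfix_report)
    left: List[str] = []
    for line in hjt_log.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            target = _image_path(m["cmd"])
        elif m := O20_RE.match(line):
            target = m["path"].strip()
        else:
            continue
        if not accounted_for(target, deleted):
            left.append(line)
    return left


if __name__ == "__main__":
    for line in unresolved_autostarts(HJT_LINES, SDFIX_REPORT):
        print("not covered by SDFix:", line)
```

Directory names are compared literally, so a target written with a short-name directory (C:\PROGRA~1\...) will never match a deletion listed under the long directory name; the output over-reports in that case rather than silently dropping an entry, which is the right failure mode for a cleanup check.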


September 6th, 2007 14:00

kittois

Quote: I'm not sure that I posted this in the right place, but here is the log after running the fix. Unbelievable how many trojans seem to be listed ----- I am curious as to (i) how much personal information this log shows to someone that can read it and really understand it (unlike me) and (ii) whether it demonstrates how corrupt my operating system was overall, and if so how bad was it? Hopefully I will discover that it isn't any more --- we'll see!! Thanks.

You posted in the right place. Yes, you had a pretty good infection.
As far as any of these logs revealing any personal information goes, the only thing that is revealed, in some cases, is the name the PC is registered to. Like so:
  • C:\Documents and Settings\MILISSA MURRAY

We would not request anything that would compromise any personal information.

Rerun Hijackthis and post a fresh Hijackthis log




Message Edited by bamajim on 09-06-2007 10:21 AM
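The account names in C:\Documents and Settings\... paths and in the SDFix "Run by" header are the one personal detail these reports carry, and a poster who would rather not publish them can scrub them before pasting without making the log useless to a helper. As an added example (not part of the thread, and not a feature of either tool), the Python below replaces every account name with a stable USERn token, so the helper can still tell which profile a line belongs to, and also handles the two cases a naive search-and-replace misses: the 8.3 short form of a profile path (DOCUME~1\MILISS~1 leaks the first six letters of the name) and the non-personal profile folders such as All Users, which must stay readable. The sample lines are constructed from the reports above; the short-name path and the All Users line are assumptions added for the edge cases and do not appear in the original report.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the SDFix report and HijackThis log above.
# The DOCUME~1\MILISS~1 path and the All Users line are added assumptions.
SAMPLE = r"""
Run by MILISSA MURRAY on Wed 09/05/2007 at 11:38 PM
C:\Documents and Settings\JACOB FOX\Application Data\Microsoft\Templates\~WRL0776.tmp
C:\Documents and Settings\MARLEE FOX\Local Settings\Temp\Z@R1E5.tmp
C:\Documents and Settings\MILISSA MURRAY\Application Data\Microsoft\Word\~WRL0003.tmp
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
C:\DOCUME~1\MILISS~1\LOCALS~1\Temp\Z@R1E7.tmp
O4 - HKLM\..\Run: [ab] C:\WINDOWS\system32\ab.exe
"""

# Profile folders that are not personal and must stay readable for the helper.
SYSTEM_PROFILES = {"ALL USERS", "DEFAULT USER", "LOCALSERVICE", "NETWORKSERVICE"}

# An account name appears after "Documents and Settings\" in a path, or between
# "Run by " and " on " in the SDFix header line.
NAME_RE = re.compile(
    r"(?im)(?P<pre>Documents and Settings\\|^Run by )(?P<name>[^\\\r\n]+?)(?P<post>\\|$| on )"
)


def redact_account_names(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace every Windows account name with a stable USERn token.

    Returns the scrubbed text and the name-to-token mapping; the poster keeps
    the mapping locally and pastes only the scrubbed text.
    """
    aliases: Dict[str, str] = {}

    def repl(m) -> str:
        key = m["name"].strip().upper()
        if key in SYSTEM_PROFILES:
            return m.group(0)
        # Tokens are handed out in order of first appearance, so the same
        # account always gets the same token across both patterns.
        token = aliases.setdefault(key, f"USER{len(aliases) + 1}")
        return m["pre"] + token + m["post"]

    out = NAME_RE.sub(repl, text)
    # 8.3 short names keep the first six characters of the long name (spaces
    # and punctuation dropped) followed by ~N, so scrub those forms too.
    for key, token in aliases.items():
        prefix = re.sub(r"[^A-Z0-9]", "", key)[:6]
        if prefix:
            out = re.sub(rf"(?i)\b{re.escape(prefix)}~\d+", token, out)
    return out, aliases


if __name__ == "__main__":
    scrubbed, mapping = redact_account_names(SAMPLE)
    print(scrubbed)
    print("mapping kept locally:", mapping)
```

Nothing else in the report is touched, so the file names, registry keys and services the helper actually needs stay intact.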


September 7th, 2007 11:00

As promised, I re-ran HijackThis, now that the virus NewPoly Win 32 appears to be back.  Here is the log:
 
 
Logfile of HijackThis v1.99.1
Scan saved at 8:13:57 AM, on 9/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Picasa\PicasaMediaDetector.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1167420152\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Common Files\AOL\Topspeed\3.0\aoltpsd3.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167420152\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm028YYUS
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167406600296
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

65 Posts

September 7th, 2007 11:00

Thanks for the update.  All was well for about a day and a half, but now I just received another McAfee Message that "The file nC:\System Volume Information\_restoreE586002E-AC25-4A79-BOCC-3442BAQ99B6\RP828\A0180887.exe is infected by the New Poly Win32 Virus and cannot be cleaned."
 
Do I run the cleaner again? I noted that you said to rerun HijackThis and produce a new log -- I will follow up and do that. Thanks.

10.4K Posts

September 7th, 2007 14:00

kittois

QUOTE
Thanks for the update. All was well for about a day and a half, but now I just received another McAfee Message that "The file nC:\System Volume Information\_restoreE586002E-AC25-4A79-BOCC-3442BAQ99B6\RP828\A0180887.exe is infected by the New Poly Win32 Virus and cannot be cleaned."


The warning you are getting from McAfee is from a system restore folder which does not pose an infection threat unless you use system restore. We will clean that file in closing.

1. Please perform an Ewido Online Malware Scan

  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found, (After you save the logfile), Click on Remove Infections.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

65 Posts

September 8th, 2007 03:00

Thanks for your latest. 
 
I tried to log on to ewido.net and perform the scan as you directed, but it wouldn't let me. I got to the Ewido web site but no dialog box would come up, and it said "error" on the Ewido web page -- in the actual text above the empty box that seems to appear in the middle of that page. Not finding what I expected to find, I clicked the "scan" button and nothing much happened, so I clicked through to the download section and downloaded a trial copy of the Awgas software. When I went to run it, I got the "BIG BLUE PAGE" telling me something generally to the effect that there was a danger to my computer and that it had to be shut down. So I shut down and restarted the computer and got the BIG BLUE PAGE again -- a couple of times -- so I restarted in Safe Mode and removed the Awgas program. When I started up again things seemed to be okay for the most part, except that I received a couple of Microsoft Error Report messages that I had to click through to get into my ISP to send you this message. For what it's worth though, the McAfee virus box telling me about the winpoly 32 virus hasn't opened this time around ----- yet.
 
Any ideas as to what to do now?

10.4K Posts

September 9th, 2007 12:00

kittois

The blue screen is not good. It may be an indication of a different problem.

Please download Combofix and save to your desktop:
  • Note: It is important that it is saved directly to your desktop.
  • Close any open browsers.
  • Double click on combofix.exe and follow the prompts.
  • When it's finished it will produce a log.
  • Post the contents of the C:\ComboFix.txt into your next reply.
  • Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"

65 Posts

September 13th, 2007 02:00

This is E-MAIL TWO of TWO>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 00:05 --------- d-------- C:\DOCUME~1\DOUGLA~1\APPLIC~1\AOL
2007-09-04 23:27 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-04 23:22 --------- d-------- C:\Program Files\Common Files\AOL
2007-09-04 23:21 --------- d-------- C:\Program Files\Common Files\aolshare
2007-09-04 23:19 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-03 12:56 --------- d-------- C:\Program Files\MSN Messenger
2007-09-03 12:13 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-03 12:04 --------- d-------- C:\Program Files\iWin Games
2007-09-03 12:03 --------- d-------- C:\Program Files\iWin.com
2007-09-03 11:14 --------- d-------- C:\Program Files\Shockwave.com
2007-08-31 14:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HP
2007-08-30 00:35 --------- d-------- C:\Program Files\Zango
2007-08-05 15:00 --------- d-------- C:\Program Files\AOL Games
2007-08-05 15:00 --------- d-------- C:\DOCUME~1\MILISS~1\APPLIC~1\FloodLightGames
2007-08-05 15:00 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FloodLightGames
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-17 00:28 205824 --a------ C:\WINDOWS\system32\mvmrqys.exe
2007-06-16 21:42 205824 --a------ C:\WINDOWS\system32\djgb.exe
2007-06-16 18:53 205824 --a------ C:\WINDOWS\system32\awv.exe
2007-06-16 15:06 205824 --a------ C:\WINDOWS\system32\zhiudbr.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-02-26 21:08 774144 --a--c--- C:\Program Files\RngInterstitial.dll
2006-09-03 12:25 389632 --a--c--- C:\DOCUME~1\DOUGLA~1\remote.exe
2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
 
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 19:02]
"VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 22:50]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-02-06 18:36]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe" [2002-05-18 13:04]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 19:10]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 12:00]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-10-15 15:59]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QMusic2"="C:\Program Files\BenQ\QMusic2\QMAgent.exe" [2004-10-04 14:11]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 14:49]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 14:46]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 14:50]
"LifeScape Media Detector"="C:\Program Files\Picasa\PicasaMediaDetector.exe" [2006-08-29 22:58]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"HostManager"="C:\Program Files\Common Files\AOL\1167420152\ee\AOLSoftware.exe" [2007-04-12 17:23]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-14 22:15]
"AOL Fast Start"="C:\Program Files\AOL 9.0a\AOL.exe" [2007-04-18 02:49]
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56]
Verizon Online Support Center.lnk - C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe [2005-02-05 17:07:47]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-12-03 23:17:13]
C:\DOCUME~1\MILISS~1\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-12-26 23:33:13]
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-09-10 02:50:00 C:\WINDOWS\Tasks\McAfee.com Update Check (FOX-23MY2288RCI-DOUGLAS FOX).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-10 02:54:00 C:\WINDOWS\Tasks\McAfee.com Update Check (FOX-23MY2288RCI-JACOB FOX).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-10 02:52:00 C:\WINDOWS\Tasks\McAfee.com Update Check (FOX-23MY2288RCI-MARLEE FOX).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
"2007-09-10 02:01:12 C:\WINDOWS\Tasks\McAfee.com Update Check (FOX-23MY2288RCI-MILISSA MURRAY).job"
- C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-09 22:50:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-09 22:54:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-09 22:54
.
 --- E O F ---
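Reading a ComboFix listing by eye is error-prone, so here is an added Python helper (written for this thread; it is not part of ComboFix, HijackThis or the forum) that parses the "Files Created" / "Find3M Report" line format and flags the pattern visible in the posted ComboFix output: runs of executables in one directory that share an exact byte size under throwaway names, such as the same-size files with random names in system32. The sample listing inside the script is constructed in that format, reusing a few file names from the posted log.

```python
"""Triage helper for ComboFix-style file listings (added example for this thread;
not a ComboFix, HijackThis or forum tool).  It parses the "Files Created" /
"Find3M Report" line format, e.g.

    2007-09-05 18:09 45,116 --a------ C:\\WINDOWS\\system32\\9488282ld.exe

and flags the dropper signature visible in the posted log: many executables in
one directory that share an exact byte size but carry throwaway names.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+|-+)\s+)?"  # byte size; Find3M prints '---------' for directories
    r"(?P<attrs>[-a-z]{9})\s+"       # attribute flags such as --a------ or d--------
    r"(?P<path>[A-Za-z]:\\.+)$"      # full path, may contain spaces
)
EXEC_EXT = (".exe", ".dll", ".scr", ".sys")


class Entry(NamedTuple):
    when: str
    size: int   # -1 when the line carries no size (directory entries)
    attrs: str
    path: str


def parse_listing(text: str) -> List[Entry]:
    """Parse every line in the listing format; banners and '.' rows are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        digits = (m["size"] or "").replace(",", "")
        size = int(digits) if digits.isdigit() else -1
        entries.append(Entry(f"{m['date']} {m['time']}", size, m["attrs"], m["path"]))
    return entries


def is_executable(e: Entry) -> bool:
    return not e.attrs.startswith("d") and e.path.lower().endswith(EXEC_EXT)


def digit_heavy(path: str) -> bool:
    """True when at least half of the file stem is digits, as in 9488282ld.exe."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return bool(stem) and 2 * sum(c.isdigit() for c in stem) >= len(stem)


def size_clusters(entries: List[Entry], min_members: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Group executables by (directory, byte size); keep groups of min_members or more.

    A legitimate batch (a Windows Update drop) shares a timestamp but not a size;
    a self-copying dropper shares the size while the name changes every run.
    """
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for e in entries:
        if is_executable(e) and e.size >= 0:
            directory = e.path.rsplit("\\", 1)[0].lower()
            groups[(directory, e.size)].append(e.path)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_members}


def triage(text: str) -> Dict[str, object]:
    entries = parse_listing(text)
    return {
        "clusters": size_clusters(entries),
        "digit_named": [e.path for e in entries if is_executable(e) and digit_heavy(e.path)],
    }


# Constructed sample in the posted format; a few file names are reused from the thread's log.
SAMPLE = r"""
(((((((((((((((((((((((((   Files Created from 2007-08-10 to 2007-09-10  )))))))))))))))))))))))))))))))
.
2007-09-09 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 23:36   d-------- C:\WINDOWS\ERUNT
2007-09-05 18:09 45,116 --a------ C:\WINDOWS\system32\9488282ld.exe
2007-09-05 17:59 45,116 --a------ C:\WINDOWS\system32\59202032ld.exe
2007-09-05 10:13 45,116 --a------ C:\WINDOWS\system32\1354532ld.exe
2007-09-03 11:37 8,858 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-06-17 00:28 205824 --a------ C:\WINDOWS\system32\mvmrqys.exe
2007-06-16 21:42 205824 --a------ C:\WINDOWS\system32\djgb.exe
2007-06-16 18:53 205824 --a------ C:\WINDOWS\system32\awv.exe
2007-09-06 00:05 --------- d-------- C:\DOCUME~1\DOUGLA~1\APPLIC~1\AOL
"""

if __name__ == "__main__":
    for (directory, size), paths in triage(SAMPLE)["clusters"].items():
        print(f"{len(paths)} executables of {size} bytes in {directory}: {', '.join(paths)}")
```

The two Windows Update files share a timestamp but not a size, so they are not flagged; the two same-size groups in system32 are.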
 

65 Posts

September 13th, 2007 02:00

With apologies for the delay, here is the ComboFix log.  I thought that I had posted this earlier but upon checking couldn't find it on the forum.  Thanks.
 
Kittois
 
PS:  Because of the character limit, I will post in two emails.  This is email ONE of TWO
ComboFix 07-09-10.2 - "MILISSA MURRAY" 2007-09-09 22:42:59.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.285 [GMT -4:00]
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\cursorcafe.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\cursorcafeA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\games.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\gamesA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\buttons\screensaverA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\contexts\Travel.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\cursorcafe.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\cursorcafeA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\games.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\gamesA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\screensaver.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\buttons\screensaverA.bmp
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\contexts\error.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\contexts\related.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\contexts\travel.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\contexts\Travel.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\ProductMessagingConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\SimpleUpdateConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\TimerManagerConfig.xml
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware\SimpleUpdate\TimerManagerConfig.xml.backup
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\DOUGLA~1\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\DOUGLA~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\DOUGLA~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\DOUGLA~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\DOUGLA~1\APPLIC~1\WinAntiVirus Pro 2006\PGE.dat
C:\DOCUME~1\DOUGLA~1\APPLIC~1\winantiviruspro2006freeinstall[1].exe
C:\DOCUME~1\DOUGLA~1\err.log
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\BrowserSearch\BrowserSearch.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\BrowserSearch\BrowserSearch.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ErrorSearch\ErrorSearchOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ErrorSearch\ErrorSearchOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Games\GamesOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Games\GamesOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Layouts\PreferencesLayout.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Layouts\PreferencesLayout.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Layouts\ToolbarLayout.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Layouts\ToolbarLayout.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Manager\ManagerOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Manager\ManagerOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\PopupBlocker\PopupBlockerOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\PopupBlocker\PopupBlockerOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Reference\ReferenceOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Reference\ReferenceOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\RelatedSearch\RelatedSearchOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\RelatedSearch\RelatedSearchOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Screensavers\ScreensaversOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Screensavers\ScreensaversOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\SearchMatch\SearchMatchOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\SearchMatch\SearchMatchOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Toolbar\TBProductsOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\Toolbar\TBProductsOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ToolbarLogo\ToolbarLogoOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ToolbarSearch\ToolbarSearchOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\TravelSearch\TravelSearchOptions.xml
C:\DOCUME~1\LOCALS~1\APPLIC~1\Starware\TravelSearch\TravelSearchOptions.xml.backup
C:\DOCUME~1\MARLEE~1\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\MARLEE~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\MARLEE~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\MARLEE~1\err.log
C:\DOCUME~1\MILISS~1\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\MILISS~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\MILISS~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\MILISS~1\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\MILISS~1\err.log
C:\Program Files\Common Files\winantivirus pro 2006
C:\Program Files\Common Files\WinAntiVirus Pro 2006\err.log
C:\Program Files\Common Files\winantivirus pro 2006\err.log
C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
C:\Program Files\Common Files\winantivirus pro 2006\WapCHK.dll
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE_tobedeleted
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL_tobedeleted
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE_tobedeleted
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL_tobedeleted
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL_tobedeleted
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml
C:\Program Files\screensavers.com\Installer\bin\iebyterange.xml.backup
C:\Program Files\screensavers.com\Installer\bin\ScreensaversInst.dll
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Installer\temp\dm3E6.tmp
C:\Program Files\screensavers.com\Wallpaper\Shrek 2 - P*ss in Boots.jpg
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\winantivirus pro 2006
C:\Program Files\winantivirus pro 2006\msvcp71.dll
C:\Program Files\WinAntiVirus Pro 2006\msvcp71.dll
C:\Program Files\winantivirus pro 2006\msvcr71.dll
C:\Program Files\WinAntiVirus Pro 2006\msvcr71.dll
C:\WA6P
C:\WINDOWS\bck3.dat
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\stera.job
C:\WINDOWS\system32\stera.log

(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_FOPN
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\FOPN
-------\vspf
-------\vspf_hk

(((((((((((((((((((((((((   Files Created from 2007-08-10 to 2007-09-10  )))))))))))))))))))))))))))))))
.
2007-09-09 22:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-05 23:36   d-------- C:\WINDOWS\ERUNT
2007-09-05 18:09 45,116 --a------ C:\WINDOWS\system32\9488282ld.exe
2007-09-05 17:59 45,116 --a------ C:\WINDOWS\system32\59202032ld.exe
2007-09-05 10:13 45,116 --a------ C:\WINDOWS\system32\1354532ld.exe
2007-09-05 10:02 45,116 --a------ C:\WINDOWS\system32\2377182ld.exe
2007-09-05 09:51 45,116 --a------ C:\WINDOWS\system32\51567962ld.exe
2007-09-05 09:41 45,116 --a------ C:\WINDOWS\system32\41195782ld.exe
2007-09-05 09:30 45,116 --a------ C:\WINDOWS\system32\30502342ld.exe
2007-09-05 09:20 45,116 --a------ C:\WINDOWS\system32\20234532ld.exe
2007-09-05 09:09 45,116 --a------ C:\WINDOWS\system32\9563432ld.exe
2007-09-05 08:37 45,116 --a------ C:\WINDOWS\system32\37295002ld.exe
2007-09-05 08:27 45,116 --a------ C:\WINDOWS\system32\27102ld.exe
2007-09-05 08:16 45,116 --a------ C:\WINDOWS\system32\16244532ld.exe
2007-09-05 08:05 45,116 --a------ C:\WINDOWS\system32\531622ld.exe
2007-09-05 07:54 45,116 --a------ C:\WINDOWS\system32\54473752ld.exe
2007-09-04 23:35 45,116 --a------ C:\WINDOWS\system32\35557182ld.exe
2007-09-04 23:21   d-------- C:\Program Files\AOL 9.0a
2007-09-04 23:15 45,116 --a------ C:\WINDOWS\system32\15264842ld.exe
2007-09-04 22:55 45,116 --a------ C:\WINDOWS\system32\54592342ld.exe
2007-09-04 22:34 45,116 --a------ C:\WINDOWS\system32\3432462ld.exe
2007-09-04 22:14 45,116 --a------ C:\WINDOWS\system32\1444062ld.exe

10.4K Posts

September 13th, 2007 13:00

kittois

1. Open Notepad (not WordPad). Copy and paste the following into Notepad:

File::
C:\WINDOWS\system32\9488282ld.exe
C:\WINDOWS\system32\59202032ld.exe
C:\WINDOWS\system32\1354532ld.exe
C:\WINDOWS\system32\2377182ld.exe
C:\WINDOWS\system32\51567962ld.exe
C:\WINDOWS\system32\41195782ld.exe
C:\WINDOWS\system32\30502342ld.exe
C:\WINDOWS\system32\20234532ld.exe
C:\WINDOWS\system32\9563432ld.exe
C:\WINDOWS\system32\37295002ld.exe
C:\WINDOWS\system32\27102ld.exe
C:\WINDOWS\system32\16244532ld.exe
C:\WINDOWS\system32\531622ld.exe
C:\WINDOWS\system32\54473752ld.exe
C:\WINDOWS\system32\35557182ld.exe
C:\WINDOWS\system32\15264842ld.exe
C:\WINDOWS\system32\54592342ld.exe
C:\WINDOWS\system32\3432462ld.exe
C:\WINDOWS\system32\1444062ld.exe
C:\WINDOWS\system32\53373432ld.exe
C:\WINDOWS\system32\3391092ld.exe
C:\WINDOWS\system32\12425462ld.exe
C:\WINDOWS\system32\52134062ld.exe
C:\WINDOWS\system32\11181092ld.exe
C:\WINDOWS\system32\50405152ld.exe
C:\WINDOWS\system32\55107962ld.exe
C:\WINDOWS\system32\28447342ld.exe
C:\WINDOWS\system32\16433902ld.exe
C:\WINDOWS\system32\58432032ld.exe
C:\WINDOWS\system32\4044622ld.exe
C:\WINDOWS\system32\1644312ld.exe
C:\WINDOWS\system32\25432032ld.exe
C:\WINDOWS\system32\31442342ld.exe
C:\WINDOWS\system32\2172812ld.exe
C:\WINDOWS\system32\35506872ld.exe
C:\WINDOWS\system32\9235152ld.exe
C:\WINDOWS\system32\42557502ld.exe
C:\WINDOWS\system32\22276252ld.exe
C:\WINDOWS\system32\1577032ld.exe
C:\WINDOWS\system32\58476252ld.exe
C:\WINDOWS\system32\38181252ld.exe
C:\WINDOWS\system32\17461712ld.exe
C:\WINDOWS\system32\28184062ld.exe
C:\WINDOWS\system32\8149092ld.exe
C:\WINDOWS\system32\57405462ld.exe
C:\WINDOWS\system32\5178432ld.exe
C:\WINDOWS\system32\40294372ld.exe
C:\WINDOWS\system32\29517502ld.exe
C:\WINDOWS\system32\19135312ld.exe
C:\WINDOWS\system32\8383902ld.exe
C:\WINDOWS\system32\5826712ld.exe
C:\WINDOWS\system32\47279212ld.exe
C:\WINDOWS\system32\36527962ld.exe
C:\WINDOWS\system32\26184842ld.exe
C:\WINDOWS\system32\15441562ld.exe
C:\WINDOWS\system32\596872ld.exe
C:\WINDOWS\system32\54347652ld.exe
C:\WINDOWS\system32\4406872ld.exe
C:\WINDOWS\system32\33254532ld.exe
C:\WINDOWS\system32\22516562ld.exe
C:\WINDOWS\system32\12168282ld.exe
C:\WINDOWS\system32\1416402ld.exe
C:\WINDOWS\system32\5159842ld.exe
C:\WINDOWS\system32\4031622ld.exe
C:\WINDOWS\system32\2956932ld.exe
C:\WINDOWS\system32\964532ld.exe
C:\WINDOWS\system32\58119372ld.exe
C:\WINDOWS\system32\47312812ld.exe
C:\WINDOWS\system32\36549062ld.exe
C:\WINDOWS\system32\26197342ld.exe
C:\WINDOWS\system32\4375462ld.exe
C:\WINDOWS\system32\35243592ld.exe
C:\WINDOWS\system32\2461402ld.exe
C:\WINDOWS\system32\52176562ld.exe
C:\WINDOWS\system32\3953122ld.exe
C:\WINDOWS\system32\56448752ld.exe
C:\WINDOWS\system32\4613752ld.exe
C:\WINDOWS\system32\352302ld.exe
C:\WINDOWS\system32\24219212ld.exe
C:\WINDOWS\system32\13407342ld.exe
C:\WINDOWS\system32\337962ld.exe
C:\WINDOWS\system32\52171402ld.exe
C:\WINDOWS\system32\4125312ld.exe
C:\WINDOWS\system32\30472812ld.exe
C:\WINDOWS\system32\20199682ld.exe
C:\WINDOWS\system32\9536712ld.exe
C:\WINDOWS\system32\59257652ld.exe
C:\WINDOWS\system32\48453592ld.exe
C:\WINDOWS\system32\38132962ld.exe
C:\WINDOWS\system32\273502ld.exe
C:\WINDOWS\system32\16512342ld.exe
C:\WINDOWS\system32\659842ld.exe
C:\WINDOWS\system32\mvmrqys.exe
C:\WINDOWS\system32\djgb.exe
C:\WINDOWS\system32\awv.exe
C:\WINDOWS\system32\zhiudbr.exe


Save the file as CFScript (exactly as shown, no spaces) and save it to your Desktop.

Using the image as a reference, drag CFScript into ComboFix.exe.

  • You will be prompted to run ComboFix again. Do so, following the same rules as indicated in my first post, then post the contents of the C:\ComboFix.txt log in your reply.

It should be much shorter this time.

CastleCops Instructor

MRU Graduate


"The world is what you make of it"
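As an added example (my own code, not the thread's and not part of ComboFix), this automates what kittois did by hand above: parse listing lines in the "date time size attributes path" layout the logs in this thread use, flag the numeric-prefix ld.exe files of the 45,116-byte size seen here, and emit them in the File:: layout of the CFScript. The sample lines are constructed from the thread, and the name/size heuristic is an assumption about this particular infection, not a general signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the "date time size attributes path" layout that
# the ComboFix file listing uses in this thread (not the poster's full log).
SAMPLE_LOG = """\
2007-09-04 21:53 45,116 --a------ C:\\WINDOWS\\system32\\53373432ld.exe
2007-09-04 08:38   d-------- C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\AOL OCP
2007-09-03 11:37 8,858 --a------ C:\\WINDOWS\\system32\\tmp.reg
2007-09-03 09:32 53,248 --a------ C:\\WINDOWS\\system32\\Process.exe
2007-09-02 15:05 45,116 --a------ C:\\WINDOWS\\system32\\596872ld.exe
2007-08-31 17:50   45,116            --a------            C:\\WINDOWS\\system32\\50458752ld.exe
2007-09-02 15:05 45,116 --a------ C:\\WINDOWS\\system32\\596872ld.exe
.
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[-a-zA-Z]{9})\s+(?P<path>\S.*?)\s*$"
)

# Heuristic taken from the thread: every dropped file is <digits>ld.exe and
# exactly 45,116 bytes. Both are assumptions about this sample infection.
SUSPECT_NAME = re.compile(r"^\d+ld\.exe$", re.IGNORECASE)
SUSPECT_SIZE = 45116


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    size: Optional[int]   # directory entries carry no size column
    attrs: str
    path: str


def parse_combofix_lines(text: str) -> List[Entry]:
    """Parse listing lines; blank lines, '.' separators and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = int(m["size"].replace(",", "")) if m["size"] else None
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def is_suspect(entry: Entry) -> bool:
    """A plain file (not a 'd' directory) whose name and size fit the pattern."""
    name = entry.path.rsplit("\\", 1)[-1]
    return (entry.attrs[0] != "d"
            and entry.size == SUSPECT_SIZE
            and SUSPECT_NAME.match(name) is not None)


def build_cfscript(entries: List[Entry]) -> str:
    """Emit the File:: block in the layout kittois used; duplicates collapse."""
    paths = sorted({e.path for e in entries if is_suspect(e)}, key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_combofix_lines(SAMPLE_LOG)))
```

The duplicate sample line shows why the set is needed: the same paths recur across a log split over several posts.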

65 Posts

September 13th, 2007 19:00

POST 5
 


65 Posts

September 13th, 2007 19:00

post 4
 


65 Posts

September 13th, 2007 19:00

POST 2 -- I also received a note about invalid HTML when trying to send the last post

 

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


65 Posts

September 13th, 2007 19:00

Here is the log. I think that it will take three posts. This is the FIRST (I note also that ComboFix didn't re-reset the clock).
 
Thanks.
 

ComboFix 07-09-10.2 - "MILISSA MURRAY" 2007-09-13 14:07:01.2 - NTFSx86

Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.240 [GMT -4:00]

 * Created a new restore point

 

0 events found

No Events found!
