multi-spyware attack! please help

Question

Funny thing - I was in firefox when this started, and it all was in explorer, which was closed. The only other thing that might have been functional was Skype. Hm. Thanks, in advance, to whomever has the time to look at this. afym Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:34:23 PM, on 7/31/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\dla	fswctrl.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\cygwin\bin\cygrunsrv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\WINDOWS\oonhvrqA.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\cygwin\usr\sbin\cron.exe C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\WINDOWS\System32\PGPserv.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ssoftsrv.exe C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\oonhvrq.exe C:\WINDOWS\DvzCommon\DvzMsgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\PGP\PGPtray.exe C:\Palm\HOTSYNC.EXE C:\Program Files\iPod\bin\iPodService.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla	fswctrl.exe O4 - HKLM\..\Run: [StorageGuard] 'C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe' /r O4 - HKLM\..\Run: [PCMService] 'C:\Program Files\Dell\Media Experience\PCMService.exe' O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe' O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe' -osboot O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [runner1] C:\WINDOWSetadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 O4 - HKLM\..\Run: [oonhvrqA] C:\WINDOWS\oonhvrqA.exe O4 - HKLM\..\Run: [Salestart] 'C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe' O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe 'C:\WINDOWS\system32\itrslopu.dll',forkonce O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\MSMSGS.EXE' /background O4 - HKCU\..\Run: [RealPlayer] 'C:\Program Files\Real\RealPlayerealplay.exe' /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized O4 - HKCU\..\Run: [updateMgr] 'C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe' AcRdB7_0_8 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Ncao] 'C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe' -vt yazb O4 - Startup: Event Reminder.lnk = C:\Program Files\PrintMaster\PMREMIND.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: PGPtray.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.gamehouse.com/games/DinerDash2.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/shangrila/zylomplayer.cab O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play10.pogo.com/game/deluxe/zuma/popcaploader_v5.cab O23 - Service: cron - Unknown owner - C:\cygwin\bin\cygrunsrv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\oonhvrq.exe -- End of file - 9854 bytes

afym · Answer

So sorry, log got jumbled. I'm trying again below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:23 PM, on 7/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\cygwin\bin\cygrunsrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\oonhvrqA.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\cygwin\usr\sbin\cron.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\PGPserv.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\oonhvrq.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\PGP\PGPtray.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [oonhvrqA] C:\WINDOWS\oonhvrqA.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\itrslopu.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe" -vt yazb
O4 - Startup: Event Reminder.lnk = C:\Program Files\PrintMaster\PMREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.gamehouse.com/games/DinerDash2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/shangrila/zylomplayer.cab
O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play10.pogo.com/game/deluxe/zuma/popcaploader_v5.cab
O23 - Service: cron - Unknown owner - C:\cygwin\bin\cygrunsrv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\oonhvrq.exe

--
End of file - 9854 bytes

Bugbatter · Answer

Please download Combofix from here: http://download.bleepingcomputer.com/sUBs/combofix.exe
Or
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
** Take note that the links are case sensitive

Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new HijackThis log.

Note:
Do not mouseclick Combofix's window while it is running. That may cause your system to stall/hang.
Do not proceed with the rest of the fix if you fail to run ComboFix.

afym · Answer

And this is the hijackthis log. Thanks again!     Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:07:54 AM, on 8/1/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\cygwin\bin\cygrunsrv.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\cygwin\usr\sbin\cron.exe C:\WINDOWS\System32\PGPserv.exe C:\WINDOWS\system32\ssoftsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\DvzCommon\DvzMsgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\PGP\PGPtray.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Palm\HOTSYNC.EXE C:\WINDOWS\system32
otepad.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla	fswshx.dll O2 - BHO: (no name) - {677ADB60-D529-472C-81E6-1475AA0C8B01} - C:\Program Files\Internet Explorer\hokeqoz83122.dll (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [StorageGuard] 'C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe' /r O4 - HKLM\..\Run: [PCMService] 'C:\Program Files\Dell\Media Experience\PCMService.exe' O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe' O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe'  -osboot O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\MSMSGS.EXE' /background O4 - HKCU\..\Run: [RealPlayer] 'C:\Program Files\Real\RealPlayerealplay.exe' /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized O4 - HKCU\..\Run: [updateMgr] 'C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe' AcRdB7_0_8 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Ncao] 'C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe' -vt yazb O4 - Startup: Event Reminder.lnk = C:\Program Files\PrintMaster\PMREMIND.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: PGPtray.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://click.getmirar.com (HKLM) O15 - Trusted Zone: http://click.mirarsearch.com (HKLM) O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM) O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.gamehouse.com/games/DinerDash2.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/shangrila/zylomplayer.cab O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play10.pogo.com/game/deluxe/zuma/popcaploader_v5.cab O23 - Service: cron - Unknown owner - C:\cygwin\bin\cygrunsrv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 9680 bytes

afym · Answer

This is the final piece of the combofix log. I will post the new hijackthis log after that.   C:\WINDOWS\mcroso~1.net C:\WINDOWS\oonhvrq.exe C:\WINDOWS\system32\b02FdUe C:\WINDOWS\system32\b02FdUe\b02FdUe1065.exe C:\WINDOWS\system32\drivers\fad.sys C:\WINDOWS\system32\drivers\fopn.sys C:\WINDOWS\system32\G1 C:\WINDOWS\system32\G1\kmhp83122.exe C:\WINDOWS\system32\G11 C:\WINDOWS\system32\G11\z553.exe C:\WINDOWS\system32\G3 C:\WINDOWS\system32\G3\wr725.exe C:\WINDOWS\system32\G7 C:\WINDOWS\system32\ldcore.dll C:\WINDOWS\system32\ltpnrnle.exe C:\WINDOWS\system32qemoeih.exe C:\WINDOWS\system32\wcpsvsu.exe C:\WINDOWS\system32\win C:\WINDOWS\system32\ymbols~1 C:\WINDOWS\wr.txt (((((((((((((((((((((((((((((((((((((((   Drivers/Services   ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_FOPN -------\LEGACY_WINDOWS_OVERLAY_COMPONENTS -------\Windows Overlay Components (((((((((((((((((((((((((   Files Created from 2007-07-01 to 2007-08-01  ))))))))))))))))))))))))))))))) 2007-07-31 23:22 51,200 --a------ C:\WINDOWS
ircmd.exe 2007-07-31 23:16 125,504 --a------ C:\WINDOWS\SYSTEM32\ckfpkjli.dll 2007-07-31 22:34   d-------- C:\Program Files\Trend Micro 2007-07-30 06:50   d-------- C:\Program Files\Windows Defender 2007-07-29 23:40 9,769 --a------ C:\WINDOWS\myirt0578.exe 2007-07-29 22:59 936,352 -r-hs---- C:\WINDOWS\oonhvrqA.exe 2007-07-29 22:59   d-------- C:\Temp\brr 2007-07-29 22:59   d-------- C:\Temp\0c2 2007-07-29 22:59   d-------- C:\Temp 2007-07-23 17:48   d-------- C:\Program Files\Triogical2 ((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-07-31 23:49 --------- d-------- C:\DOCUME~1\Yair\APPLIC~1\Skype 2007-07-28 05:06 135 --a------ C:\Program Files\Common Files\profsyxyrtirt.html 2007-06-24 20:42 --------- d-------- C:\Program Files\Picasa2 2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))     *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{677ADB60-D529-472C-81E6-1475AA0C8B01}]    C:\Program Files\Internet Explorer\hokeqoz83122.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'StorageGuard'='C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe' [2003-02-13 02:01] 'PCMService'='C:\Program Files\Dell\Media Experience\PCMService.exe' [2003-08-26 20:47] 'mmtask'='c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe' [2003-10-06 11:05] 'MMTray'='C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe' [2003-10-06 11:05] 'VSOCheckTask'='c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' [2003-08-08 19:02] 'MCAgentExe'='c:\PROGRA~1\mcafee.com\agent\mcagent.exe' [2003-12-08 15:38] 'MCUpdateExe'='C:\PROGRA~1\mcafee.com\agent\mcupdate.exe' [2004-01-28 16:48] 'VirusScan Online'='c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe' [2003-08-17 22:50] 'TkBellExe'='C:\Program Files\Common Files\Real\Update_OBealsched.exe' [2004-07-01 23:39] 'Picasa Media Detector'='C:\Program Files\Picasa2\PicasaMediaDetector.exe' [2007-05-02 02:08] 'iTunesHelper'='C:\Program Files\iTunes\iTunesHelper.exe' [2006-02-23 16:45] 'QuickTime Task'='C:\Program Files\QuickTime\qttask.exe' [2006-03-25 23:56] 'Windows Defender'='C:\Program Files\Windows Defender\MSASCui.exe' [2006-11-03 19:20] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Sonic RecordNow!'='' [] 'ctfmon.exe'='C:\WINDOWS\system32\ctfmon.exe' [2004-08-04 03:56] 'MSMSGS'='C:\Program Files\Messenger\MSMSGS.exe' [2004-10-13 12:24] 'RealPlayer'='C:\Program Files\Real\RealPlayerealplay.exe' [2006-05-31 08:49] 'Skype'='C:\Program Files\Skype\Phone\Skype.exe' [2006-06-26 15:53] 'updateMgr'='C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe' [2006-03-30 16:45] 'swg'='C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe' [2007-06-18 23:27] 'Ncao'='C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe' [] C:\Documents and Settings\Yair\Start Menu\Programs\Startup\ DESKTOP.INI [2002-09-03 14:36:04] Event Reminder.lnk - C:\Program Files\PrintMaster\PMREMIND.EXE [2004-05-25 17:02:42] HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2003-09-25 11:47:12] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe [2005-09-23 23:05:26] Dataviz Messenger.lnk - C:\WINDOWS\DvzCommon\DvzMsgr.exe [2003-07-01 22:16:46] DESKTOP.INI [2002-09-03 14:36:04] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-05-13 19:33:10] PGPtray.lnk - C:\Program Files\PGP\PGPtray.exe [2004-11-29 22:09:47] R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys R2 cron;cron;C:\cygwin\bin\cygrunsrv.exe R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys R2 dsunidrv;DellSupport UniDriver;C:\WINDOWS\system32\DRIVERS\dsunidrv.sys R2 PGPdisk;PGPdisk;C:\WINDOWS\system32\drivers\PGPdisk.sys R2 PGPsdkDriver;PGPsdkDriver;C:\WINDOWS\system32\Drivers\PGPsdk.sys R2 ssoftnt4;ssoftnt4;\??\C:\WINDOWS\System32\Drivers\ssoftnt4.sys R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla	fsnboio.sys R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla	fsncofs.sys R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla	fsndrct.sys R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla	fsndres.sys R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla	fsnifs.sys R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla	fsnopio.sys R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla	fsnpool.sys R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla	fsnudf.sys R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla	fsnudfa.sys R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver;C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys R3 MA311;NETGEAR Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\ma311n51.sys R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys R3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys S3 ApiMon;ApiMon;\??\C:\WINDOWS\system32\drivers\ApiMon.sys S3 DSproct;DSproct;\??\C:\Program Files\DellSupport\GTAction	riggers\DSproct.sys S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys S3 i81x;i81x;C:\WINDOWS\system32\DRIVERS\i81xnt5.sys S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys S3 SQLAgent$MICROSOFTBCM;SQLAgent$MICROSOFTBCM;C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlagent.EXE -i MICROSOFTBCM S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D] AutoRun\command- D:\autorun.exe Contents of the 'Scheduled Tasks' folder 2004-07-30 01:37:00 C:\WINDOWS\Tasks\backup.job - C:\cygwin\home\Yair\bin\backup.bat 2004-07-30 01:52:27 C:\WINDOWS\Tasks\CorelDRAW 9.job - C:\PROGRA~1\Corel\GRAPHI~1\Programs\coreldrw.exe 2007-08-01 03:48:00 C:\WINDOWS\Tasks\McAfee.com Update Check (D8LVPW41-Administrator).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe 2007-08-01 03:47:06 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICEDESK-Eitan).job - C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe 2007-08-01 03:47:06 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICEDESK-Eyal).job 2007-08-01 02:11:26 C:\WINDOWS\Tasks\McAfee.com Update Check (OFFICEDESK-Yair).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe 2007-07-31 10:55:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job - C:\Program Files\Windows Defender\MpCmdRun.exe 2007-08-01 03:47:19 C:\WINDOWS\Tasks\SDMsgUpdate (SmartDrawTrial).job - C:\PROGRA~1\SMARTD~1\Messages\SDNotify.exe ************************************************************************** catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-07-31 23:48:05 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** Completion time: 2007-07-31 23:51:05 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2007-07-31 23:50  --- E O F ---

afym · Answer

Thank you. I ran combofix, rebooted, and the log is below. It's too long for one message so I am splitting it in pieces.   ComboFix 07-07-30.2 - 'Yair' 2007-07-31 23:27:23.1 [GMT -4:00] - NTFS Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.True  * Created a new restore point ((((((((((((((((((((((((((((((((((((((((((((   V Log   ))))))))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\efcyvut.dll C:\WINDOWS\system32\hggdaxw.dll C:\WINDOWS\system32
nnoolj.dll C:\WINDOWS\system32\pbeugbwk.dll C:\WINDOWS\system32\esqmonke.exe C:\WINDOWS\system32\mkmowbhl.exe C:\WINDOWS\system32\xftcsdqn.exe C:\WINDOWS\SYSTEM32\cbeeg.bak1 C:\WINDOWS\SYSTEM32\cbeeg.bak2 C:\WINDOWS\SYSTEM32\cbeeg.ini C:\WINDOWS\SYSTEM32\cbeeg.bak1 C:\WINDOWS\SYSTEM32\cbeeg.bak2 C:\WINDOWS\SYSTEM32\cbeeg.ini C:\WINDOWS\system32\geebc.dll C:\WINDOWS\system32\iifedde.dll * * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *   (((((((((((((((((((((((((((((((((((((((   Other Deletions   ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007 C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode C:\DOCUME~1\Yair\APPLIC~1.\mbols~1 C:\DOCUME~1\Yair\APPLIC~1.\mbols~1\wuauclt.exe C:\DOCUME~1\Yair\APPLIC~1.\scurit~1 C:\Documents and Settings\Yair.\err.log C:\Program Files\Common Files\winantispyware 2007 C:\Program Files\Common Files\winantispyware 2007\err.log C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe C:\Program Files\inetget2 C:\Program Files\inetget2\popinstall.exe C:\Program Files\Internet Explorer\hokeqoz83122.dll C:\Program Files\winantispyware 2007 C:\Program Files\winantispyware 2007\RTMonitor.dat\bce0964a622b4fcfb0775691\ce3184a03d464dfb6ad1d8a9\0cbc9cbdd7d441bb7f624ca9\#data C:\Program Files\winantispyware 2007\RTMonitor.dat\bce0964a622b4fcfb0775691\ce3184a03d464dfb6ad1d8a9\0cbc9cbdd7d441bb7f624ca9\#internal C:\Program Files\winantispyware 2007\RTMonitor.dat\bce0964a622b4fcfb0775691\ce3184a03d464dfb6ad1d8a9\0cbc9cbdd7d441bb7f624ca9\#name C:\Program Files\winpop C:\Program Files\winpop\UnInstall.exe C:\WINDOWS\b122.exe C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48 C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\dirty_dishes.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\foodtray.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\heart1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\heart2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\heart3.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\menu_down.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\menu_up.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories\mop_prop.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\accessories	icket.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a1.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a2.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a3.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\music\cafe\cafe_music_a4.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\music\mainmenumusic.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\baby_cry.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\chef_cook1.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\closing_time.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\customer_ditch.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\dialog_down.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\dialog_up.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\drink_table.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\expert.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\highchair_deliver.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\highchair_pickup.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\keystroke2.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\level_lose.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\level_win.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\menu_click.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\menu_rollover.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\mop_pickup.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\mop_spill.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_bring_check_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_deliver_food_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_dropoff_drinks_1.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_food_ready_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_gain_heart_1.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_get_drinks_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_menu_down.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_party_arrive_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_pencil_write_2.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_pickup_food_1_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\sfx_seat_people_snd.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx\spill.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx	able_drink.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\audio\sfx	ip_2.ogg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\flo_lose.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\flo_win.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\fullscreendialog.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\high_score_menu_bg.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\levelintro.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\levelintro.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\levelover.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\longdialog.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\longdialog.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\mainmenu.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\mainmenu_logo.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\popup.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\popup.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds	extfield.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\backgrounds\upgrade_lines.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowdown_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowdown_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowdown_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowup_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowup_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\arrowup_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\checkbox_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\checkbox_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\checkbox_rotated_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\checkbox_rotated_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\decor_highlight.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\decor_normal.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\decor_selected.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_large_3.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a_small_3.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\dialog_button_a3.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\left_arrow_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\left_arrow_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\left_arrow_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button1_mask.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\main_menu_button2_mask.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\map_button_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\map_button_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\map_button_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttonsight_arrow_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttonsight_arrow_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttonsight_arrow_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\upgrade_down.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\upgrade_over.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\upgrade_up.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\buttons\welcome_player.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\actionpoints.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\career.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\customer.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\endless.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\global.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\config\powerups.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cook\stove.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cursor\arrow.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cursor\click.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cursor\click2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cursor\grab.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\cursor\open.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_male\anim.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_male\anim.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_male\blue.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_male\blue_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_male\legs.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_maleed.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\dad_maleed_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_male\anim.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_male\anim.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_male\blue.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_male\blue_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_male\legs.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_maleed.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\kid_maleed_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\anim.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\anim.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\baby.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\baby.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\blue.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\blue_baby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\blue_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_female\legs.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_femaleed.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_femaleed_baby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\mom_femaleed_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_female\anim.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_female\anim.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_female\blue.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_female\blue_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_female\legs.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_femaleed.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\customers\young_femaleed_legs.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\idle.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\idle.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\lower.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\lower.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\upper.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\flo\upper.png

afym · Answer

This is the second piece of the combofix log. There will be one more.   C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\fonts\mercurius.mvec C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\bench.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\bench.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\blue_highchairbaby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\chair.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\chair.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\dirt2top.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\dirt4top.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\dishcart.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\dishcart.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\green_highchairbaby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\highchair_prop_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\highchair_prop_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\highchairbaby.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\highchairbaby.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\luxury_bench.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\luxury_bench.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\mop_station_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\mop_station_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\mop_station_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\podium.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\podium_heart.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\podium_heart.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\purple_highchairbaby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furnitureadio.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furnitureed_highchairbaby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\spill.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\spill.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\stereo.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture	icketstation.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture	icketstation.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\furniture\yellow_highchairbaby.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\family.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help_dividerline.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help1_colormatch1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help1_colormatch2.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help1_noise.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help1_score.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help2_cleardishes.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help2_givecheck.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help2_pickupfood.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help2_servefood.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\help\help2_takeorder.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\hiscore\local-hs-bb.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\hiscore\p1icon.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_1.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_2.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_3.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_4.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_5.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\career_1_6.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\endless_1_1.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_a.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_b.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\layouts\endless_1_1_c.bin C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\playfirstlogo.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\background.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\chairs\blue.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\chairs\green.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\chairs\green.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\chairs\grey.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\chairsed.pal C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\food\cup1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\food\food.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\food\food.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\frames\2_0.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\frames\2_1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\furniture\drinkstation1_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\furniture\drinkstation1_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\furniture\drinkstation1_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\people\cook.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\people\cook.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\props\cup_prop1.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe	ables\2top.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe	ables\2top.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe	ables\4top.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe	ables\4top.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\upgrade_icons\cafe_icon_2_0.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\upgrade_icons\cafe_icon_2_1.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants\cafe\upgrades.xml C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assetsestaurants	ableshadow.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\careerupgrade.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\choosedifficulty.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\closeconfirm.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\entername.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\game.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\getmoregames.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\help1.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\help2.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\hiscore.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\hiscoreinfo.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\hiscoresubmit.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\levelintro.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\levelover.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\loading.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\mainloop.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\mainmenu.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\ok.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\pause.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\style.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\upgrade.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\upsell.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\scripts\yesno.lua C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\splash\aol_logo.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\splash\playfirst_logo.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\strings.xml C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\angersmoke.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\angersmoke.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\bubblesequest_bubble.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\bubblesequest_mop.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\bubblesequest_rejectmeal.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\chairflags.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\chairflags.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\check.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\checkmark.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\closed.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\coinflip.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\coinflip.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\decor_lines.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\dollar.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\expert.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\foodpoof.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\foodpoof.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\heartgrow.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\heartgrow.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\jar.anm C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\jar.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\lives_icon.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
oisering.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_d.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_e.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui
otes\music_boost_f.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui	ablenumber_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui	ablenumber_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui	raynumber.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui	utorialarrow.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui	utorialbox.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\ui_base.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\ui_hand.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\ui_timer_off.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\ui_timer_on.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgradeanim.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_bench_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_drink_station1_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_luxury_bench_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_oven_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_podium_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_powerbars_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_radio_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_stereo_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_a.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_b.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\ui\upgrades\icon_table_c.png C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\upsell\dd1.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\upsell\dd2.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\upsell\dd3.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\assets\upsell\dd4.jpg C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.48\dinerdash2.exe

Bugbatter · Answer

We need to disable your Microsoft Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, deselect the Turn on real-time protection check box
* Click Save

Please make sure Defeneder is disabled after each time you reboot during our fixes. After all of the fixes are complete it is very important that you enable Real-time Protection again.

You have Viewpoint installed. Viewpoint developed a behavioral targeting product in 2006. Viewpoint is associated with a program called viewmgr.exe and the ViewPoint Media Player.
Viewpoint is bundled with AOL, AOL Instant Messenger, Adobe Atmosphere, Netscape 7, etc and sometimes not mentioned in the license agreement. Hardware manufacturers pre-install some of these applications.
ViewPoint Toolbar will redirect your search queries and also transmits non personally identifiable information back to their servers. The Viewpoint Toolbar is listed is also classified as a threat in the CounterSpy Threat Library because it hijacks your search queries and also transmits non personally identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. Viewpoint Manager is a useless add on.
More info here:
http://ask-leo.com/viewmgrexe.html
http://www.kephyr.com/spywarescanner/library/viewpointmediaplayer/index.phtml
Because Viewpoint's software will track your web surfing and tailor advertisements based on the web pages you are visiting, I suggest you remove the program.
** Note: Removing Viewpoint Media Player may cause the program that bundled it to not function as intended. For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
If you wish to remove Viewpoint, end process on ViewManager in Task Manager.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar
Viewpoint Experience Technology

Then remove the Viewpoint folder in your Program Files.

Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:

Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets

Reboot and download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Reboot

Please launch HijackThis and place a checkmark next to these if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {677ADB60-D529-472C-81E6-1475AA0C8B01} - C:\Program Files\Internet Explorer\hokeqoz83122.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Yair\APPLIC~1\MBOLS~1\wuauclt.exe" -vt yazb
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/zenpuzzlegarden/miniclipGameLoader.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.gamehouse.com/games/DinerDash2.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play10.pogo.com/game/deluxe/zuma/popcaploader_v5.cab

If you removed Viewpoint, check this one as well:
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all windows except HijackThis and click "Fix Checked"
Close HijackThis.

Reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Configure to show all files/folders:
Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders

Delete these specified files if they still exist:
C:\WINDOWS\ oonhvrqA.exe
C:\WINDOWS\SYSTEM32\ ckfpkjli.dll

Reboot normally.

Rehide files:
Start>Search and at the top select Tools>Folder Options
Select the View tab
Display the contents of system folders
Show hidden files and folders
Uncheck: Hide protected operating system files
Click on Apply.

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply with all other logs requested.
Click Close to exit the program.

In addition to your log from SAS, please post a fresh HijackThis log. Thanks :)

afym · Answer

Okay, took a while to get to it... here are the logs. First half of SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/02/2007 at 05:00 AM

Application Version : 3.9.1008

Core Rules Database Version : 3277
Trace Rules Database Version: 1288

Scan type : Complete Scan
Total Scan Time : 02:38:16

Memory items scanned : 451
Memory threats detected : 0
Registry items scanned : 6344
Registry threats detected : 21
File items scanned : 160180
File threats detected : 287

Browser Hijacker.Internet Explorer Zone Hijack
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click#https
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect#https

Adware.Tracking Cookie
C:\Documents and Settings\Yair\Cookies\yair@trafficmp[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wgmyekajcko.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.k8l[1].txt
C:\Documents and Settings\Yair\Cookies\yair@amaena[1].txt
C:\Documents and Settings\Yair\Cookies\yair@adopt.specificclick[1].txt
C:\Documents and Settings\Yair\Cookies\yair@secure.agoramedia[2].txt
C:\Documents and Settings\Yair\Cookies\yair@m1.webstats.motigo[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adv.webmd[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ehg-randomhouse.hitbox[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wbk4gmczcaq.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.cnn[1].txt
C:\Documents and Settings\Yair\Cookies\yair@qksrv[2].txt
C:\Documents and Settings\Yair\Cookies\yair@partner2profit[2].txt
C:\Documents and Settings\Yair\Cookies\yair@sales.liveperson[3].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wflowodjwaq.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.addynamix[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ad.outerinfo[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.adbrite[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wfl4gjdzolq.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adopt.euroclick[2].txt
C:\Documents and Settings\Yair\Cookies\yair@tribalfusion[1].txt
C:\Documents and Settings\Yair\Cookies\yair@linksynergy[1].txt
C:\Documents and Settings\Yair\Cookies\yair@adrevolver[1].txt
C:\Documents and Settings\Yair\Cookies\yair@mediaplex[1].txt
C:\Documents and Settings\Yair\Cookies\yair@localsrv[2].txt
C:\Documents and Settings\Yair\Cookies\yair@drivecleaner[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ehg-wachovia.hitbox[2].txt
C:\Documents and Settings\Yair\Cookies\yair@precisionclick[2].txt
C:\Documents and Settings\Yair\Cookies\yair@server.cpmstar[2].txt
C:\Documents and Settings\Yair\Cookies\yair@members.tripod[1].txt
C:\Documents and Settings\Yair\Cookies\yair@advertising[1].txt
C:\Documents and Settings\Yair\Cookies\yair@fastclick[2].txt
C:\Documents and Settings\Yair\Cookies\yair@omahasteaks.122.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@statse.webtrendslive[2].txt
C:\Documents and Settings\Yair\Cookies\yair@sixapart.adbureau[2].txt
C:\Documents and Settings\Yair\Cookies\yair@doubleclick[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\Yair\Cookies\yair@2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@anat.tacoda[1].txt
C:\Documents and Settings\Yair\Cookies\yair@citi.bridgetrack[1].txt
C:\Documents and Settings\Yair\Cookies\yair@perf.overture[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.realtechnetwork[3].txt
C:\Documents and Settings\Yair\Cookies\yair@go.winantivirus[1].txt
C:\Documents and Settings\Yair\Cookies\yair@imrworldwide[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adtech[2].txt
C:\Documents and Settings\Yair\Cookies\yair@pch.122.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ehg-cbot.hitbox[1].txt
C:\Documents and Settings\Yair\Cookies\yair@adinterax[2].txt
C:\Documents and Settings\Yair\Cookies\yair@interclick[2].txt
C:\Documents and Settings\Yair\Cookies\yair@indextools[1].txt
C:\Documents and Settings\Yair\Cookies\yair@questionmarket[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ad.zanox[1].txt
C:\Documents and Settings\Yair\Cookies\yair@www7.addfreestats[1].txt
C:\Documents and Settings\Yair\Cookies\yair@go.winantispyware[3].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.pointroll[1].txt
C:\Documents and Settings\Yair\Cookies\yair@www.burstbeacon[2].txt
C:\Documents and Settings\Yair\Cookies\yair@server.iad.liveperson[3].txt
C:\Documents and Settings\Yair\Cookies\yair@nextag[1].txt
C:\Documents and Settings\Yair\Cookies\yair@burstnet[1].txt
C:\Documents and Settings\Yair\Cookies\yair@247realmedia[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.revsci[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wakouhdjklq.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@tacoda[1].txt
C:\Documents and Settings\Yair\Cookies\yair@revsci[1].txt
C:\Documents and Settings\Yair\Cookies\yair@agoramedia[1].txt
C:\Documents and Settings\Yair\Cookies\yair@anad.tacoda[1].txt
C:\Documents and Settings\Yair\Cookies\yair@roiservice[2].txt
C:\Documents and Settings\Yair\Cookies\yair@stat.onestat[1].txt
C:\Documents and Settings\Yair\Cookies\yair@overture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@apmebf[2].txt
C:\Documents and Settings\Yair\Cookies\yair@paypal.112.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@bluestreak[2].txt
C:\Documents and Settings\Yair\Cookies\yair@xiti[1].txt
C:\Documents and Settings\Yair\Cookies\yair@specificclick[1].txt
C:\Documents and Settings\Yair\Cookies\yair@scholastic.122.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@realmedia[2].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wjkyuoajmco.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wjlyklcpokp.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@msnportal.112.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@casalemedia[1].txt
C:\Documents and Settings\Yair\Cookies\yair@statcounter[2].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wfmyomdpmgo.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@3s.serving-sys[1].txt
C:\Documents and Settings\Yair\Cookies\yair@sales.liveperson[1].txt
C:\Documents and Settings\Yair\Cookies\yair@serving-sys[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.freeonlinegames[2].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wjl4goajelp.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@atdmt[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ad.yieldmanager[2].txt
C:\Documents and Settings\Yair\Cookies\yair@server.iad.liveperson[1].txt
C:\Documents and Settings\Yair\Cookies\yair@media.adrevolver[1].txt
C:\Documents and Settings\Yair\Cookies\yair@findwhat[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adbrite[1].txt
C:\Documents and Settings\Yair\Cookies\yair@www.burstnet[1].txt
C:\Documents and Settings\Yair\Cookies\yair@edge.ru4[1].txt
C:\Documents and Settings\Yair\Cookies\yair@keywordmax[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wgkyglajwhp.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@hitbox[1].txt
C:\Documents and Settings\Yair\Cookies\yair@uclick[1].txt
C:\Documents and Settings\Yair\Cookies\yair@2.adbrite[1].txt
C:\Documents and Settings\Yair\Cookies\yair@counter.hitslink[1].txt
C:\Documents and Settings\Yair\Cookies\yair@cnn.122.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@go.winantivirus[3].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wfloghc5whp.stats.esomniture[1].txt
C:\Documents and Settings\Yair\Cookies\yair@cz5.clickzs[2].txt
C:\Documents and Settings\Yair\Cookies\yair@zedo[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wbligpazolq.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adbrite[3].txt
C:\Documents and Settings\Yair\Cookies\yair@go.winantispyware[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ehg-legonewyorkinc.hitbox[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.labpixies[1].txt
C:\Documents and Settings\Yair\Cookies\yair@4.adbrite[3].txt
C:\Documents and Settings\Yair\Cookies\yair@web4.realtracker[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wfliggdjodo.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@ads.realtechnetwork[1].txt
C:\Documents and Settings\Yair\Cookies\yair@e-2dj6wfkyskazago.stats.esomniture[2].txt
C:\Documents and Settings\Yair\Cookies\yair@toseeka[2].txt
C:\Documents and Settings\Yair\Cookies\yair@homestore.122.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@usatoday1.112.2o7[1].txt
C:\Documents and Settings\Yair\Cookies\yair@winantispyware[1].txt
C:\Documents and Settings\Yair\Cookies\yair@media.top-banners[1].txt
C:\Documents and Settings\Yair\Cookies\yair@stats1.reliablestats[1].txt
C:\Documents and Settings\Yair\Cookies\yair@tripod[1].txt
C:\Documents and Settings\Yair\Cookies\yair@goclick[2].txt
C:\Documents and Settings\Yair\Cookies\yair@www.winantispyware[1].txt
C:\Documents and Settings\Yair\Cookies\yair@www.googleadservices[2].txt
C:\Documents and Settings\Yair\Cookies\yair@www.amaena[2].txt
C:\Documents and Settings\Yair\Cookies\yair@cpvfeed[2].txt
C:\Documents and Settings\Yair\Cookies\yair@stats.drivecleaner[1].txt
C:\Documents and Settings\Yair\Cookies\yair@winantivirus[1].txt
C:\Documents and Settings\Yair\Cookies\yair@pro-market[1].txt
C:\Documents and Settings\Yair\Cookies\yair@ad.adtegrity[2].txt
C:\Documents and Settings\Yair\Cookies\yair@eyeblast.adbureau[1].txt
C:\Documents and Settings\Yair\Cookies\yair@www.drivecleaner[2].txt
C:\Documents and Settings\Yair\Cookies\yair@adultfriendfinder[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@advertising[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@atdmt[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@casalemedia[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@doubleclick[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@ehg-attworldnet.hitbox[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@ehg-legonewyorkinc.hitbox[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@ehg-wachovia.hitbox[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@fastclick[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@hitbox[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@maxserving[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@msnportal.112.2o7[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@nextag[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@qnsr[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@questionmarket[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@realmedia[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@servedby.advertising[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@statcounter[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@straightforwardmedia[2].txt
C:\Documents and Settings\Eitan\Cookies\eitan@tacoda[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@tribalfusion[1].txt
C:\Documents and Settings\Eitan\Cookies\eitan@zedo[2].txt

afym · Answer

Here is second half of SAS log. Also: in both this half and the previous, I had to change one 'b' to a '3': there is now one "3s" in each, in which the 3 was originally a b. That letter combination was apparently "prohibited content"...
The next posting will be the HijackThis log.

C:\Documents and Settings\Eyal\Cookies\eyal@2o7[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ad.yieldmanager[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ad.zanox[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@adknowledge[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@adlegend[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@adopt.hbmediapro[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@adrevolver[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ads.addynamix[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ads.digitalpoint[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ads.pointroll[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@advertising[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@advertstream[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@anad.tacoda[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@anat.tacoda[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@apmebf[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@as-eu.falkag[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@as-us.falkag[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@atdmt[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@atwola[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@banner[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@belnk[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@bluestreak[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@3s.serving-sys[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@burstnet[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@casalemedia[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@citi.bridgetrack[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@data2.perf.overture[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@dist.belnk[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@doubleclick[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@edge.ru4[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-cafepress.hitbox[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-dig.hitbox[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-foxmovies.hitbox[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-legonewyorkinc.hitbox[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-schwablo.hitbox[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@ehg-warnerbrothers.hitbox[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@emarketmakers[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@fastclick[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@focalex[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@fortunecity[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@hitbox[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@login.tracking101[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@m1.webstats4u[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@maxserving[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@media.fastclick[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@mediaplex[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@nextag[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@perf.overture[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@qksrv[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@questionmarket[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@realmedia[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@rightmedia[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@rotator.adjuggler[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@server.cpmstar[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@serving-sys[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@statcounter[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@superstats[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@tacoda[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@tradedoubler[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@trafficmp[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@tribalfusion[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@tripod[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@valueclick[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@www.burstbeacon[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@www.burstnet[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@www.screensavers[2].txt
C:\Documents and Settings\Eyal\Cookies\eyal@xiti[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@z1.adserver[1].txt
C:\Documents and Settings\Eyal\Cookies\eyal@zedo[1].txt
C:\Documents and Settings\Eyal\Local Settings\Temp\Cookies\eyal@advertising[1].txt
C:\Documents and Settings\Eyal\Local Settings\Temp\Cookies\eyal@atdmt[1].txt
C:\Documents and Settings\Eyal\Local Settings\Temp\Cookies\eyal@maxserving[2].txt
C:\Documents and Settings\Eyal\Local Settings\Temp\Cookies\eyal@servedby.advertising[2].txt
C:\Documents and Settings\Yair\Cookies\yair@4.adbrite[1].txt
C:\Documents and Settings\Yair\Cookies\yair@statcounter[1].txt

Trojan.Windows Overlay Components/SysMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon#UninstallString

Adware.Mirar/NetNucleus
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version

Adware.ClickSpring/Outer Info Network
C:\Documents and Settings\Yair\Start Menu\Programs\Outerinfo

Trojan.TagASaurus
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\DESKTOP\SEARCHUS.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\DESKTOP\SEARCHUS.EXE

Trojan.Downloader-Gen/Micky
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\1.DLLB
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\2.DLLB
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\5.DLLB
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\6.DLLB
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\7.DLLB
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\1.DLLB
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\5.DLLB

Trojan.Downloader-StdRun/Gen
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN1.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN1.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN2.EXE

Trojan.Downloader-StdRun/Variant
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN2.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN4.EXE
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMP\STDRUN6.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN10.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN11.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN12.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN13.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN14.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN7.EXE
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\TEMP\STDRUN8.EXE

Trojan.Downloader-LDCore
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\JC4H82PX\USER9[1].EXE
C:\WINDOWS\MYIRT0578.EXE

Adware.k8l
C:\PROGRAM FILES\COMMON FILES\PROFSYXYRTIRT.HTML

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\DOCUME~1\YAIR\APPLIC~1\MBOLS~1\WUAUCLT.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063167.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\HOKEQOZ83122.DLL.VIR

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EFCYVUT.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HGGDAXW.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IIFEDDE.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063178.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063179.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063197.DLL

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ESQMONKE.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MKMOWBHL.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063182.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063183.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\G1\KMHP83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WCPSVSU.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1019\A0063069.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063161.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063171.EXE

Adware.SysMon
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\G11\Z553.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063174.EXE

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XFTCSDQN.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063184.EXE

Trojan.Downloader-Stera/WinSoftware
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1016\A0062993.EXE

Trojan.Downloader-VisFX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1020\A0063085.EXE

Trojan.Downloader-Gen/BasicMath
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1020\A0063086.EXE

Trojan.ZQuest
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063166.DLL

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1022\A0063180.DLL

Trace.Known Threat Sources
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OPQRJ2CD\32647543ygwvrhbjt3h4evjrbgnrt[1].htm

afym · Answer

And finally the Hijack This log. Thank you again for all this help. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:52:04 AM, on 8/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16473) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe C:\Program Files\Common Files\Real\Update_OBealsched.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\MSMSGS.EXE C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\WINDOWS\DvzCommon\DvzMsgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\PGP\PGPtray.exe C:\Palm\HOTSYNC.EXE C:\cygwin\bin\cygrunsrv.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\cygwin\usr\sbin\cron.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe C:\WINDOWS\System32\PGPserv.exe C:\WINDOWS\system32\ssoftsrv.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32
otepad.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla	fswshx.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll O4 - HKLM\..\Run: [StorageGuard] 'C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe' /r O4 - HKLM\..\Run: [PCMService] 'C:\Program Files\Dell\Media Experience\PCMService.exe' O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [VSOCheckTask] 'c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe' /checktask O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [VirusScan Online] 'c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe' O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe' -osboot O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [iTunesHelper] 'C:\Program Files\iTunes\iTunesHelper.exe' O4 - HKLM\..\Run: [QuickTime Task] 'C:\Program Files\QuickTime\qttask.exe' -atboottime O4 - HKLM\..\Run: [Windows Defender] 'C:\Program Files\Windows Defender\MSASCui.exe' -hide O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] 'C:\Program Files\Messenger\MSMSGS.EXE' /background O4 - HKCU\..\Run: [RealPlayer] 'C:\Program Files\Real\RealPlayerealplay.exe' /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [Skype] 'C:\Program Files\Skype\Phone\Skype.exe' /nosplash /minimized O4 - HKCU\..\Run: [updateMgr] 'C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe' AcRdB7_0_8 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Startup: Event Reminder.lnk = C:\Program Files\PrintMaster\PMREMIND.EXE O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Readereader_sl.exe O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: PGPtray.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.gamehouse.com/games/mjolauncher.cab O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.arcadetown.com/swf/shangrila/zylomplayer.cab O16 - DPF: {C26027F5-C7EF-4CC1-9637-B514BCF8BF4E} (SAIOnlineAForm Control) - http://www.arcadetown.com/swf/scorchanisland/saionline.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: cron - Unknown owner - C:\cygwin\bin\cygrunsrv.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\System32\PGPserv.exe O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe -- End of file - 8552 bytes

Bugbatter · Answer

Good job! We're almost finished. :)

If you want to, you can fix a couple of optionals and that blank Start Page in IE. It is not malwere, but just a blank page.

Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

Please launch Hijackthis nd place a checkmark next to this:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

The following are optional to fix because they use a small amount of resources and, depending on your needs, may not be necessary to run at Startup. Fixing them here will not prevent you from opening them manually as needed.

O4 - HKLM\..\Run: [TkBellExe] \"C:\Program Files\Common Files\Real\Update_OB\realsched.exe\" -osboot
(Description: RealPlayer scheduler-- Unnnecessary.)

O4 - HKCU\..\Run: [RealPlayer] \"C:\Program Files\Real\RealPlayer\realplay.exe\" /RunUPGToolCommandReBoot
(RealPlayer system tray application -- Unnecessary.)

Close all windows except Hijackthis and click "Fix Checked".

Close HijackThis and reboot.

Download and scan each user profile with CCleaner:
http://www.ccleaner.com/downloadbuilds.asp
** Select to download the BASIC version.
1. Before first use, select Options > Advanced and UNCHECK
" Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies (if you want to keep those).
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.
In the Applications Tab:
• Clean all except cookies (if you want to keep those) in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.
3. Click the " Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click " OK" and it will scan and clean your system.
6. Click " exit" when done.
REBOOT.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. It is possible that you may be running Java code in your applications that absolutely require a specific version of the JRE to run. Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2 allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Official JAVA Installation Instructions if needed.

Please post a fresh HijackThis log for final review and let me know if your issue has been resolved. Thanks :)

Virus & Spyware

multi-spyware attack! please help

Was this post helpful?