Jump to content


Photo
- - - - -

Malware keeps coming back, please help


  • This topic is locked This topic is locked
23 replies to this topic

#1 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 04 January 2010 - 11:59 PM

I've got this bug on my system that Malwarebytes can't completely remove. Malwarebytes removes it temporarily but it reinstalls itself after I restart a couple times. It hijacks my desktop background. I've noticed my browser keeps getting randomly redirected to odd sites, and I'm am also unable to run windows update. I'm pretty sure the malware is called "winupdate86". Please help!

Here are my logs:

Malwarebytes' Anti-Malware 1.43
Database version: 3494
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/4/2010 7:53:46 PM
mbam-log-2010-01-04 (19-53-46).txt

Scan type: Full Scan (C:\|)
Objects scanned: 427048
Time elapsed: 1 hour(s), 47 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\System32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\Temp\F0.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 8:45:49 PM, on 1/4/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {ebba2a2f-7b79-462a-a550-e500fe0dd556} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
O15 - Trusted Zone: www.christinamilian.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.9.113.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: rewopawiy - {39481500-99ba-4a62-8828-4a45907a78eb} - (no file)
O21 - SSODL: vimawemot - {df2c8e1e-37fe-49a3-96c4-ba06a193b9c7} - c:\windows\system32\gaduvoma.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: mujuzedij - {39481500-99ba-4a62-8828-4a45907a78eb} - (no file)
O22 - SharedTaskScheduler: gahurihor - {df2c8e1e-37fe-49a3-96c4-ba06a193b9c7} - c:\windows\system32\gaduvoma.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--
End of file - 9628 bytes

#2 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 05 January 2010 - 09:25 AM

Hi bigwilltillidie and Welcome to Malwarebytes!

Please download ComboFix from Here or [url="http://"http://download.bleepingcomputer.com/sUBs/ComboFix.exe"]Here[/url] to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select Safe Mode.

If this doesn't work either, try the same method (above method), but name Combofix.exe to iexplore.exe instead, or winlogon.exe..
This because It also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe...
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#3 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 05 January 2010 - 02:32 PM

Here are the Combo-fix and new hijack this logs. I have a feeling something is still on the system because I was redirected to a false malwarebytes website from yahoo.

Attached Files



#4 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 05 January 2010 - 04:28 PM

Hi bigwilltillidie,

Give me a few days, been busy today. And I'll look at your logs and we'll go from ther. By the way, I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player


Close all other windows except for hijackthis, perform a scan and put a check against the following items and click 'fix checked'.

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

And remove Ask Toolbar from Add/Remove Programs in the Control Panel (if present):


I'll post back on Thursday.......... :D
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#5 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 06 January 2010 - 09:32 AM

Hi bigwilltillidie

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\ds32gt8.dll
Driver::
bkgc

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.




Posted Image


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#6 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 06 January 2010 - 05:04 PM

Here you go

Attached Files



#7 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 06 January 2010 - 05:41 PM

Looks good bigwilltillidie. Let run a few more scans. Smile we are getting closer. Good job you done there.

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



Next



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however may need to disable your current installed Anti-Virus, how to do so can be read here.

  • Please go here then click on: Posted Image
  • Select the option YES, I accept the Terms of Use then click on: Posted Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Posted Image
  • The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Posted Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Next


Download Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

In your next reply, please include these log(s):

MBAM Report
EsetOnlineScanner\log.txt
checkup.txt


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#8 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 06 January 2010 - 08:33 PM

I haven't noticed anything out of the ordinary for a bit, not since I got redirected after running Combo-fix for the first time. But it seems like the ESET scan found some things.

Malwarebytes Log

Malwarebytes' Anti-Malware 1.43
Database version: 3504
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/6/2010 3:04:29 PM
mbam-log-2010-01-06 (15-04-29).txt

Scan type: Quick Scan
Objects scanned: 208979
Time elapsed: 4 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Online Scanner Log


C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16\78fcee10-724751d5 probably a variant of Win32/Agent trojan
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\49\35217071-3019301d probably a variant of Win32/Agent trojan
C:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\6.0\38\2ebfd1a6-34cc6c18 probably a variant of Java/TrojanDownloader.OpenStream.NAD trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\AGikTvut.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\AGikTvut.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\avkbafmh.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\BdJRrqss.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\BdJRrqss.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\beyxfljd.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dephhjun.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\eNorqtwa.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\eNorqtwa.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\eqdlrhlb.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\ixqcilfp.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\kbdsock.dll.vir a variant of Win32/Bamital.B trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\KQsvyccf.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\KQsvyccf.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\liluqhwp.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lxmwoalj.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\mfhgkdfu.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\oVyaGfhk.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\oVyaGfhk.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\OVyycJlm.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\OVyycJlm.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\padncaps.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\QqtsYJlm.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\QqtsYJlm.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\rfgfcftq.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\rtmrtthn.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\tmnmxtwv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vDKjSvut.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vDKjSvut.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\waGOoUvw.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\waGOoUvw.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wgdrhafg.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wgshkgyg.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\xgscwsfj.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\YIlknUtv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\YIlknUtv.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\yntdtynp.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\psukox.sys.vir a variant of Win32/Rootkit.Kryptik.AF trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_psukox_.sys.zip a variant of Win32/Rootkit.Kryptik.AF trojan

Security Check

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
SUPERAntiSpyware Free Edition
Java Web Start
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 5
Java 2 Runtime Environment, SE v1.4.1_07
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.1.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe
Ad-Aware AAWTray.exe is disabled!
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

#9 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 07 January 2010 - 06:40 AM

The "C:\Qoobox" The Qoobox folder is a back up just in case ComboFix makes a mistake.


There are some older versions of Java on your computer. These can be a source of infection.

[Posted Image
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) - JRE 6 Update 17 -"
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page http://www.java.com/...help/testvm.xml
When all is well, you should see Java Version: 1.6.0_17 from Sun Microsystems Inc.

Some final items:

Follow these steps to uninstall Combofix and all of its files and components.


Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

Make sure there's a space between Combofix and /
Then hit enter.



Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Malware And Spyware Tips

It was a pleasure working with you.

Kenny
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#10 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 07 January 2010 - 01:39 PM

THANKS FOR ALL YOUR HELP!!!

One last question for you though. I noticed when following your last bit of instructions that I had quite a few versions of Java to uninstall. So I'm guessing that whenever I update to a newer version, does that mean that it doesn't uninstall the previous one? Should I always go back and uninstall the older versions after I update java? Thanks again for all the help Kenny94!

#11 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 07 January 2010 - 04:49 PM

It better to remove all of them first:

Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 5
Java 2 Runtime Environment, SE v1.4.1_07


Then install JRE 6 Update 17.

But be sure to do the below, when you remove and installed Java:


  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#12 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 08 January 2010 - 01:49 AM

Bad news, it's back again... It actually managed to disable Malwarebytes. I ran a scan with another program, removed what I could, and then reinstalled and updated Malwarebytes. I included a Hijackthis log from before I ran the first scan (just in case it might help), the log from a Malwarebytes quick scan, and a log from a hijackthis scan after the quick scan was completed.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 9:48:35 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [movanokig] Rundll32.exe "c:\windows\system32\fokazifi.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [SpybotDeletingA8270] command.com /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7911] cmd.exe /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA288] command.com /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC703] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5384] command.com /c del "C:\WINDOWS\wt\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1472] cmd.exe /c del "C:\WINDOWS\wt\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2849] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3578] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4092] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3511] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5587] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7871] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4834] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7133] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5843] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1422] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4716] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5577] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1861] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7606] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9492] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC109] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1248] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8267] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1439] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6515] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5179] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3976] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1516] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4792] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2770] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingC984] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2367] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3906] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9078] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7420] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7261] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3199] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1721] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC685] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1716] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7971] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2546] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3927] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1540] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9322] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA363] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3733] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6141] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7559] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9365] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC909] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5745] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7884] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6798] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6319] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4223] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1416] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9816] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4467] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3924] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2191] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1924] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8609] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1385] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7176] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7046] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9737] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3798] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5959] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9749] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3891] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3006] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2796] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3953] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC83] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2538] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7928] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5202] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4459] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2321] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9486] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8709] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9225] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8926] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9926] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9854] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1325] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4107] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4574] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8494] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA494] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2225] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3558] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2541] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8467] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2769] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3419] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2995] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7862] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC363] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA198] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4967] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA93] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8551] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9790] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7620] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4549] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6989] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3139] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5474] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4209] command.com /c del "C:\WINDOWS\system32\biyedepu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2068] cmd.exe /c del "C:\WINDOWS\system32\biyedepu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9561] command.com /c del "C:\WINDOWS\system32\nuvameje.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6492] cmd.exe /c del "C:\WINDOWS\system32\nuvameje.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2676] command.com /c del "c:\windows\system32\fokazifi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3476] cmd.exe /c del "c:\windows\system32\fokazifi.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB969] command.com /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1119] cmd.exe /c del "C:\WINDOWS\wt\WDInUsePlugin.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2509] command.com /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9859] cmd.exe /c del "C:\WINDOWS\wt\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4795] command.com /c del "C:\WINDOWS\wt\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6910] cmd.exe /c del "C:\WINDOWS\wt\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3055] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2022] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6493] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8617] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4779] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9443] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB152] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1289] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2603] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7915] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2653] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5659] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5386] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4227] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3324] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD227] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8809] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD728] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3911] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5754] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3359] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6500] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5140] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7353] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8445] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9068] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2401] command.com /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5829] cmd.exe /c del "C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3150] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1251] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8194] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2484] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302Java.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4555] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5243] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4353] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8996] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8805] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8240] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\controlPanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7260] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9270] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2635] command.com /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5167] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\install\DRM0302_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1348] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1321] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\actorobject.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9158] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8859] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx5drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5243] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4617] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\dx7drv.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8952] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4567] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\jdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB325] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6222] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\npWTHost.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1921] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1364] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3864] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5049] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\ObjectBundle.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1961] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4048] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\rdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1229] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD81] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Sound.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4610] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2434] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdcaps.ded"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7239] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2690] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wdengine.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4300] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5933] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB282] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8037] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_fileList.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1096] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4557] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\Webd331_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9519] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6159] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB671] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD83] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2505] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5772] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wt3d.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8665] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7953] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHost.exe"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8286] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6990] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\WTHostCtl.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3728] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD337] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8646] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingD169] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtmulti.jar"
O4 - HKCU\..\RunOnce: [SpybotDeletingB338] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5232] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9565] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9248] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ax"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7429] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7047] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtwmplug.ini"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1585] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2429] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\controlPanel\index.html"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5971] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5907] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3719] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD719] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\webdriver.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8174] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7627] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\legacy\wt3d.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3578] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2988] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6620] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3006] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1.cdanfo"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1243] command.com /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1596] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\webd\4.1.1\install\Webd4_1_1_Uninstall.cdas"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7669] command.com /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingD784] cmd.exe /c del "C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1973] command.com /c del "C:\WINDOWS\system32\biyedepu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD583] cmd.exe /c del "C:\WINDOWS\system32\biyedepu.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3044] command.com /c del "C:\WINDOWS\system32\nuvameje.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5704] cmd.exe /c del "C:\WINDOWS\system32\nuvameje.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3545] command.com /c del "c:\windows\system32\fokazifi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2223] cmd.exe /c del "c:\windows\system32\fokazifi.dll_old"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
O15 - Trusted Zone: www.christinamilian.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.9.113.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D9BAD161-5C29-44D7-84B9-920A10D57C24}: NameServer = 193.104.110.38,4.2.2.1,192.168.1.254
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: biyedepu.dll c:\windows\system32\fokazifi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: doyosovis - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--
End of file - 37874 bytes



Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 10:42:34 PM, on 1/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HIJACKTHIS\TrendMicro\HiJackThis\HiJackThis.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=Http://www.alienware.com
O15 - Trusted Zone: www.christinamilian.com
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.9.113.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase5483.cab
O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: biyedepu.dll c:\windows\system32\fokazifi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: doyosovis - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: jugezatag - {ea6c5766-7e6a-48f0-9053-dcc6c1e1c712} - c:\windows\system32\fokazifi.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe (file missing)

--
End of file - 10349 bytes

Attached Files



#13 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 08 January 2010 - 06:08 AM

Hi bigwilltillidie

If you look at your MBAM report. You'll see "No action taken" you might have posted this before you "clicked Remove Selected" or you did not made sure that everything was checked, and click Remove Selected. Lets hope for the latter.. Make sure that everything is checked, and click Remove Selected and reboot your computer. Also, are you getting redirected to any sites as before and can you run Windows update?


Please disable Tea Timer by right clinking it's icon in the system tray and selecting "disable Spybot S&D resident". It will reload on the next reboot without the you having to re-enable it.


  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#14 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 08 January 2010 - 04:35 PM

Yeah I just forgot to hit remove selected before I got a copy of the log is all. Here's a new one for you. And no I haven't had any problems with windows update this time around

Attached Files



#15 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 08 January 2010 - 04:57 PM

Your HJT log is showing an infection. Lets run ComboFix again. Since vundo is there.

Please download ComboFix from Here or [url="http://"http://download.bleepingcomputer.com/sUBs/ComboFix.exe"]Here[/url] to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files.
  • During the download, rename Combofix to Combo-Fix as follows:

    Posted Image

    Posted Image

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\Combo-Fix.txt along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#16 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 09 January 2010 - 01:05 PM

Here you go

Attached Files



#17 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 12 January 2010 - 03:23 PM

Hi bigwilltillidie, sorry for the delay. I never received a Topic Reply Notification..... ;)

Open Notepad and copy and paste the text in the code box below into it:

File:: 
c:\documents and settings\Will\Application Data\FrostWire
Folder:: 
c:\\Program Files\\FrostWire
Registry:: 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] 
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


Posted Image


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Next

Please do an online scan with Kaspersky WebScanner

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

In your next reply, please include these log(s):

Combofix.txt
Kaspersky Report


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#18 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 13 January 2010 - 02:03 AM

No noticeable problems recently. Looks like the Kaspersky scan found a couple bugs though

Attached Files



#19 Kenny94

Kenny94

    Malware Fighter

  • Experts
  • PipPipPipPipPipPip
  • 2,655 posts
  • Gender:Male
  • Location:S.C USA
  • Interests:The workings of Apple's tablets and all PC'S

    Computing is not about computers any more. It is about living.
    ~Nicholas Negroponte

Posted 13 January 2010 - 07:25 AM

Lets see if their there.


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files (if present):

C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\16
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\49


Some final items:


Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
    Posted Image
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

Malware And Spyware Tips

Also see here for system improvement: Help! My computer is slow!


It was a pleasure working with you again bigwilltillidie.

Kenny (Kenny94)
My Blog On Malware And Security Tips

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click the PayPal button Posted Image

#20 bigwilltillidie

bigwilltillidie

    New Member

  • Members
  • Pip
  • 12 posts

Posted 13 January 2010 - 02:31 PM

I managed to delete those files. And for some reason Combofix already seemed to be uninstalled from my system, don't remember doing it though. Thanks for the help again, I'll keep my fingers crossed it stays gone this time




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users