[inactive] Pop-ups, adware, help: HJT log

I've been getting a lot of pop-ups and things downloading by themselves, and Ad-Aware SE can't delete them. I really need help. I have my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:53 PM, on 9/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\qcssjqe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\qcssjqeA.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\faja4\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.incredimail.com/english
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vaehd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hvllnaw.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [qcssjqeA] C:\WINDOWS\qcssjqeA.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QQ\command.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qcssjqe.exe

Comments

  • jmoney3457 (Maine)
    edited September 2006
    Hi faja, please go to http://virusscan.jotti.org/ and submit the following files for a scan, then copy/paste the results for EACH file in your next reply. Remember you can only upload ONE (1) file at a time, and after each scan it will provide you with the results. Here are the 3 files:
    • C:\WINDOWS\System32\vaehd.exe
    • C:\WINDOWS\system32\hvllnaw.exe
    • C:\WINDOWS\qcssjqeA.exe
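The three files asked for above come straight from the log's F2 Shell=/UserInit= lines and its O4/O23 entries. As an added example (not from the thread, the helper, or HijackThis itself), this Python script applies that triage to a constructed excerpt of the posted log and generalizes it a little: extra Shell=/UserInit= entries, rundll32 loading a DLL by bare name, autoruns dropped directly into C:\WINDOWS, services with an unknown owner, and orphaned toolbars. The rules are my own heuristics, and a hit only means "submit this file to a scanner", which is exactly what the helper did.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the first HijackThis log posted in this thread (sample input only).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\qcssjqe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\qcssjqeA.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\vaehd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hvllnaw.exe
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
O4 - HKLM\..\Run: [qcssjqeA] C:\WINDOWS\qcssjqeA.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qcssjqe.exe
"""

@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section prefix: F2, O3, O4, O23
    item: str      # file, DLL or entry name the finding is about
    reason: str    # heuristic that fired (these rules are mine, not HijackThis's own)
    running: bool  # True if the same file also appears under "Running processes"

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _in_windows_root(path: str) -> bool:
    # Executables dropped directly into C:\WINDOWS (not a subfolder) are unusual for legitimate autoruns.
    p, prefix = path.lower(), "c:\\windows\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]

def _first_token(command: str) -> str:
    # Executable part of a Run-key command line, honouring a quoted path.
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def _running_processes(lines):
    procs, collecting = set(), False
    for line in lines:
        if line.strip().lower() == "running processes:":
            collecting = True
        elif collecting and not line.strip():
            break
        elif collecting:
            procs.add(_basename(line.strip()))
    return procs

def triage(log_text: str):
    """Apply the triage heuristics to one HijackThis log and return the findings."""
    lines = log_text.splitlines()
    running = _running_processes(lines)
    findings = []

    def add(section, item, reason):
        findings.append(Finding(section, item, reason, _basename(item) in running))

    for raw in lines:
        line = raw.strip()
        if m := re.match(r"^F2 - REG:system\.ini: Shell=(.*)$", line):
            # Only Explorer.exe belongs in Shell=; anything else is an extra shell.
            for entry in (e.strip() for e in m.group(1).split(",")):
                if entry and _basename(entry) != "explorer.exe":
                    add("F2", entry, "extra shell in system.ini Shell=")
        elif m := re.match(r"^F2 - REG:system\.ini: UserInit=(.*)$", line):
            # Only userinit.exe belongs here; extra entries run at every logon.
            for entry in (e.strip() for e in m.group(1).split(",")):
                if entry and _basename(entry) != "userinit.exe":
                    add("F2", entry, "extra entry in UserInit=")
        elif m := re.match(r"^O4 - \S+: \[(.*?)\] (.*)$", line):
            command = m.group(2)
            target, parts = _first_token(command), command.split(None, 1)
            if _basename(target) == "rundll32.exe" and len(parts) == 2:
                dll = parts[1].split(",")[0].strip()
                if "\\" not in dll:   # bare DLL name: resolved via the search path
                    add("O4", dll, "rundll32 loads a DLL by bare name (no path)")
            elif _in_windows_root(target):
                add("O4", target, "autorun executable directly in Windows root")
        elif m := re.match(r"^O23 - Service: (.*?) - (.*?) - (.*)$", line):
            if m.group(2).strip().lower() == "unknown owner":
                add("O23", m.group(3).strip(), "service with unknown owner")
        elif m := re.match(r"^O3 - Toolbar: (.*?) - \{.*?\} - \(no file\)$", line):
            add("O3", m.group(1).strip(), "orphaned toolbar entry (file missing)")
    return findings

def files_to_scan(findings):
    # Distinct file names worth submitting to a multi-engine scanner such as Jotti.
    return sorted({_basename(f.item) for f in findings if f.section != "O3"})

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<3} {f.item:<40} {f.reason}{' [RUNNING]' if f.running else ''}")
    print("submit for scanning:", ", ".join(files_to_scan(results)))
```

On the excerpt the script lists the helper's three files plus qcssjqe.exe (unknown-owner service, and running) and the bare w2f5652d.dll loaded through rundll32.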
  • edited September 2006
    Scan for C:\WINDOWS\System32\vaehd.exe:
    AntiVir Found Trojan/Dldr.Qoolog.bj.3
    ArcaVir Found Trojan.Downloader.Qoologic.Bj
    Avast Found Win32:Qoologic-AI
    AVG Antivirus Found Downloader.Generic.ZIV
    BitDefender Found Trojan.Downloader.Qoologic.BC
    ClamAV Found nothing
    Dr.Web Found Trojan.Qoologic
    F-Prot Antivirus Found W32/Downloader.SJB
    Fortinet Found W32/Qoologic.BJ!tr.dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.bj
    NOD32 Found Win32/TrojanDownloader.Qoologic.BJ
    Norman Virus Control Found W32/Qoologic.HW
    UNA Found TrojanDownloader.Win32.Qoologic
    VirusBuster Found Trojan.DL.Qoologic.AI1
    VBA32 Found Trojan-Downloader.Win32.Qoologic.bj
    Scan for C:\WINDOWS\system32\hvllnaw.exe:
    AntiVir Found Trojan/Dldr.Qoologic.BJ
    ArcaVir Found Trojan.Downloader.Qoologic.Bj
    Avast Found Win32:Qoologic-AH
    AVG Antivirus Found Downloader.Generic.VPJ
    BitDefender Found Trojan.Downloader.Qoologic.BC
    ClamAV Found nothing
    Dr.Web Found Trojan.Qoologic
    F-Prot Antivirus Found W32/Downloader.SKG
    Fortinet Found W32/Qoologic.BJ!tr.dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Qoologic.bj
    NOD32 Found Win32/TrojanDownloader.Qoologic.BJ
    Norman Virus Control Found W32/Qoologic.HU
    UNA Found TrojanDownloader.Win32.Qoologic
    VirusBuster Found Trojan.DL.Qoologic.AF
    VBA32 Found Trojan-Downloader.Win32.Qoologic.bj
    Scan for C:\WINDOWS\qcssjqeA.exe:
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found Dloader.S!tr
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found W32/DLoader.AXWN
    UNA Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.VB.3 (probable variant)
  • jmoney3457 (Maine)
    edited September 2006
    Ah, Qoologic. Don't worry, we'll zap this. Please do the following for Qoologic:
    Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
    1. Unzip all files to a convenient location such as C:\Qoofix.
    2. Go to the folder you unzipped all files and run Qoofix.exe.
    3. Click Begin Removal and wait for the scan to finish.
    4. If an infection has been found, select yes to restart your computer.

    Finally post a new HijackThis log and the contents of the Qoofix logfile.
  • edited September 2006
    OK, well, I ran the Qoologic fix thing and it found quite a few and said it deleted them all... It restarted, and I didn't realize you said to post the results for it, and I deleted it... but here's my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 8:39:52 PM, on 9/27/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\QQ\command.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\qcssjqe.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\qcssjqeA.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\faja4\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.incredimail.com/english
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O3 - Toolbar: &VSToolBar - {821F87FF-8245-4972-9E28-732E92EC2F51} - C:\Program Files\VSToolbar\VSToolBar.dll
    O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
    O4 - HKLM\..\Run: [firuds] C:\WINDOWS\System32\fqnddu.exe reg_run
    O4 - HKLM\..\Run: [qcssjqeA] C:\WINDOWS\qcssjqeA.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QQ\command.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\qcssjqe.exe
  • jmoney3457 (Maine)
    edited September 2006
    That's OK as long as it deleted them like you said, but when you say "deleted", do you mean you just X'd out the log window or deleted the Qoofix folder? Because if you just X'd out the log window you can still obtain the report from the Qoofix folder. If that's the case, please try to obtain it from the Qoofix folder (should be on your C drive or local disk) and post it back here. Also, please do the following either way --> Download Avenger from here:
    http://swandog46.geekstogo.com/

    Open the program. Check the 'Input script manually' option.
    Click the Magnifying Glass icon.
    In the box that opens, paste this:

    Files to delete:
    C:\WINDOWS\qcssjqe.exe
    C:\WINDOWS\qcssjqeA.exe


    and click 'Done'.

    Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.

    Post the Avenger output.txt, which you can find at C:\Avenger\.txt
  • edited September 2006
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ohyklsii

    *******************

    Script file located at: \??\C:\Program Files\dglypleo.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\qcssjqe.exe deleted successfully.
    File C:\WINDOWS\qcssjqeA.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
  • jmoney3457 (Maine)
    edited September 2006
    OK, good, but faja, did you see this part of my last post -->
    jmoney3457 wrote:
    but when you say "deleted", do you mean you just X'd out the log window or deleted the Qoofix folder? Because if you just X'd out the log window you can still obtain the report from the Qoofix folder. If that's the case, please try to obtain it from the Qoofix folder (should be on your C drive or local disk) and post it back here
    what's the case on that?
  • edited September 2006
    I deleted it from my computer. I'm sorry, I forgot about that... I'm still getting pop-ups and things downloading themselves, though...
  • jmoney3457 (Maine)
    edited September 2006
    No biggie, as long as it deleted those like you say, which I'm sure it did because you did have a Qoo infection. But let's continue --> First download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware. Do NOT run a scan just yet; we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
    2. Launch ewido anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted; then select "Apply all actions".
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
  • edited September 2006
    OK, I did as told... and when I restarted my comp after the scan I got a message saying "Error loading w2F5652dll: the specified module could not be found"... and every second ewido pops up telling me I have spyware or something; it's called adware.virtumundo and found in C:\WINDOWS\SYSTEM32\GEBBXXW.DLL
    ewido anti-spyware - Scan Report

    + Created at: 11:51:34 PM 9/29/2006

    + Scan result:



    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun3.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\{6CBD7E79-044E-1033-0626-010712000001}\Update.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\WINDOWS\thiselt.exe -> Adware.Agent : Cleaned with backup (quarantined).
    C:\Documents and Settings\All Users.WINDOWS\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stub_sca4.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\WINDOWS\xihzdyns.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
    C:\WINDOWS\QQ\__delete_on_reboot__c_o_m_m_a_n_d_._e_x_e_ -> Adware.CommAd : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\drsmartload180a.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\en46l1hs1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\mkrdim.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\mwl_hp.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\rwipxmib.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\mmxp2passion.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\mit73.tmp.cab/NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\mit73.tmp/NNBar_VCSetup_876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\lql.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\1LVHNCZQ\MirarSetup_876057[1].exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\WINDOWS\MirarSetup_876057.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\i5.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\i72.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\i76.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun11.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\WD4PQVOL\1205[1].exe -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\WINDOWS\1205.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\WINDOWS\DXCecho.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
    C:\Program Files\ToolBar888 -> Adware.ToolBar888 : Cleaned with backup (quarantined).
    C:\Program Files\ToolBar888\Activate.exe -> Adware.ToolBar888 : Cleaned with backup (quarantined).
    C:\Program Files\ToolBar888\MyToolBar.dll -> Adware.ToolBar888 : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\gebbxxw.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\RarSFX0\webhdll.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
    C:\Program Files\webHancer -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\Program Files\webHancer\Programs -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\Program Files\webHancer\Programs\sporder.dll -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\Program Files\webHancer\whAgent_update.exe -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned with backup (quarantined).
    C:\WINDOWS\TIELT001.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\pwinppes.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\eltfuntarg.exe -> Backdoor.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun2.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\OPO5EN4L\nwnmff_e[1].exe -> Downloader.Adload.fv : Cleaned with backup (quarantined).
    C:\drsmartload.exe -> Downloader.Adload.fv : Cleaned with backup (quarantined).
    C:\nwnmff_e14.exe -> Downloader.Adload.fv : Cleaned with backup (quarantined).
    C:\topaff.exe -> Downloader.Agent.aqx : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\aaa00000.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\afxec6fa.dll -> Downloader.Agent.awb : Cleaned with backup (quarantined).
    C:\WINDOWS\srvocgxfew.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun17.exe -> Downloader.Harnig.co : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\WіnSxS\msconfig.exe -> Downloader.PurityScan.cx : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\f49829040.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\pss\xxaej.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\__delete_on_reboot__w_2_f_5_6_5_2_d_._d_l_l_ -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w2f5c50f.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w2f73a68.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w2f7fba7.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\w2f82cf1.dll -> Downloader.Small : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun4.exe -> Downloader.Small.auy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun5.exe -> Downloader.Small.auy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun12.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\VYSBFDOX\idlemg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\MTE3NDI6ODoxNgnew.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\WINDOWS\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun6.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
    C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
    C:\WINDOWS\ac3_0018.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun16.exe -> Downloader.Small.dtc : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun14.exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
    C:\WINDOWS\win32080918243580.exe -> Downloader.VB.anl : Cleaned with backup (quarantined).
    C:\avenger\backup.zip/avenger/qcssjqe.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun13.exe -> Hijacker.Small.ja : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\pono.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\Program Files\WindowsUpdate\meleci.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\LKJYMBJA\dfndrff_e_uit[1].exe -> Hijacker.VB.kc : Cleaned with backup (quarantined).
    C:\dfndrff_e14.exe -> Hijacker.VB.kc : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Local Settings\Temp\pre.exe -> Hijacker.VB.pg : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Local Settings\Temporary Internet Files\Content.IE5\30HX780K\SysProtectScannerInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Local Settings\Temporary Internet Files\Content.IE5\Q1LU369W\ErrorSafeNewReleaseInstall[1].cab/UERS_9999_N91S2507NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Local Settings\Temporary Internet Files\Content.IE5\Q1LU369W\ErrorSafeNewReleaseInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Local Settings\Temporary Internet Files\Content.IE5\VT0S8RVV\WinAntiSpyware2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
    C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
    C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@image.masterstats[2].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Ant\Cookies\ant@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jojo.DESKTOP-JBJNR9B\Cookies\jojo@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\Documents and Settings\faja4\Cookies\faja4@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINDOWS\sys101824358009.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
    C:\WINDOWS\uni_ehhhh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
    C:\WINDOWS\uninst104.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


    ::Report end
  • jmoney3457 Maine
    edited September 2006
    Wow, some nasties removed, that's good. Now please run the following scan and have it remove what it finds (no log is created, so don't worry about posting one), then reboot and post a new HJT log along with whether it found anything --> http://www.xblock.com/download/xclean_micro.exe
  • edited October 2006
    OK, now I need help. I can't open Internet Explorer, I can't get into My Computer, I can't get into the Control Panel, I can't even get into the folder where my HijackThis is!!
  • jmoney3457 Maine
    edited October 2006
    Do you have Firefox or another browser other than IE? If so, try doing the scan from that browser.
  • edited October 2006
    I don't, but here's what I did. I started in safe mode and went into Add/Remove Programs and deleted 2 things that weren't supposed to be there, then I saved that program to scan on a disk, loaded it onto my computer from another one and ran it, and it found CMD service, downloader-a, error safe, kiwi alpha, open forum, popper-jhertz, search click ads, viewpoint media toolbar, web hancer, win32/VB.DA, and zeno search assistant. Then I restarted and ran Ad-Aware SE; I don't know what it found because my son went on the computer. Here's my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 3:34:22 PM, on 10/2/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\faja4\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.incredimail.com/english
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
    O4 - HKLM\..\Run: [firuds] C:\WINDOWS\System32\fqnddu.exe reg_run
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • edited October 2006
    I just ran Ad-Aware and it found 121 objects, so I feel the need to post a new HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 4:01:02 PM, on 10/2/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\faja4\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.incredimail.com/english
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
    O4 - HKLM\..\Run: [firuds] C:\WINDOWS\System32\fqnddu.exe reg_run
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cab
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\hpzipm12.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
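    The HJT logs in this thread are triaged by eye, entry by entry. As an added example (not code from the thread, from HijackThis or from any of the tools mentioned), here is a small Python script that parses HJT-style lines into their section codes and flags the two things a helper looks at first: registered components whose file is gone ("(no file)", like the R3 and O3 entries above) and O4 Run entries that launch an executable directly out of C:\WINDOWS or System32, or load a DLL through RUNDLL32 by bare name, as the [firuds] and [afxec6fa] entries do. The sample lines are copied from the log posted above; the flag names and the heuristics are my own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.incredimail.com/english
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [afxec6fa] RUNDLL32.EXE w2f5652d.dll,n 004ec6f6000000122f5652d
O4 - HKLM\..\Run: [firuds] C:\WINDOWS\System32\fqnddu.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HJT entry starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 bodies look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")

# Assumed heuristic: user applications normally do not autorun straight from these directories.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse(text: str) -> list:
    """Split HJT log text into Entry objects, ignoring header and process-list lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def split_command(command: str) -> tuple:
    """Return (executable, arguments) from a Run value; honours a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    exe, _, args = command.partition(" ")
    return exe, args.strip()


def triage(entries: list) -> list:
    """Attach flags to suspicious entries (heuristics are assumptions, see lead-in)."""
    for e in entries:
        if "(no file)" in e.body:
            # Registry still references a component whose file is missing on disk.
            e.flags.append("orphan")
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m:
                exe, args = split_command(m["command"])
                parent = exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""
                if parent in SYSTEM_DIRS:
                    e.flags.append("runs-from-system-dir")
                first_arg = args.split(" ", 1)[0] if args else ""
                if exe.lower().endswith("rundll32.exe") and first_arg and "\\" not in first_arg:
                    # rundll32 given a DLL by bare name: resolved via search path, not a fixed file.
                    e.flags.append("rundll32-bare-dll")
    return entries


def flagged(text: str) -> list:
    """Return [(section, flags)] for every entry that picked up at least one flag."""
    return [(e.section, e.flags) for e in triage(parse(text)) if e.flags]


if __name__ == "__main__":
    for section, flags in flagged(SAMPLE_LOG):
        print(section, ", ".join(flags))
```

    Run against the sample, the script reports the two orphaned entries and the two O4 lines that the helper in this thread would ask about; the Yahoo!, ewido and Zone Labs entries pass through unflagged. Whether a flagged file is actually malicious is still a judgment call, which is why the helpers ask for fresh logs after each cleaning step.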
  • jmoney3457 Maine
    edited October 2006
    1. Please Download and install Superantispyware
    http://www.superantispyware.com/down...NTISPYWAREFREE
    Load Superantispyware and click the check for updates button.
    Once the update is finished, close SuperAntispyware again; we'll perform the scan later in safe mode.

    * Start Superantispyware.
    Click the scan your computer button.
    Check Perform Complete Scan and then next.
    Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
    Make sure that they all have a check next to them and press next.
    Click finish and you will be taken back to the main interface.
    Click Preferences and then click the statistics/logs tab. Click the dated log and press view log; a text file will appear. Post that log in your next reply.


    2. Also download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • edited October 2006
    faja4 - 06-10-02 18:07:34.51 Service Pack 1
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\faja4\Desktop"

    ((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

    REGISTRY ENTRIES REMOVED:

    [HKEY_CLASSES_ROOT\CLSID\{7364C13D-FFDE-4DCA-B858-6B454F0BE6B4}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7364C13D-FFDE-4DCA-B858-6B454F0BE6B4}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7364C13D-FFDE-4DCA-B858-6B454F0BE6B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{7364C13D-FFDE-4DCA-B858-6B454F0BE6B4}\InprocServer32]
    @="C:\\WINDOWS\\system32\\guard.tmp"
    "ThreadingModel"="Apartment"

    * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    Granting sedebugprivilege to Administrators ... successful


    ((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


    * * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


    06-09-25 21:14 52 vwbpnl.dat.qoo

    DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\aaa00000.sys
    C:\Documents and Settings\LocalService.NT AUTHORITY\Application Data\NetMon
    C:\Program Files\Deskbar
    C:\Program Files\Common Files\{6CBD7E79-044E-1033-0626-010712000001}

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1
    C:\QooBox\Purity\Program Files\Common Files\WNSXS~1\W?nSxS


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


    2006-10-02 18:01 86,068 --a C:\WINDOWS\system32\xlunhkma.dll
    2006-10-02 17:38 843,412 ---hs---- C:\WINDOWS\system32\vxycf.ini2
    2006-10-02 16:52 0 --a C:\WINDOWS\system32\cmmgr32.exe
    2006-10-02 13:31 143,380 --a C:\WINDOWS\system32\tiwokrlk.exe
    2006-09-27 19:07 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
    2006-09-27 07:28 843,068 ---hs---- C:\WINDOWS\system32\vxycf.bak2
    2006-09-26 07:28 89,088 --a C:\WINDOWS\system32\atl71.dll
    2006-09-26 07:28 499,712 --a C:\WINDOWS\system32\msvcp71.dll
    2006-09-26 07:28 1,060,864 --a C:\WINDOWS\system32\mfc71.dll
    2006-09-26 07:27 838,955 ---hs---- C:\WINDOWS\system32\vxycf.bak1
    2006-09-26 07:27 143,380 --a C:\WINDOWS\system32\lqkbaaxj.exe
    2006-09-25 21:15 919 --a C:\WINDOWS\system32\winpfg32.sys
    2006-09-25 21:13 443 --a C:\WINDOWS\eltkt.dll
    2006-09-25 21:12 1,233 --a C:\WINDOWS\system32\afxec6fa.sys
    2006-09-03 17:46 94,208 --a C:\WINDOWS\system32\HPZipt12.dll
    2006-09-03 17:46 61,699 --a C:\WINDOWS\system32\HPZinw12.exe
    2006-09-03 17:46 57,344 --a C:\WINDOWS\system32\HPZisn12.dll
    2006-09-03 17:46 306,688 --a C:\WINDOWS\IsUninst.exe
    2006-09-03 17:43 6,784 --a C:\WINDOWS\system32\drivers\serscan.sys
    2006-09-03 17:21 12,928 --a C:\WINDOWS\system32\drivers\Dot4Prt.sys
    2006-09-03 17:20 23,808 --a C:\WINDOWS\system32\drivers\Dot4usb.sys
    2006-09-03 17:20 205,056 --a C:\WINDOWS\system32\drivers\Dot4.sys
    2006-09-03 17:18 182,880 --a C:\WINDOWS\system32\iuenginenew.dll


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-02 18:10 d C:\Program Files\Common Files
    2006-10-02 18:00 d--h C:\Program Files\BHO Plugin
    2006-10-02 18:00 d C:\Program Files\PSDream
    2006-10-02 16:43 d C:\Program Files\SUPERAntiSpyware
    2006-10-02 16:43 d C:\Program Files\Common Files\Wise Installation Wizard
    2006-10-02 16:43 d C:\Documents and Settings\faja4\Application Data\SUPERAntiSpyware.com
    2006-10-02 13:43 d C:\Documents and Settings\faja4\Application Data\Lavasoft
    2006-10-02 12:52 d C:\Program Files\ewido anti-spyware 4.0
    2006-09-30 22:23 d C:\Documents and Settings\faja4\Application Data\Help
    2006-09-29 23:51 d--h C:\Program Files\WindowsUpdate
    2006-09-27 18:59 d C:\Program Files\Internet Explorer
    2006-09-27 18:31 d C:\Program Files\Symantec
    2006-09-27 18:31 d C:\Program Files\Common Files\Symantec Shared
    2006-09-25 22:29 d C:\Program Files\Messenger
    2006-09-25 21:14 d C:\Program Files\PartyPoker
    2006-09-21 22:34 d C:\Program Files\Windows Media Player
    2006-09-14 10:01 d--h C:\Program Files\InstallShield Installation Information
    2006-09-14 10:00 d C:\Documents and Settings\faja4\Application Data\Verizon
    2006-09-11 17:48 d---s---- C:\Documents and Settings\faja4\Application Data\Microsoft
    2006-09-09 21:45 d C:\Documents and Settings\faja4\Application Data\Sun
    2006-09-03 23:25 d C:\Program Files\QuickTime
    2006-09-03 17:55 d C:\Program Files\Common Files\Microsoft Shared
    2006-09-03 17:46 d C:\Program Files\hp
    2006-09-03 17:34 d C:\Program Files\Hewlett-Packard
    2006-08-30 22:31 d C:\Program Files\Java
    2006-08-25 10:42 d C:\Documents and Settings\faja4\Application Data\Aim
    2006-08-24 16:51 d C:\Program Files\Zone Labs
    2006-08-24 16:40 d C:\Program Files\AOD
    2006-08-24 16:40 d C:\Program Files\AIM
    2006-08-24 16:17 d C:\Program Files\Lavasoft
    2006-08-24 16:09 d C:\Program Files\Common Files\AOL
    2006-08-24 16:08 d C:\Program Files\AOL
    2006-08-24 16:05 d C:\Documents and Settings\faja4\Application Data\acccore
    2006-08-24 15:50 dr-h C:\Documents and Settings\faja4\Application Data\yahoo!
    2006-08-22 07:37 d C:\Program Files\Verizon
    2006-08-20 17:59 d C:\Documents and Settings\faja4\Application Data\Macromedia
    2006-08-20 17:54 d C:\Program Files\IncrediMail
    2006-08-20 13:40 d C:\Documents and Settings\faja4\Application Data\Identities
    2006-08-20 13:18 d C:\Program Files\Outlook Express
    2006-08-20 13:18 d C:\Program Files\NetMeeting
    2006-08-20 13:18 d C:\Program Files\Common Files\System
    2006-08-20 13:17 d C:\Program Files\Movie Maker
    2006-08-20 13:14 d C:\Program Files\Windows NT
    2006-08-20 09:40 d C:\Program Files\Norton Personal Firewall
    2006-08-20 08:57 62 --ahs---- C:\Documents and Settings\faja4\Application Data\desktop.ini
    2006-08-14 12:21 d C:\Program Files\CheckIt
    2006-08-14 12:14 d C:\Program Files\Norton SystemWorks
    2006-08-10 00:56 d C:\Program Files\Winamp


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
    "{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
    "item"="Microsoft Office"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^xxaej.exe]
    "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\xxaej.exe"
    "backup"="C:\\WINDOWS\\pss\\xxaej.exeCommon Startup"
    "location"="Common Startup"
    "command"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\xxaej.exe"
    "item"="xxaej"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Ant^Start Menu^Programs^Startup^TA_Start.lnk]
    "path"="C:\\Documents and Settings\\Ant\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
    "backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
    "location"="Startup"
    "command"="C:\\WINDOWS\\TIELT001.exe ELT001"
    "item"="TA_Start"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Ant^Start Menu^Programs^Startup^Think-Adz.lnk]
    "path"="C:\\Documents and Settings\\Ant\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
    "backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
    "location"="Startup"
    "command"="C:\\WINDOWS\\system32\\pwinppes.exe ELT001"
    "item"="Think-Adz"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AIM]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="aim"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\bfyve]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="fqnddu"
    "hkey"="HKCU"
    "command"="C:\\WINDOWS\\System32\\fqnddu.exe reg_run"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cfg32"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\cfg32.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ExploreUpdSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="pwinppes"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\pwinppes.exe ELT001"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\firuds]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="fqnddu"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\System32\\fqnddu.exe reg_run"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iffz]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="stdrun14"
    "hkey"="HKCU"
    "command"="C:\\DOCUME~1\\Ant\\LOCALS~1\\Temp\\stdrun14.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IncrediMail]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="IncMail"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iobi]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="iobiClient"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Verizon\\iobi\\iobiClient.exe -AS"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="topaff"
    "hkey"="HKLM"
    "command"="c:\\topaff.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms068009182435]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="ms068009182435"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\ms068009182435.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="nwnmff_e14"
    "hkey"="HKLM"
    "command"="c:\\\\nwnmff_e14.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="thiselt"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\thiselt.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSDream]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PSDream"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\PSDream\\PSDream.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qcssjqeA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qcssjqeA"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\qcssjqeA.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="qttask"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="jusched"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys101824358009]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="sys101824358009"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\sys101824358009.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="MirarSetup_876057"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\MirarSetup_876057.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\win32080918243580]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="win32080918243580"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\win32080918243580.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YAHOOM~1"
    "hkey"="HKCU"
    "command"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Completion time: Mon 10/02/2006 18:20:44.61
    ComboFix.txt


    SUPERAntiSpyware Scan Log
    Generated 10/02/2006 at 05:47 PM

    Core Rules Database Version : 3096
    Trace Rules Database Version: 1123

    Memory threats detected : 3
    Registry threats detected : 39
    File threats detected : 287

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\FCYXV.DLL
    C:\WINDOWS\SYSTEM32\FCYXV.DLL
    HKLM\Software\Classes\CLSID\{53724C97-75CD-4C57-9B4E-715C8DA9BF3E}
    HKCR\CLSID\{53724C97-75CD-4C57-9B4E-715C8DA9BF3E}
    HKCR\CLSID\{53724C97-75CD-4C57-9B4E-715C8DA9BF3E}\InprocServer32
    HKCR\CLSID\{53724C97-75CD-4C57-9B4E-715C8DA9BF3E}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53724C97-75CD-4C57-9B4E-715C8DA9BF3E}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\fcyxv

    Trojan.Downloader-LargeInterest
    C:\WINDOWS\SYSTEM32\GEBBXXW.DLL
    C:\WINDOWS\SYSTEM32\GEBBXXW.DLL
    HKLM\Software\Classes\CLSID\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}
    HKCR\CLSID\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}
    HKCR\CLSID\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}\InprocServer32
    HKCR\CLSID\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\gebbxxw

    Trojan.Virtumonde
    C:\WINDOWS\SYSTEM32\ISXHIBOC.DLL
    C:\WINDOWS\SYSTEM32\ISXHIBOC.DLL

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}

    Adware.DeluxeCommunications
    HKU\S-1-5-21-1214440339-152049171-1060284298-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{A8BD6820-6ED7-423E-9558-2D1486B0FEEA}
    C:\Documents and Settings\Ant\Application Data\Dxcuknwrd.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009264.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009265.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009266.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009318.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009319.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009320.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009331.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010720.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010721.exe

    Adware.Tracking Cookie

    Trojan.Windows Overlay Components/SysMon
    C:\WINDOWS\offun.exe

    Adware.MediaMotor
    HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}
    HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\ProxyStubClsid
    HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\ProxyStubClsid32
    HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\TypeLib
    HKCR\Interface\{597AA130-F00B-40B8-ADAF-529D4DA9BE52}\TypeLib#Version
    HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}
    HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\ProxyStubClsid
    HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\ProxyStubClsid32
    HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\TypeLib
    HKCR\Interface\{7682C1A6-C500-4C78-93B9-5A76A91520F8}\TypeLib#Version
    C:\WINDOWS\mm06y.ini
    C:\Program Files\popupwithcast\Cast.dll
    C:\Program Files\popupwithcast\CastAux.dll
    C:\Program Files\popupwithcast\CastGen\Ant\f45187eb84d06.dat
    C:\Program Files\popupwithcast\CastGen\Ant
    C:\Program Files\popupwithcast\CastGen\h45187ea829.dat
    C:\Program Files\popupwithcast\CastGen\u45187eaa4ae1.dat
    C:\Program Files\popupwithcast\CastGen
    C:\Program Files\popupwithcast\CastStat\cast.dat
    C:\Program Files\popupwithcast\CastStat
    C:\Program Files\popupwithcast\CastSys\log.txt
    C:\Program Files\popupwithcast\CastSys
    C:\Program Files\popupwithcast\cload.dat
    C:\Program Files\popupwithcast\cp.dat
    C:\Program Files\popupwithcast\csys.dat
    C:\Program Files\popupwithcast\septpop06apsept.exe
    C:\Program Files\popupwithcast

    Adware.Elite Media
    C:\WINDOWS\em06y.ini
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009302.ocx

    Adware.Toolbar888
    HKCR\CLSID\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A}
    HKCR\CLSID\{CBCC61FA-0221-4ccc-B409-CEE865CACA3A}\ProgID
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{CBCC61FA-0221-4ccc-B409-CEE865CACA3A}

    Trojan.DollarRevenue
    C:\WINDOWS\newname.dat

    Browser Hijacker.Deskbar
    HKCR\DBTB00001.DeskbarEnabler
    HKCR\DBTB00001.DeskbarEnabler\CLSID
    HKCR\DBTB00001.DeskbarEnabler.1
    HKCR\DBTB00001.DeskbarEnabler.1\CLSID
    C:\deskbar.exe
    C:\deskbar_e13.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009279.dll

    Adware.VSToolbar
    HKU\S-1-5-21-1214440339-152049171-1060284298-1003\Software\Search Toolbar Corp
    C:\Program Files\VSToolbar\VSToolBar.dll
    C:\Program Files\VSToolbar
    C:\Documents and Settings\faja4\Application Data\SearchToolbarCorp\Toolbar Vision\PageHistory.txt
    C:\Documents and Settings\faja4\Application Data\SearchToolbarCorp\Toolbar Vision\WebHistory.txt
    C:\Documents and Settings\faja4\Application Data\SearchToolbarCorp\Toolbar Vision
    C:\Documents and Settings\faja4\Application Data\SearchToolbarCorp
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP45\A0011791.dll

    Adware.SysMon
    C:\921_135.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP41\A0010656.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP42\A0010670.exe

    Adware.ClickSpring
    C:\Documents and Settings\Ant\Application Data\SSTEM3~1\PLORER~1.EXE
    C:\Program Files\Common Files\WNSXS~1\msconfig.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010706.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010740.dll

    Adware.webHancer
    C:\Documents and Settings\Ant\Local Settings\Temp\RarSFX0\whAgent.exe
    C:\Documents and Settings\Ant\Local Settings\Temp\RarSFX0\whiehlpr.dll
    C:\Documents and Settings\Ant\Local Settings\Temp\RarSFX0\whInstaller.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009287.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009288.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009290.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009300.exe

    Trojan.Freeprod
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun15.exe

    Trojan.Downloader-Affiliate/Gen
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun162560.exe

    Trojan.Enhance
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun7.exe

    Trojan.Downloader-AutoSearch
    C:\Documents and Settings\Ant\Local Settings\Temp\stdrun8.exe

    Trojan.BHOPlugin/Terp
    C:\Documents and Settings\Ant\Local Settings\Temp\uninstall.exe
    C:\Program Files\BHO Plugin\plugin.dll
    C:\Program Files\BHO Plugin\uninstall.exe

    Adware.ClickSpring/Yazzle
    C:\Documents and Settings\Ant\Local Settings\Temp\YazzleBundle-1281.exe
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

    Trojan.ZenoSearch
    C:\Documents and Settings\Ant\Local Settings\Temporary Internet Files\Content.IE5\OPO5EN4L\es[1].exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010739.exe

    Trojan.ErrorSafe
    C:\Documents and Settings\faja4\Local Settings\Temp\ErrorSafeScannerSetup.exe
    C:\Documents and Settings\faja4\Local Settings\Temp\NI.UERS_9999_N91S2507\setup.exe

    Trojan.Downloader-DoWork
    C:\Documents and Settings\Joe\Local Settings\Temp\wqgaepnd.dll
    C:\WINDOWS\system32\loacrbrt.dll
    C:\WINDOWS\system32\rbprjewl.dll

    Adware.FullContext
    C:\Program Files\PSDream\PSDream.exe

    Trojan.Drop/Gen Variant
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0008281.exe

    Unclassified.Unknown Origin/System
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009260.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009262.exe
    C:\WINDOWS\srvlhyyhbn.exe

    Adware.WebNexus
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009261.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009308.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009313.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP41\A0009636.dll

    Trojan.YourEnhancement
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009263.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009267.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010709.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010710.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010711.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010718.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP45\A0010774.exe
    C:\WINDOWS\uni_e6h.exe

    Adware.Mirar/NetNucleus
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009307.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010727.exe

    Adware.NicTech Networks
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009332.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP39\A0009342.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010732.dll
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010733.dll

    Adware.Qoologic/QoolAid
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP41\A0009634.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP41\A0009638.exe

    Trojan.Downloader-SysMon
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP41\A0010655.exe

    Trojan.AC3
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP42\A0010671.exe

    Adware.Adservs
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010701.exe

    Trojan.Downloader-Gen/Win
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010702.exe

    Adware.Numb-Soft/Resident
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010703.exe

    Trojan.Downloader-Loader
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010707.exe

    Adware.Avenue Media
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010708.exe

    Adware.AutoSearch
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010719.dll

    Adware.SearchClickAds
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010725.exe
    C:\WINDOWS\Uninstall.exe

    Trojan.Override
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010726.exe

    Trojan.ThisELT
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010729.exe

    Adware.Director
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010730.exe

    Adware.ZenoSearch
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010737.exe
    C:\System Volume Information\_restore{732DF73C-2D14-44A6-8D21-FA89788D1CD9}\RP43\A0010738.exe

    Trojan.Unknown Origin
    C:\WINDOWS\QQ\kk.vbs
    C:\WINDOWS\system32\wcptr.exe
    C:\WINDOWS\Uninst2.htm
    C:\WINDOWS\uninstall_nmon.vbs

    Adware.FullContext/SCA
    C:\WINDOWS\srvdklvxlz.exe
  • jmoney3457 Maine
    edited October 2006
    whoa, that's a lot of stuff. OK, please delete everything from SUPER's quarantine, and you can also delete the ComboFix file/folder. Then reboot and post a new HJT log along with how the PC is running now, as it must have improved somewhat since it did remove quite a bit of malware :thumbup