Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 2570

Oct 1st, 2007

my dads computer is filled with spam a little help please

Expand Post »

i have tryed a cupple times to remove the spam problem but it got worse and worse this is my last try before i format C:\ and start over again.here is my hijack this log file.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:05:59 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.0.0.0.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {042DF1EE-48DA-4DC9-883C-076B56A2B3AE} - \
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07FFBE6C-8240-4517-ABD1-63B6CEF77931} - C:\WINDOWS\system32\pmnlk.dll
O2 - BHO: (no name) - {296E1646-195C-482C-826C-A326951F8246} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {59307AE9-446E-4BF3-84F1-C4DB7C840042} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\nydlaymi.dll (file missing)
O2 - BHO: (no name) - {C9F0D1AF-9FF9-4A8F-ABD3-724E2469BB93} - C:\Program Files\Messenger\hotexy43855.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\iifecca.dll
O2 - BHO: (no name) - {E0A2E0AC-A01F-4D0E-9FBB-DEC0D05B6466} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O4 - HKLM\..\Run: [MSCStart] C:\WINDOWS\system32\color\ShellExt\mru\Ltn\lssas.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [Vnc System] C:\Program Files\Internet Explorer\Custom\VNC2.exe s
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\tjhtptjc.dll",sitypnow
O4 - HKLM\..\RunServices: [DRam prosessor] plscd.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [Walgreens PhotoShow Media Manager] C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: AMV convert tool grab multimedia file - C:\Program Files\MP3??????? 4.10\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3??????? 4.10\MediaManager\grab.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10D1242B-6EFF-465D-B2F6-27AB9B310929} (WrapFrontend Control) - http://www.softwrap.com/wrapper800.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima.gov/gis/mapguide...5/mgaxctrl.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: iifecca - C:\WINDOWS\SYSTEM32\iifecca.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmnlk - C:\WINDOWS\system32\pmnlk.dll
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\iixfbfbq.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\jxpearo.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\proprygegi.html

--
End of file - 8425 bytes

please help me fix his computer.

Similar Threads

Antivirus software? in Apple Rumors and Reports
Internet Gone Whacko in Web Browsers
Problem compiling with Dev-C++ in C++
Sound card driver - micro-star MS-6382 in Windows NT / 2000 / XP
Securely Allow users to add to Database in PHP

pdzoner

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

3 posts
since Oct 2007

Permalink

Oct 2nd, 2007

Re: my dads computer is filled with spam a little help please

Hello,
1. Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
2. Download SmitFraudFix
Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
* Double-click SmitfraudFix.exe
* Select 2 and hit Enter to delete infect files.
* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Then run HijackThis again and post fresh log here.

strix

Reputation Points: 10

Solved Threads: 1

Newbie Poster

Offline

17 posts
since Jun 2007

Permalink

Oct 3rd, 2007

Re: my dads computer is filled with spam a little help please

I might be missing something, but I cannot see a reason for running Smitfraudfix there and if you run option #2 on an uninfected machine, you can lose the desktop.
You definitely have a Vundo infection though and combofix should go a long way towards removing it. I would advise to do the following too;

Please download VundoFix.exe
to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when
VundoFix appears at reboot.

crunchie

Moderator

Featured Poster

Reputation Points: 1142

Solved Threads: 982

Most Valuable Poster

Online

12,163 posts
since Feb 2004

Permalink

Oct 8th, 2007

Re: my dads computer is filled with spam a little help please

hey guys thnaks for the help i got the combo fix log ad ran the vondo remover i havent checked for spam yet but heres the combo log file
ComboFix 07-10-07.2 - Owner 2007-10-08 14:10:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.634 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\Abbr
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ActivationCode
C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2007\Data\ProductCode
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Owner\Application Data\installer_en[1].exe
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\#SharedObjects\3PDZUQ4U\www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Documents and Settings\Owner\Application Data\winantispyware2007freeinstall[1].exe
C:\Documents and Settings\Owner\Application Data\winantispyware2007freeinstall[1].exe
C:\Documents and Settings\Owner\Desktop\internet.lnk
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\ResErrors.log
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\AntiVirGear 3.8
C:\Program Files\AntiVirGear 3.8\vpp.ini
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\Common Files\drivecleaner free
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\WinAntiSpyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\00D0C09C.dat
C:\Program Files\Online Video Add-on
C:\Program Files\Online Video Add-on\icmntr.exe
C:\Program Files\Online Video Add-on\icthis.exe
C:\Program Files\Online Video Add-on\isfmm.exe
C:\Program Files\Online Video Add-on\isfun.exe
C:\Program Files\Online Video Add-on\ot.ico
C:\Program Files\Online Video Add-on\ts.ico
C:\Program Files\Online Video Add-on\uninst.exe
C:\Program Files\Windows NT\proprygegi.html
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\UWA7P
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\IA
C:\WINDOWS\IA\KE.vbs
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\NDNuninstall7_48.exe
C:\WINDOWS\system32\afjvgypn.exe
C:\WINDOWS\system32\appwrbgb.exe
C:\WINDOWS\system32\auncwoob.exe
C:\WINDOWS\system32\ayxhrupx.exe
C:\WINDOWS\system32\bnllopce.exe
C:\WINDOWS\system32\bsnzafqa.bin
C:\WINDOWS\system32\cdkogibr.exe
C:\WINDOWS\system32\cfg.dat
C:\WINDOWS\system32\cjultwqa.exe
C:\WINDOWS\system32\cnrdlhck.exe
C:\WINDOWS\system32\cykciujh.exe
C:\WINDOWS\system32\daeeednw.exe
C:\WINDOWS\system32\dfwybohq.exe
C:\WINDOWS\system32\dnkftwpj.exe
C:\WINDOWS\system32\dohoucic.exe
C:\WINDOWS\system32\dqcceviw.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\duhmxfga.exe
C:\WINDOWS\system32\dusyrrma.exe
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\dxukvknk.exe
C:\WINDOWS\system32\ebwypwca.exe
C:\WINDOWS\system32\ecgpkeon.exe
C:\WINDOWS\system32\edwoxieu.exe
C:\WINDOWS\system32\edyygbhc.exe
C:\WINDOWS\system32\fncahkiv.exe
C:\WINDOWS\system32\focfpovq.exe
C:\WINDOWS\system32\fvadvuml.exe
C:\WINDOWS\system32\geperekw.exe
C:\WINDOWS\system32\gtrirnkl.exe
C:\WINDOWS\system32\hdnuwxeu.exe
C:\WINDOWS\system32\ibmbqnic.exe
C:\WINDOWS\system32\ibvdpgoy.exe
C:\WINDOWS\system32\ifoaowyv.exe
C:\WINDOWS\system32\iialqnqn.exe
C:\WINDOWS\system32\ilflkpvi.exe
C:\WINDOWS\system32\ilrqribc.exe
C:\WINDOWS\system32\ixhjsqxu.exe
C:\WINDOWS\system32\jcytyfgt.exe
C:\WINDOWS\system32\jpgyiixv.exe
C:\WINDOWS\system32\jqudmhcm.exe
C:\WINDOWS\system32\jsdibrbg.exe
C:\WINDOWS\system32\jvxybhwe.exe
C:\WINDOWS\system32\koklmkkf.exe
C:\WINDOWS\system32\ktdthwqs.exe
C:\WINDOWS\system32\lpprvjqr.exe
C:\WINDOWS\system32\lpsixlqx.exe
C:\WINDOWS\system32\lxllbook.exe
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\mbrrpqyu.exe
C:\WINDOWS\system32\mcwpelwq.exe
C:\WINDOWS\system32\mdxdhlsc.exe
C:\WINDOWS\system32\mjpbisyg.exe
C:\WINDOWS\system32\mywkqnak.exe
C:\WINDOWS\system32\ncsrvcss.exe
C:\WINDOWS\system32\nggbbofc.exe
C:\WINDOWS\system32\niedlpkj.exe
C:\WINDOWS\system32\niqxyicu.exe
C:\WINDOWS\system32\nqlipqty.exe
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\oikgcbpo.exe
C:\WINDOWS\system32\ojbbixrv.exe
C:\WINDOWS\system32\owinpndt.exe
C:\WINDOWS\system32\pcoygecv.exe
C:\WINDOWS\system32\plhlatjs.exe
C:\WINDOWS\system32\pmikknww.exe
C:\WINDOWS\system32\prfychxq.exe
C:\WINDOWS\system32\prwcjmgn.exe
C:\WINDOWS\system32\ptcchceo.exe
C:\WINDOWS\system32\pvogxxue.exe
C:\WINDOWS\system32\pwqgwalh.exe
C:\WINDOWS\system32\qhtvjvoq.exe
C:\WINDOWS\system32\qkedxltp.exe
C:\WINDOWS\system32\qkfwwgrc.exe
C:\WINDOWS\system32\qyluhkvr.exe
C:\WINDOWS\system32\rabrbfcg.exe
C:\WINDOWS\system32\rhrysron.exe
C:\WINDOWS\system32\rlmpgfjt.exe
C:\WINDOWS\system32\rwwykwqk.exe
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\saedmseu.exe
C:\WINDOWS\system32\sctfhfix.exe
C:\WINDOWS\system32\siowbsiw.exe
C:\WINDOWS\system32\skjswxrw.exe
C:\WINDOWS\system32\smtpvjrn.exe
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tacujnxp.exe
C:\WINDOWS\system32\tggqyiwh.exe
C:\WINDOWS\system32\tsmqxjmw.exe
C:\WINDOWS\system32\tutmarrj.exe
C:\WINDOWS\system32\ucvsmnud.exe
C:\WINDOWS\system32\ufnysyhy.exe
C:\WINDOWS\system32\ugymhlpq.exe
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\utvqnjlj.exe
C:\WINDOWS\system32\uvgynikj.exe
C:\WINDOWS\system32\uxlnmwea.exe
C:\WINDOWS\system32\uypurqhp.exe
C:\WINDOWS\system32\vjdgdkje.exe
C:\WINDOWS\system32\vtvmyorm.exe
C:\WINDOWS\system32\vwvoxyiw.exe
C:\WINDOWS\system32\wbstfgfw.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wmqlhrep.exe
C:\WINDOWS\system32\wtssu.exe
C:\WINDOWS\system32\wtssu.exe
C:\WINDOWS\system32\wwhyqvcq.exe
C:\WINDOWS\system32\xqbxtsbt.exe
C:\WINDOWS\system32\xyiqegtt.exe
C:\WINDOWS\system32\yeawcmhc.exe
C:\WINDOWS\system32\yejqtcro.exe
C:\WINDOWS\system32\ykvnmjig.exe
C:\WINDOWS\system32\ylmdesyd.exe
C:\WINDOWS\system32\ypgvkpab.exe
C:\WINDOWS\system32\yppntbaa.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\tsks~1
C:\WINDOWS\tsks~1\rundll32.exe
C:\WINDOWS\tsks~1\T?sks\
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wbun.exe
C:\WINDOWS\wr.txt
C:\WINDOWS\ystem3~1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\cmdService
-------\core
-------\DomainService
-------\Net Agent
-------\Windows Overlay Components

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-08 14:07 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-10-08 14:05 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 05:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\WinAnonymous
2007-10-03 19:46 <DIR> d-------- C:\VundoFix Backups
2007-09-29 21:38 1,524,118 ---hs---- C:\WINDOWS\system32\klnmp.ini2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-08 12:25 --------- d-------- C:\Program Files\Steam
2007-10-03 20:02 --------- d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-24 23:49 --------- d-------- C:\Documents and Settings\Owner\Application Data\Walgreens
2007-09-11 13:01 --------- d-------- C:\Program Files\Diablo II
2007-09-06 19:35 --------- d-------- C:\Program Files\MySpace
2007-08-29 17:19 --------- d-------- C:\Documents and Settings\Owner\Application Data\SmartDraw
2007-08-29 17:04 --------- d-------- C:\Program Files\SmartDraw 2008
2007-08-27 04:39 --------- d-------- C:\Program Files\CONEXANT
2007-08-27 03:36 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-27 03:33 --------- d-------- C:\Program Files\My Photo Adventure 2
2007-08-27 03:31 --------- d--h----- C:\Documents and Settings\Owner\Application Data\Move Networks
2007-08-26 12:05 --------- d-------- C:\Program Files\Yahoo! Games
2007-08-16 06:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\RoboForm
2007-08-16 06:14 --------- d-------- C:\Program Files\Siber Systems
2007-08-15 00:49 --------- d-------- C:\Program Files\MSXML 4.0
2007-08-14 01:28 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-14 01:26 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-14 01:26 --------- d-------- C:\Program Files\Ahead
2007-01-10 20:52 376901 --a------ C:\Program Files\Uninstall My Web Search.dll
2002-07-26 17:02 153088 --a--c--- C:\Program Files\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{042DF1EE-48DA-4DC9-883C-076B56A2B3AE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{296E1646-195C-482C-826C-A326951F8246}]
C:\WINDOWS\system32\ddccc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59307AE9-446E-4BF3-84F1-C4DB7C840042}]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB297C4D-8F76-49D1-9461-4A45BF02FD45}]
C:\WINDOWS\system32\pmnlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C9F0D1AF-9FF9-4A8F-ABD3-724E2469BB93}]
2007-06-14 04:54 163840 --a------ C:\Program Files\Messenger\hotexy43855.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}]
C:\Program Files\Online Video Add-on\isfmdl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0A2E0AC-A01F-4D0E-9FBB-DEC0D05B6466}]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 17:34]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 17:51]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinAnonymous"="C:\Program Files\WinAnonymous\GDC.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"DRam prosessor"=plscd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc]
C:\WINDOWS\system32\ddccc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkhh]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnn]
C:\WINDOWS\system32\pmnnn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkbMonitor.exe.lnk
backup=C:\WINDOWS\pss\NkbMonitor.exe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YourScreen.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YourScreen.lnk
backup=C:\WINDOWS\pss\YourScreen.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^hc_tray.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\hc_tray.lnk
backup=C:\WINDOWS\pss\hc_tray.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PictureProject In Touch.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\PictureProject In Touch.lnk
backup=C:\WINDOWS\pss\PictureProject In Touch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^wkcalrem.LNK]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\wkcalrem.LNK
backup=C:\WINDOWS\pss\wkcalrem.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Atari icon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtariBanner]
"C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COMODO Firewall Pro]
"C:\Program Files\Comodo\Firewall\CPF.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ealb]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\owinpndt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FilmLoop]
"C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hcsystray]
C:\Program Files\Kuma Games\hcsystray\Kumawar_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jws]
C:\WINDOWS\?ystem32\n?tdde.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jxpearoA]
C:\WINDOWS\jxpearoA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lmctmj]
"C:\Program Files\Common Files\F?nts\?hkntfs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\McAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFEXE]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mschkdsk.exe]
C:\WINDOWS\system32\mschkdsk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSCStart]
C:\WINDOWS\system32\color\ShellExt\mru\Ltn\lssas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
rundll32 C:\PROGRA~1\MYWEBS~1\bar\3.bin\MWSBAR.DLL,S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Community Tools]
"C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\3.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
"C:\Program Files\Outerinfo\Outerinfo.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
"C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\\PSDrvCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
C:\Program Files\Digital Media Reader\readericon45G.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegPowerClean]
"C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SearchIndexer]
rundll32.exe "C:\WINDOWS\system32\mmbkcryr.dll",sitypnow

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpamBlocker]
C:\Program Files\SpamBlockerUtility\Bin\4.8.0.0\SbOEAddOn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"C:\Program Files\Steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\system32\ityvtptb.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USB2Check]
RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USBToolTip]
"C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vnc System]
C:\Program Files\Internet Explorer\Custom\VNC2.exe s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Walgreens PhotoShow Media Manager]
C:\PROGRA~1\WALGRE~1\WALGRE~1\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.7.4\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPop]
C:\Program Files\WinPop\winpop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
"c:\program files\zango\zango.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{06-69-9C-CB-ZN}]
C:\windows\system32\modsregq.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\windows\system32\modsregq.exe CHD003

R2 X4HSX32;X4HSX32;\??\C:\Program Files\GameTap\bin\Release\X4HSX32.Sys
S3 MR97310_USB_DUAL_CAMERA;MR97310 CIF Dual Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{192cb114-5378-11dc-b1a9-0016171d2471}]
AutoRun\command- J:\RavMon.exe
explore\Command- J:\RavMon.exe -e
open\Command- J:\RavMon.exe

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 14:16:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-08 14:19:23 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-08 14:19
.
--- E O F ---

pdzoner

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

3 posts
since Oct 2007

Permalink

Oct 8th, 2007

Re: my dads computer is filled with spam a little help please

and now to make this thread any longer the hijack this fix i have to go to work aigan please reply if there still seems to b a problem i havent hade a chance to check if it worked
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:23:14 PM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.0.0.0.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {042DF1EE-48DA-4DC9-883C-076B56A2B3AE} - \
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {296E1646-195C-482C-826C-A326951F8246} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {59307AE9-446E-4BF3-84F1-C4DB7C840042} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {BB297C4D-8F76-49D1-9461-4A45BF02FD45} - C:\WINDOWS\system32\pmnlk.dll (file missing)
O2 - BHO: (no name) - {C9F0D1AF-9FF9-4A8F-ABD3-724E2469BB93} - C:\Program Files\Messenger\hotexy43855.dll
O2 - BHO: (no name) - {D579A683-0CC7-4023-BAE7-0544D0D1DA3A} - C:\Program Files\Online Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {E0A2E0AC-A01F-4D0E-9FBB-DEC0D05B6466} - C:\WINDOWS\system32\pmnnn.dll (file missing)
O3 - Toolbar: (no name) - {41F6170D-6AF8-4188-8D92-9DDAB3C71A78} - (no file)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [DRam prosessor] plscd.exe
O4 - HKCU\..\Run: [WinAnonymous] C:\Program Files\WinAnonymous\GDC.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Online Video Add-on\icthis.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: AMV convert tool grab multimedia file - C:\Program Files\MP3??????? 4.10\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3??????? 4.10\MediaManager\grab.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10D1242B-6EFF-465D-B2F6-27AB9B310929} (WrapFrontend Control) - http://www.softwrap.com/wrapper800.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.dot.pima.gov/gis/mapguide...5/mgaxctrl.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll (file missing)
O20 - Winlogon Notify: pmnnn - C:\WINDOWS\system32\pmnnn.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6693 bytes

pdzoner

Reputation Points: 10

Solved Threads: 0

Newbie Poster

Offline

3 posts
since Oct 2007

Permalink

Oct 9th, 2007

Re: my dads computer is filled with spam a little help please

Please run vundofix a few times until it comes back clean. Post it's log when done.

crunchie

Moderator

Featured Poster

Reputation Points: 1142

Solved Threads: 982

Most Valuable Poster

Online

12,163 posts
since Feb 2004

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Security Toolbar 7.1

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: IE 6.0 not working

DaniWeb Message

Cancel Changes

User Name
Password