Vundo Trojan

  1. #1
    gr8fldad (Junior Member)

    Vundo Trojan

    Looks like I got it, at least according to McAfee. Can't seem to get rid of it.
    Here's my hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:37:22 AM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
    O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
    O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
    O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.ticketmaster.com
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
    O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6202 bytes


    And here's my uninstall list:

    Ad-Aware SE Personal
    Adobe Acrobat Reader 3.0
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.8
    Adobe® Photoshop® Album Starter Edition 3.0
    AIM 6.0
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Instant Messenger
    AOL Toolbar 2.0
    AOL Uninstaller (Choose which Products to Remove)
    AOL You've Got Pictures Screensaver
    Apple Software Update
    CCleaner (remove only)
    Dell ResourceCD
    DivX
    DivX Converter
    DivX Player
    DivX Web Player
    Easy CD Creator 5 Basic
    ESPN RunTime
    HaxFix 4.29
    Hijackthis 1.99.1
    HijackThis 2.0.2
    HP DeskJet 895C Series (Remove only)
    Internet Explorer Q903235
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    LimeWire PRO 4.10.9
    Macromedia Shockwave Player
    McAfee SecurityCenter
    McAfee VirusScan
    Metric Conversion Calculator
    Microsoft .NET Framework 1.1
    Microsoft Data Access Components KB870669
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    Music Rescue 3.1.1
    Musicnotes Player V1.22.2
    NVIDIA Drivers
    OpenMG Limited Patch 4.1-05-14-24-01
    OpenMG Secure Module 4.1.00
    Photodex Presenter
    PSP Video 9 1.74
    Pure Networks Port Magic
    Quicken 2003 Deluxe
    QuickTime
    RealPlayer
    RTC Client API v1.2
    Spelling Dictionaries For Adobe Reader Package
    Spybot - Search & Destroy 1.4
    Viewpoint Media Player
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Hotfix - KB822603
    Windows XP Uninstall
    WinZip Self-Extractor

    Hope you guys/gals can help. Brutally frustrating...


  2. #2
    Neal (Dedicated Member)
    Welcome and yep you got it!



    Please go to hijackthis.exe, right-click on it, click Rename, rename it to foolyou.exe and press Enter,
    then post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



    1. Download this file - COMBOFIX
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it will produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Post a new hijackthis log also please.

  3. #3
    gr8fldad (Junior Member)
    Here's the renamed foolyou.exe log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:57:31 AM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\Explorer.EXE
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
    O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
    O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
    O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.ticketmaster.com
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
    O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6136 bytes


    I'll be back with a new post with the vundo contents log.

  4. #4
    gr8fldad (Junior Member)
    Here's the hijackthis log after running vundofix:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:29:56 AM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
    O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
    O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.ticketmaster.com
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 5990 bytes

    At first, some files couldn't be removed, but it didn't seem to have the same problem after running vundofix after reboot.

    I don't know how to get the contents of the vundofix.txt.

    I also don't recall ever seeing the F2 and O20 in prior hijackthis logs.

    I'll do combofix next and will post the log.

    Thanks again for your help...
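    The logs in post #3 (before VundoFix) and post #4 (after) differ only in the mljkifd.dll entries, and the O20 lines the poster asks about are the kind HijackThis lists only when they are not stock Windows entries. The script below is an added example, not code from this thread or from HijackThis itself: it parses HijackThis "Xn - ..." entries, flags the patterns a helper looks for in a Vundo case (BHOs registered with no name, registrations pointing at a missing file, Winlogon Notify packages), and diffs two logs so the effect of a cleanup step can be read off instead of eyeballed. The two embedded logs are trimmed excerpts of the ones posted above; the rule set is this example's own, not an official HijackThis heuristic.

```python
import re
from typing import List, Tuple

# Constructed samples: trimmed excerpts of the two HijackThis logs in this
# thread (post #3, before VundoFix; post #4, after). Not complete logs.
LOG_BEFORE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O2 - BHO: (no name) - {F4002052-AB29-4B33-8C8D-0E99084564EC} - C:\WINDOWS\System32\mljkifd.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O20 - Winlogon Notify: mljkifd - C:\WINDOWS\SYSTEM32\mljkifd.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
"""

# A HijackThis entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, full line) for every entry line; the header, the
    running-process list and the 'End of file' trailer are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), line))
    return entries


def reasons_for(section: str, line: str) -> List[str]:
    """This example's rules for the entries a helper asks about in a Vundo
    case (not an official HijackThis heuristic)."""
    reasons = []
    if section == "O2" and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if "(file missing)" in line:
        reasons.append("registration points at a file that no longer exists")
    if section == "O20":
        reasons.append("Winlogon Notify package; HijackThis hides the stock ones, so review it")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Entries worth a second look, each paired with the rules it tripped."""
    flagged = []
    for section, line in parse_entries(text):
        reasons = reasons_for(section, line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries removed and added between two logs. Windows paths are
    case-insensitive, so lines are compared lower-cased; the mcupdate.exe /
    McUpdate.exe difference between the two excerpts is therefore not
    reported as a change."""
    old = {line.lower(): line for _, line in parse_entries(before)}
    new = {line.lower(): line for _, line in parse_entries(after)}
    removed = [old[k] for k in old if k not in new]
    added = [new[k] for k in new if k not in old]
    return removed, added


if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE):
        print(f"{line}\n    -> {'; '.join(why)}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nremoved by the cleanup:")
    for line in removed:
        print("  -", line)
    print("added:", added or "none")
```

    Run as-is it prints seven flagged entries from the "before" excerpt and reports the two mljkifd lines as the only change, which matches what VundoFix removed between post #3 and post #4; the entries that survived (ilsk.dll, msrepl40p.dll, the orphaned tustq.dll registration) are the ones the later ComboFix run also struggles with.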

  5. #5
    gr8fldad (Junior Member)
    System had difficulty rebooting after combofix. Had to select "start computer with last settings that worked" in order to start it up. It wouldn't in normal start up mode.

    Here's the combofix log:


    ComboFix 07-11-01.1 - Windows User 2007-11-02 9:38:02.1 - FAT32x86
    Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Documents and Settings\Home\Start Menu\Programs\Startup\TA_Start.lnk
    C:\Documents and Settings\Home\Start Menu\Programs\Startup\think-adz.lnk
    C:\Documents and Settings\Windows User\Application Data\install.dat
    C:\Documents and Settings\Windows User\err.log
    C:\Program Files\mediapipe
    C:\Program Files\Microsoft Security Adviser
    C:\Program Files\winmsg
    C:\Program Files\winmsg\sb_bar.css
    C:\Program Files\winmsg\sb_bar.htm
    C:\Program Files\winmsg\sb_ep.htm
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\bass.exe
    C:\temp\brr
    C:\Temp\fCOe
    C:\Temp\fse
    C:\Temp\fse\tmpZTF.log
    C:\temp\iee
    C:\WINDOWS\start.exe
    C:\WINDOWS\system32\b02FdUe
    C:\WINDOWS\system32\drivers\lsisrmki.dat
    C:\WINDOWS\system32\f02WtR
    C:\WINDOWS\system32\f10WtR
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\spywarewarning.mht
    C:\WINDOWS\system32\twinlmds.exe
    C:\WINDOWS\system32\twinlmdt.exe
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\system32\wsnpoem\audio.dll
    C:\WINDOWS\system32\wsnpoem\video.dll
    C:\WINDOWS\system32\zxdnt3d.cfg
    C:\WINDOWS\system32\drivers\snkwevbj.dat . . . . failed to delete
    C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
    C:\WINDOWS\system32\ilsk.dll.bak . . . . failed to delete
    C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_FCQWHXIK
    -------\LEGACY_FOPN
    -------\LEGACY_ICF
    -------\LEGACY_NOITTUKV
    -------\LEGACY_RUNTIME
    -------\fcqwhxik
    -------\ICF
    -------\noittukv
    -------\runtime


    ((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
    .

    2007-11-02 09:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 00:35 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-01 19:17 410,899 ---hs---- C:\WINDOWS\SYSTEM32\bbbeg.bak2
    2007-10-31 09:28 408,654 ---hs---- C:\WINDOWS\SYSTEM32\bbbeg.bak1
    2007-10-30 09:29 408,654 ---hs---- C:\WINDOWS\SYSTEM32\twycf.bak1
    2007-10-30 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz17r
    2007-10-30 09:24 507,217 --a------ C:\Temp\ocli.exe
    2007-10-30 09:23 <DIR> d-------- C:\Temp\mZOr
    2007-10-28 23:18 238,112 --a------ C:\Temp\cilo.exe
    2007-10-27 10:36 <DIR> d-------- C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
    2007-10-24 20:38 <DIR> d-------- C:\Temp\Tmp___21564
    2007-10-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2007-10-24 20:23 <DIR> d-------- C:\VundoFix Backups
    2007-10-24 20:21 <DIR> d-------- C:\Temp\Tmp___18292
    2007-10-24 17:58 <DIR> dr-h----- C:\$VAULT$.AVG
    2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\AVG7
    2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-24 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-19 18:45 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
    2007-10-19 18:45 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
    2007-10-19 18:29 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\BitTorrent
    2007-10-19 00:48 <DIR> d-------- C:\Program Files\Photodex Presenter
    2007-10-19 00:25 144 --ahs---- C:\WINDOWS\SYSTEM32\777197797.dat
    2007-10-15 23:38 741,632 --a------ C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
    2007-10-15 23:38 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
    2007-10-15 23:38 118,528 --a------ C:\WINDOWS\SYSTEM32\fkyedvcq.dat
    2007-10-15 23:38 41,728 --a------ C:\WINDOWS\SYSTEM32\gegwioew.dat
    2007-10-15 23:38 35,584 --a------ C:\WINDOWS\SYSTEM32\kngkujmi.dat
    2007-10-15 23:38 35,072 --a------ C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
    2007-10-15 23:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
    2007-10-15 23:33 82,432 --a------ C:\WINDOWS\SYSTEM32\ilsk.dll
    2007-10-15 23:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ilsk(2).dll
    2007-10-15 23:33 18,688 C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
    2007-10-15 23:33 16,896 --a------ C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
    2007-10-15 23:32 119,552 --a------ C:\WINDOWS\SYSTEM32\msrepl40p.dll
    2007-10-15 23:32 107,893 --a------ C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
    2007-10-09 00:00 49,664 --a------ C:\WINDOWS\SYSTEM32\icf.exe
    2007-10-08 09:53 <DIR> d--hs---- C:\FOUND.064

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-24 05:39 --------- d-----w C:\Documents and Settings\Home\Application Data\acccore
    2007-09-18 02:31 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Netscape
    2007-09-11 21:00 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Apple
    2007-09-02 23:05 32,392 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
    2007-08-08 05:31 6,421 --sh--w C:\WINDOWS\SYSTEM32\cfiii.bak1
    2003-11-29 20:37 271 --sh--w C:\Program Files\desktop.ini
    2003-11-29 20:37 23,357 ---h--w C:\Program Files\folder.htt
    2007-06-23 06:01:32 1,870,520 --sh--w C:\WINDOWS\SYSTEM32\onqss.bak2
    2007-06-23 02:23:54 1,870,520 --sh--w C:\WINDOWS\SYSTEM32\onqss.bak1
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
    C:\WINDOWS\System32\tustq.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
    2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
    2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
    "HostManager"="C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe" [2007-04-12 17:23]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
    ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= :\WINDOWS\System32\srrst

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
    backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
    backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
    backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^TA_Start.lnk]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\TA_Start.lnk
    backup=C:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\w32.exe
    backup=C:\WINDOWS\pss\w32.exeStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
    msrcsp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
    "C:\Program Files\AltPayments\AltPayments.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    "C:\Program Files\America Online 9.0\AOL.EXE" -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    "C:\Program Files\Ares\Ares.exe" -h

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
    "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
    C:\WINDOWS\Belt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    "C:\Program Files\BitTorrent_DNA\dna.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
    C:\WINDOWS\renvsyu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
    "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
    C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
    C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
    "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
    C:\WINDOWS\System32\kydvsz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    C:\WINDOWS\System32\twinlmds.exe CHD003

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filit]
    C:\foobar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
    C:\WINDOWS\System32\kydvsz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
    rundll32.exe EGDHTML_1030.dll,InstantAccess

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "C:\Program Files\Internet Optimizer\optimize.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
    C:\Program Files\ISTsvc\istsvc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
    C:\WINDOWS\jgn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
    c:\windows\system32\kydvsz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
    "C:\Program Files\p2pnetworks\mpp2pl.exe" /H

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
    wininit32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
    C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\200543017055_mcinfo.exe /insfin

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mslagent]
    C:\WINDOWS\mslagent\mslagent_.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
    C:\WINDOWS\System32\kydvsz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
    C:\WINDOWS\System32\NDrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
    "C:\Program Files\Outerinfo\Outerinfo.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
    "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
    C:\WINDOWS\system32\p1h87d1fdmkc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
    msu2disp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    snd332.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
    c:\program files\180solutions\sais.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
    C:\WINDOWS\System32\Ooaqaq.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
    C:\WINDOWS\snd332.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
    C:\WINDOWS\\\etb\\pokapoka76.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
    SysTray.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
    C:\WINDOWS\sysupd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    C:\PROGRA~1\Toolbar\TBPS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
    "c:\documents and settings\windows user\local settings\temp\fsg_tmp\ginst_001.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
    C:\Program Files\Common files\updater\wupdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
    "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
    C:\WINDOWS\System32\Togkio.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
    C:\WINDOWS\spfkowpu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
    wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
    C:\WINDOWS\Web\Wallpaper\winad.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
    C:\Program Files\Winad Client\Winad.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
    "C:\Program Files\WinAntiSpyware 2007\was7.exe" /min

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    C:\winstall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    C:\Program Files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
    NETSTATT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]
    c:\program files\zango\zango.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "Hidserv"=Hidserv.exe run

    R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
    R1 cdudf;cdudf;C:\WINDOWS\System32\drivers\cdudf.sys
    R1 cmosa;cmosa;C:\WINDOWS\System32\drivers\cmosa.sys
    R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
    R1 UdfReadr;UdfReadr;C:\WINDOWS\System32\drivers\UdfReadr.sys
    R2 HPFECP15;HPFECP15;C:\WINDOWS\System32\drivers\HPFECP15.SYS
    R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    "C:\WINDOWS\System32\rundll32.exe" "C:\PROGRA~1\MESSEN~1\msgsc.dll",ShowIconsUser
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-08-05 04:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
    "2007-11-02 14:22:02 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
    "2007-11-02 14:46:12 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-Windows User).job"
    - c:\program files\mcafee.com\vso\mcmnhdlr.exe
    "2007-11-02 14:31:22 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Windows User).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-11-02 07:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    "2007-08-24 19:51:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-02 14:47:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Home).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-11-02 14:39:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Michael).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 09:46:45
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-02 9:48:20 - machine was rebooted
    .
    --- E O F ---

    Hijackthis log after combofix run:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:52:52 AM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
    O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
    O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.ticketmaster.com
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6028 bytes


    That F2 entry I mentioned earlier is now gone. Interesting...

    Let me know your thoughts. Thanks.

  6. #6
    Neal is offline Dedicated Member
    That is a very infected computer, I hope it will recover from infection.


    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to your desktop.
    Close out of that and now you should have a backup copy of your registry which looks like


    Open Notepad (not WordPad) and copy/paste the text in the quotebox below into it (not the word "quote"):


    File::
    C:\WINDOWS\SYSTEM32\bbbeg.bak2
    C:\WINDOWS\SYSTEM32\bbbeg.bak1
    C:\WINDOWS\SYSTEM32\twycf.bak1
    C:\Temp\ocli.exe
    C:\Temp\cilo.exe
    C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
    C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
    C:\WINDOWS\SYSTEM32\777197797.dat
    C:\WINDOWS\SYSTEM32\fkyedvcq.dat
    C:\WINDOWS\SYSTEM32\gegwioew.dat
    C:\WINDOWS\SYSTEM32\kngkujmi.dat
    C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
    C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
    C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
    C:\WINDOWS\SYSTEM32\msrepl40p.dll
    C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
    C:\FOUND.064
    C:\WINDOWS\SYSTEM32\cfiii.bak1
    C:\WINDOWS\SYSTEM32\onqss.bak2
    C:\WINDOWS\SYSTEM32\onqss.bak1

    Folder::
    C:\Temp\Tmp___21564
    C:\VundoFix Backups
    C:\Temp\Tmp___18292

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ECB0138-A7B2-4B4B-B690-085B77BED5AA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EbatesMoeMoneyMaker0]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eepaasj]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\filit]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fwzcpfbbvjix]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IST Service]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kydvsz]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaPipe P2P Loader]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mslagent]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxswkabdbc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDrv]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p1h87d1fdmkc]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rm3U36O]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sais]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snd332]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uwas7cw]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VWuRFDf]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winad]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winad Client]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAntiSpyware 2007 Free]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows installer]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zango]



    Save this as CFScript

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.



    What are these folders? Something from work, possibly?

    C:\WINDOWS\SYSTEM32\Mz17r - find and post what is inside, please.
    C:\Temp\mZOr



    Also...



    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.
    Last edited by Neal; 03-11-2007 at 08:55 PM.
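As an added example (not code from this thread, from HijackThis or from ComboFix): the step the script above performs by hand, turning the "(no name)" O2 BHO lines and the O20 Winlogon Notify line that shares a DLL with them into CFScript Registry:: and File:: entries. It assumes the CFScript section syntax shown in the post above; the sample log lines are constructed copies of the entries posted earlier in this thread.

```python
"""Turn suspect HijackThis O2/O20 findings into ComboFix CFScript lines.

Added example for this thread; not code from its participants, from
HijackThis or from ComboFix. The CFScript key shorthand (the '~' in the
Browser Helper Objects key) is copied from the script in the post above.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the style of the O2/O20 lines from the log posted
# earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
"""

# HijackThis line formats: "O2 - BHO: <name> - {CLSID} - <path> [(file missing)]"
# and "O20 - Winlogon Notify: <subkey> - <path>".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<subkey>\S+) - (?P<path>.*)$")

# Registry key prefixes written the way the CFScript in the post writes them.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt"
              r"\currentversion\winlogon\notify")


@dataclass
class Findings:
    bho_clsids: list = field(default_factory=list)     # CLSIDs to delete
    notify_subkeys: list = field(default_factory=list) # Winlogon Notify subkeys
    files: list = field(default_factory=list)          # DLLs still on disk


def _add_unique(paths, path):
    """Append a path unless it is already listed (Windows paths: case-insensitive)."""
    if path.lower() not in (p.lower() for p in paths):
        paths.append(path)


def triage(log_text):
    """Return the entries a helper would put into a CFScript.

    Rule 1: an O2 BHO registered with no name is suspect.
    Rule 2: an O20 Winlogon Notify entry is suspect when its DLL is also
            registered as a suspect BHO (the ilsk.dll pattern in this thread).
    DLLs HijackThis reports as "(file missing)" get no File:: line.
    """
    found = Findings()
    suspect_dlls = set()
    notify_entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            if m.group("name") == "(no name)":
                found.bho_clsids.append(m.group("clsid"))
                suspect_dlls.add(m.group("path").lower())
                if not m.group("missing"):
                    _add_unique(found.files, m.group("path"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify_entries.append((m.group("subkey"), m.group("path")))
    # Second pass: Notify entries are judged against the full BHO set.
    for subkey, path in notify_entries:
        if path.lower() in suspect_dlls:
            found.notify_subkeys.append(subkey)
            _add_unique(found.files, path)
    return found


def render_cfscript(found):
    """Format the findings as the Registry:: and File:: sections of a CFScript."""
    lines = ["Registry::"]
    lines += [f"[-{BHO_KEY}\\{clsid}]" for clsid in found.bho_clsids]
    lines += [f"[-{NOTIFY_KEY}\\{subkey}]" for subkey in found.notify_subkeys]
    lines += ["", "File::"] + found.files
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```

The output is meant to be compared against the log by hand before it goes anywhere near ComboFix; a nameless BHO is a strong hint, not proof.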

  7. #7
    gr8fldad is offline Junior Member
    Don't give up on me yet...
    Think of it as a bit more challenging than some of your easier fixes...

    Here's the combofix:

    ComboFix 07-11-01.1 - Windows User 2007-11-03 16:13:52.2 - FAT32x86
    Running from: C:\Documents and Settings\Windows User\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Windows User\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\FOUND.064
    C:\Temp\cilo.exe
    C:\Temp\ocli.exe
    C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
    C:\WINDOWS\SYSTEM32\777197797.dat
    C:\WINDOWS\SYSTEM32\bbbeg.bak1
    C:\WINDOWS\SYSTEM32\bbbeg.bak2
    C:\WINDOWS\SYSTEM32\cfiii.bak1
    C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
    C:\WINDOWS\SYSTEM32\fkyedvcq.dat
    C:\WINDOWS\SYSTEM32\gegwioew.dat
    C:\WINDOWS\SYSTEM32\kngkujmi.dat
    C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
    C:\WINDOWS\SYSTEM32\msrepl40p.dll
    C:\WINDOWS\SYSTEM32\onqss.bak1
    C:\WINDOWS\SYSTEM32\onqss.bak2
    C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
    C:\WINDOWS\SYSTEM32\twycf.bak1
    C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
    C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\cilo.exe
    C:\Temp\ocli.exe
    C:\Temp\Tmp___18292
    C:\Temp\Tmp___18292\CSICore.dll
    C:\Temp\Tmp___18292\CSIGUI.dll
    C:\Temp\Tmp___18292\PrevxCSI.exe
    C:\Temp\Tmp___21564
    C:\Temp\Tmp___21564\CSICore.dll
    C:\Temp\Tmp___21564\CSIGUI.dll
    C:\Temp\Tmp___21564\PrevxCSI.exe
    C:\VundoFix Backups
    C:\VundoFix Backups\qtsut.bak1.bad
    C:\VundoFix Backups\qtsut.bak2.bad
    C:\VundoFix Backups\qtsut.ini.bad
    C:\VundoFix Backups\qtsut.ini2.bad
    C:\VundoFix Backups\qtsut.tmp.bad
    C:\WINDOWS\SYSTEM32\777197797.dat
    C:\WINDOWS\SYSTEM32\bbbeg.bak1
    C:\WINDOWS\SYSTEM32\bbbeg.bak2
    C:\WINDOWS\SYSTEM32\cfiii.bak1
    C:\WINDOWS\system32\drivers\lsisrmki.dat
    C:\WINDOWS\SYSTEM32\fkyedvcq.dat
    C:\WINDOWS\SYSTEM32\gegwioew.dat
    C:\WINDOWS\SYSTEM32\kngkujmi.dat
    C:\WINDOWS\SYSTEM32\msrepl40p(2).dll
    C:\WINDOWS\SYSTEM32\onqss.bak1
    C:\WINDOWS\SYSTEM32\onqss.bak2
    C:\WINDOWS\SYSTEM32\p1h87d1fdmkc.exe
    C:\WINDOWS\SYSTEM32\twycf.bak1
    C:\WINDOWS\SYSTEM32\wmrmfhnx.dat
    C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
    C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat . . . . failed to delete
    C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
    C:\WINDOWS\system32\ilsk.dll.bak . . . . failed to delete
    C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_FCQWHXIK
    -------\LEGACY_FOPN
    -------\LEGACY_ICF
    -------\LEGACY_NOITTUKV
    -------\LEGACY_RUNTIME
    -------\fcqwhxik
    -------\noittukv


    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-02 09:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 00:35 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-30 09:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Mz17r
    2007-10-30 09:23 <DIR> d-------- C:\Temp\mZOr
    2007-10-27 10:36 <DIR> d-------- C:\WINDOWS\259682D2C528479CBEA06F793E73B99F.TMP
    2007-10-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
    2007-10-24 17:58 <DIR> dr-h----- C:\$VAULT$.AVG
    2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\AVG7
    2007-10-24 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-24 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-19 18:45 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll
    2007-10-19 18:45 9,336 --------- C:\WINDOWS\SYSTEM32\DRIVERS\cdr4_xp.sys
    2007-10-19 18:29 <DIR> d-------- C:\Documents and Settings\Windows User\Application Data\BitTorrent
    2007-10-19 00:48 <DIR> d-------- C:\Program Files\Photodex Presenter
    2007-10-15 23:38 246,545 --a------ C:\WINDOWS\SYSTEM32\libssl32.dll
    2007-10-15 23:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\AppCert
    2007-10-15 23:33 82,432 --a------ C:\WINDOWS\SYSTEM32\ilsk.dll
    2007-10-15 23:33 81,920 --a------ C:\WINDOWS\SYSTEM32\ilsk(2).dll
    2007-10-15 23:33 18,688 C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
    2007-10-15 23:32 119,552 --a------ C:\WINDOWS\SYSTEM32\msrepl40p.dll
    2007-10-09 00:00 49,664 --a------ C:\WINDOWS\SYSTEM32\icf.exe
    2007-10-08 09:53 <DIR> d--hs---- C:\FOUND.064

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-09-24 05:39 --------- d-----w C:\Documents and Settings\Home\Application Data\acccore
    2007-09-18 02:31 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Netscape
    2007-09-11 21:00 --------- d-----w C:\Documents and Settings\Windows User\Application Data\Apple
    2007-09-02 23:05 32,392 ----a-w C:\Documents and Settings\Windows User\Application Data\GDIPFONTCACHEV1.DAT
    2003-11-29 20:37 271 --sh--w C:\Program Files\desktop.ini
    2003-11-29 20:37 23,357 ---h--w C:\Program Files\folder.htt
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-02_ 9.47.28.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
    + 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Cookies\index.dat
    - 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-02 14:44:54 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-03 2112 32,768 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-11-02 14:37:52 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
    + 2007-11-03 21:13:38 385,024 ----a-w C:\WINDOWS\SYSTEM32\config\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
    2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
    2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
    "VirusScan Online"="c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" [2003-08-17 21:50]
    "MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2003-08-27 11:00]
    "MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2003-08-21 18:10]
    "HostManager"="C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe" [2007-04-12 17:23]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-08-08 15:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
    ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= :\WINDOWS\System32\srrst

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
    backup=C:\WINDOWS\pss\Billminder.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\GStartup.lnk
    backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
    backup=C:\WINDOWS\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware InterCom.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MySoftware InterCom.lnk
    backup=C:\WINDOWS\pss\MySoftware InterCom.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PrecisionTime.lnk
    backup=C:\WINDOWS\pss\PrecisionTime.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
    backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
    backup=C:\WINDOWS\pss\Quicken Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^TA_Start.lnk]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\TA_Start.lnk
    backup=C:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^Think-Adz.lnk]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\Think-Adz.lnk
    backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Windows User^Start Menu^Programs^Startup^w32.exe]
    path=C:\Documents and Settings\Windows User\Start Menu\Programs\Startup\w32.exe
    backup=C:\WINDOWS\pss\w32.exeStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
    "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aDs8RWimT]
    msrcsp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    C:\Program Files\AIM\aim.exe -cnetwait.odl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltPayments]
    "C:\Program Files\AltPayments\AltPayments.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
    "C:\Program Files\America Online 9.0\AOL.EXE" -b

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
    "C:\Program Files\Ares\Ares.exe" -h

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoUpdater]
    "C:\Program Files\AutoUpdate\AutoUpdate.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Belt]
    C:\WINDOWS\Belt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
    "C:\Program Files\BitTorrent_DNA\dna.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C5OT6]
    C:\WINDOWS\renvsyu.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClamWin]
    "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CleanUp]
    C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
    C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
    C:\Program Files\DIGStream\digstream.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
    C:\WINDOWS\System32\twinlmds.exe CHD003

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Instant Access]
    rundll32.exe EGDHTML_1030.dll,InstantAccess

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
    "C:\Program Files\Internet Optimizer\optimize.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgn]
    C:\WINDOWS\jgn.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update 64 BIT]
    wininit32.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
    C:\Program Files\Microsoft Works\WkDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
    C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
    "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    snd332.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure]
    C:\WINDOWS\System32\Ooaqaq.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System service76]
    C:\WINDOWS\\\etb\\pokapoka76.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
    SysTray.Exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysUpd]
    C:\WINDOWS\sysupd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
    C:\PROGRA~1\Toolbar\TBPS.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Trickler]
    "c:\documents and settings\windows user\local settings\temp\fsg_tmp\ginst_001.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updater]
    C:\Program Files\Common files\updater\wupdater.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" /disabled

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
    C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
    RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
    C:\Program Files\Microsoft Works\wkfud.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo Messenger]
    NETSTATT.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    "Hidserv"=Hidserv.exe run

    R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
    R1 cdudf;cdudf;C:\WINDOWS\System32\drivers\cdudf.sys
    R1 cmosa;cmosa;C:\WINDOWS\System32\drivers\cmosa.sys
    R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
    R1 UdfReadr;UdfReadr;C:\WINDOWS\System32\drivers\UdfReadr.sys
    R2 fcqwhxik;Terminal Device Controller;C:\WINDOWS\System32\svchost.exe -k netsvcs
    R2 HPFECP15;HPFECP15;C:\WINDOWS\System32\drivers\HPFECP15.SYS
    R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
    S4 InstallTest;InstallTest;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\InstallTest.exe" /test
    S4 Metric Conversion Calculator Installer;Metric Conversion Calculator Installer;"C:\Program Files\Digital Design Ltd\Metric Conversion Calculator\MCCINST.EXE" /update


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    "C:\WINDOWS\System32\rundll32.exe" "C:\PROGRA~1\MESSEN~1\msgsc.dll",ShowIconsUser
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-03 19:00:02 C:\WINDOWS\Tasks\Tune-up Application Start.job"
    "2007-11-03 21:02:04 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job"
    "2007-11-03 21:23:16 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (FAMILY-Windows User).job"
    "2007-11-03 17:27:20 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Windows User).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-11-03 07:00:02 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
    - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    "2007-11-02 19:51:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-03 21:22:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Home).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    "2007-11-03 21:24:02 C:\WINDOWS\Tasks\McAfee.com Update Check (FAMILY-Michael).job"
    - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 16:23:45
    Windows 5.1.2600 Service Pack 1 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-03 16:25:13 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-02 09:48
    .
    --- E O F ---

    Again, I had to go to Last Known Good Configuration to start up after ComboFix ran. Also, I noticed "Copying Permissions Was Not Successful" and "Reason: Unknown Error" in one of the last ComboFix boxes.

    More fun facts: the computer actually doesn't run that bad overall, but there are problems with the Internet, I think due to Vundo. McAfee keeps coming up with:
    C:\System Volume Information\_restore{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP26\A0006668.dll and then lists Vundo.dll as the virus. McAfee then lists 2 more which appear identical except for the last part, A000669.dll and A0006673.dll. The 4th finding by McAfee is C:\VundoFix Backups\mljkfd.dll.bad. I quarantine these files each time.


    The folder you listed- C:\windows\system32\Mz17r and the mZOr are unknown to me and most likely don't belong. I wouldn't do my work on this computer since it's shared by 2 teenage sons.

    Listed below is the HijackThis request:
    Ad-Aware SE Personal
    Adobe Acrobat Reader 3.0
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Reader 7.0.8
    Adobe® Photoshop® Album Starter Edition 3.0
    AIM 6.0
    AOL Coach Version 2.0(Build:20041026.5 en)
    AOL Deskbar
    AOL Instant Messenger
    AOL Toolbar 2.0
    AOL Uninstaller (Choose which Products to Remove)
    AOL You've Got Pictures Screensaver
    Apple Software Update
    CCleaner (remove only)
    Dell ResourceCD
    DivX
    DivX Converter
    DivX Player
    DivX Web Player
    Easy CD Creator 5 Basic
    ESPN RunTime
    HaxFix 4.29
    Hijackthis 1.99.1
    HijackThis 2.0.2
    HP DeskJet 895C Series (Remove only)
    Internet Explorer Q903235
    iTunes
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_03
    Learn2 Player (Uninstall Only)
    LimeWire PRO 4.10.9
    Macromedia Shockwave Player
    McAfee SecurityCenter
    McAfee VirusScan
    Metric Conversion Calculator
    Microsoft .NET Framework 1.1
    Microsoft Data Access Components KB870669
    Microsoft Office PowerPoint Viewer 2003
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    Music Rescue 3.1.1
    Musicnotes Player V1.22.2
    NVIDIA Drivers
    OpenMG Limited Patch 4.1-05-14-24-01
    OpenMG Secure Module 4.1.00
    Photodex Presenter
    PSP Video 9 1.74
    Pure Networks Port Magic
    Quicken 2003 Deluxe
    QuickTime
    RealPlayer
    RTC Client API v1.2
    Spelling Dictionaries For Adobe Reader Package
    Spybot - Search & Destroy 1.4
    Viewpoint Media Player
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Hotfix - KB822603
    Windows XP Uninstall
    WinZip Self-Extractor


    Finally, I still get a popup on the task bar which appears only for 4-5 seconds, usually around startup time, and then disappears. I think it's one of those sites to click on claiming it found a virus on the computer, and if you click on it, it will take you to an (illegitimate) site so you can remove the virus.

    The McAfee VirusScan window also keeps popping up saying "Potential Worm Activity Detected" since "5 emails have been sent within the last 30 seconds". Of course, I'm not sending the emails, and I hit "Stop this email" each time. Sometimes the window will pop up 3-5 times in a row.

    Just trying to let you know everything, so hopefully something will click on how to resolve the headache. Thanks again.

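    The ComboFix log above is long, and the useful part for triage is small: the registry loading points (the two Browser Helper Objects, the Winlogon Notify subkey and the services) and the four files the tool could not delete, which turn out to be the very files those loading points reference. The following is an added example for this thread, not ComboFix, OTMoveIt or any poster's own code: a small parser that pulls those entries out of a ComboFix-style log into records and cross-references them with the "failed to delete" list. The SAMPLE_LOG text is a constructed excerpt copied from the log above so the script runs offline; the file-extension list and the "driver image is not a .sys" and "hosted in svchost" heuristics are this example's assumptions, not something ComboFix reports.

```python
"""Triage helper for a ComboFix-style log (added example, not ComboFix's code).

Pulls the "Reg Loading Points" entries (BHOs, Run values, Winlogon Notify
DLLs) and the R0-R3/S4 service lines into records and cross-references them
with the files ComboFix reported '. . . . failed to delete', so each locked
file can be tied back to the autostart that keeps it in use.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\SYSTEM32\zpcjpsfs.dat
C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat . . . . failed to delete
C:\WINDOWS\system32\ilsk.dll . . . . failed to delete
C:\WINDOWS\system32\msrepl40p.dll . . . . failed to delete

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC}]
2003-07-16 20:36 119552 --a------ C:\WINDOWS\System32\msrepl40p.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2FD5F8D-7716-453D-B69D-F5062FC26681}]
2007-10-27 01:14 82432 --a------ c:\windows\system32\ilsk.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hpghulnk]
ilsk.dll 2007-10-27 01:14 82432 C:\WINDOWS\SYSTEM32\ilsk.dll

R0 noittukv;noittukv;C:\WINDOWS\System32\drivers\snkwevbj.dat
R2 fcqwhxik;Terminal Device Controller;C:\WINDOWS\System32\svchost.exe -k netsvcs
R3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys
"""

# A Windows path ending in one of the file types seen in the log (assumed list).
PATH_RE = re.compile(r'([A-Za-z]:\\[^\r\n"\[\]]*?\.(?:dll|exe|sys|dat))\b', re.I)
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\...] section header
SERVICE_RE = re.compile(r"^(R[0-3]|S[0-4])\s+([^;]+);([^;]*);(.+)$")  # start;name;display;image
FAILED_RE = re.compile(r"^([A-Za-z]:\\.+?)\s+(?:\.\s+)+failed to delete$")


@dataclass(frozen=True)
class LoadPoint:
    kind: str   # "bho", "run", "winlogon_notify" or "service:<start type>"
    key: str    # CLSID, Run value name, Notify subkey or service name
    path: str   # backing file, lower-cased for comparison


def failed_deletes(log: str) -> set[str]:
    """Paths ComboFix flagged as 'failed to delete', lower-cased."""
    found: set[str] = set()
    for line in log.splitlines():
        m = FAILED_RE.match(line.strip())
        if m:
            found.add(m.group(1).lower())
    return found


def classify(key: str, line: str) -> tuple[str | None, str]:
    """Map a registry section header (plus the value line) to a kind and identifier."""
    k = key.lower()
    leaf = key.rsplit("\\", 1)[-1]
    if "browser helper objects" in k:
        return "bho", leaf
    if "winlogon\\notify" in k:
        return "winlogon_notify", leaf
    if k.endswith("\\run"):
        m = re.match(r'^"([^"]+)"=', line)
        return "run", m.group(1) if m else leaf
    return None, leaf


def load_points(log: str) -> list[LoadPoint]:
    """Walk the log: a [key] header applies to the lines below it until a blank line;
    service lines (R0..S4) stand on their own."""
    points: list[LoadPoint] = []
    current_key: str | None = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current_key = None
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, image = m.groups()
            p = PATH_RE.search(image)
            points.append(LoadPoint("service:" + start, name.strip(),
                                    p.group(1).lower() if p else image.lower()))
            continue
        if current_key is None:
            continue
        p = PATH_RE.search(line)
        if not p:
            continue
        kind, ident = classify(current_key, line)
        if kind:
            points.append(LoadPoint(kind, ident, p.group(1).lower()))
    return points


def suspicious(points: list[LoadPoint], failed: set[str]) -> list[tuple[LoadPoint, str]]:
    """Pair each load point with the reasons a triager would look at it first (heuristics assumed)."""
    findings: list[tuple[LoadPoint, str]] = []
    for p in points:
        if p.path in failed:
            findings.append((p, "backing file could not be deleted (locked or in use)"))
        if p.kind in ("service:R0", "service:R1") and not p.path.endswith(".sys"):
            findings.append((p, "boot/system-start driver whose image is not a .sys file"))
        if p.path.endswith("svchost.exe"):
            findings.append((p, "hosted in svchost; the real code is the service's ServiceDll, which this log does not show"))
    return findings


if __name__ == "__main__":
    for point, reason in suspicious(load_points(SAMPLE_LOG), failed_deletes(SAMPLE_LOG)):
        print(f"{point.kind:16} {point.key:40} {point.path}\n    -> {reason}")
```

    On the sample this flags both BHOs, the hpghulnk Notify entry and the noittukv driver because their files are in the failed-to-delete set, and the fcqwhxik service because it is only a svchost host; NvCplDaemon and NaiFiltr come out clean. The point of the cross-reference is the one the thread keeps running into: a file cannot be deleted while the loading point that references it is still live, so the load point and the file have to be dealt with together.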
  8. #8
    Neal is offline Dedicated Member
    Don't worry about the Vundo stuff McAfee is finding; it is easily taken care of later, as it is in the VundoFix backup folder and System Restore.


    Print these instructions or save them as a text document (on the desktop) using Notepad.


    There are more serious issues at hand, I'm afraid. I need you to do two scans: one is an online scanner, the other needs to be downloaded and installed, then run.


    And this...



    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat
      C:\WINDOWS\system32\ilsk.dll
      C:\WINDOWS\system32\ilsk.dll.bak
      C:\WINDOWS\system32\msrepl40p.dll


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




    * Click here to use the F-Secure Online Scanner
    • Then click the Start Scanning button below.
    • You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
    • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
    • In case you are having problems with installing the ActiveX/starting the scan, please read here.
    • Click the Full System Scan button.
    • It will start to download scanner components and databases. This can take a while.
    • The main scan will start.
    • Once the scan has finished, click the Automatic cleaning (recommended) button
    • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
    • The cleaning can take a while, so please be patient.
    • Then click the Show report button and copy and paste what's present under results in your next reply.




    You may want to printout the following instructions:

    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to the words Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
      • Click on Scanner on the toolbar at top of this screen.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Automatically generate report after every scan and uncheck Only if threats were found.
        • Under What to scan?
          • Select Scan every file.
      • Close AVG Anti-Spyware without running yet.
    Now disable (turn off) AVG Anti-Spyware:
    • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    ______________________________

    Reboot your computer in Safe Mode. If you can't go to Safe Mode or run from Safe Mode, use NORMAL MODE.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________


    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    Note: If the AVG Anti-Spyware screen does not fit your monitor screen, hold down the Alt key on the keyboard, then tap the spacebar; a menu should pop up, then choose Maximize. The AVG Anti-Spyware screen should now fit the screen a lot better.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.


    IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button.(3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop. I will need you to post this in your next reply.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot in Normal Mode.

  9. #9
    gr8fldad is offline Junior Member
    Here's the OTMoveIt Results:

    File move failed. C:\WINDOWS\SYSTEM32\DRIVERS\snkwevbj.dat scheduled to be moved on reboot.
    C:\WINDOWS\system32\ilsk.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\ilsk.dll scheduled to be moved on reboot.
    File move failed. C:\WINDOWS\system32\ilsk.dll.bak scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\msrepl40p.dll
    C:\WINDOWS\system32\msrepl40p.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\msrepl40p.dll scheduled to be moved on reboot.

    Created on 11/04/2007 11:38:57


    However, it asked to reboot and I did, but OTM didn't do anything different after startup. I followed the same procedure without rebooting a second time (even though it asked).

    Here's the F-Secure report:
    Scanning Report
    Sunday, November 04, 2007 11:50:06 - 14:13:15
    Computer name: FAMILY
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\


    --------------------------------------------------------------------------------

    Result: 25 malware found
    SpamTool.Win32.Agent.bk (virus)
    C:\WINDOWS\SYSTEM32\APPCERT\PRX66B.DLL (Submitted)
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    System
    System
    System
    System
    System
    Trojan-Clicker.Win32.Agent.mk (virus)
    C:\WINDOWS\SYSTEM32\ILSK(2).DLL (Renamed & Submitted)
    Trojan-Clicker.Win32.Agent.mu (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP12\A0002024.DLL (Renamed & Submitted)
    Trojan-Downloader.Win32.Agent.dng (virus)
    C:\WINDOWS\SYSTEM32\APPCERT\WNL32.DLL (Renamed & Submitted)
    Trojan-Downloader.Win32.Small.gkq (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005523.EXE (Renamed & Submitted)
    Trojan-Downloader.Win32.VB.blj (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005521.EXE (Renamed)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005522.EXE (Renamed)
    Trojan-Spy.Win32.Zbot.bg (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP27\A0006686.EXE (Renamed & Submitted)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP25\A0005635.EXE (Renamed & Submitted)
    Trojan.Win32.Obfuscated.iz (virus)
    C:\WINDOWS\SYSTEM32\ICF.EXE (Renamed & Submitted)
    W32/Adload.gen3 (virus)
    C:\GETTER.EXE (Submitted)
    W32/BHO.QG (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP29\A0006782.EXE (Submitted)
    W32/DLoader.ANVE (virus)
    C:\PROGRAM FILES\ALTPAYMENTS\ALTPAYMENTS.EXE (Submitted)
    W32/Zapchast.AQK (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005506.EXE (Submitted)
    W32/Zapchast.AQT (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005502.EXE (Submitted)
    W32/Zapchast.ARC (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005501.EXE (Submitted)
    W32/Zapchast.ARD (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005499.EXE (Submitted)
    W32/Zapchast.ARF (virus)
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{398B3581-ED6C-4B77-8DC0-0E4BEBDE90F5}\RP22\A0005500.EXE (Submitted)

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 29974
    System: 4625
    Not scanned: 3
    Actions:
    Disinfected: 1
    Renamed: 9
    Deleted: 0
    None: 15
    Submitted: 16
    Files not scanned:
    C:\PAGEFILE.SYS
    C:\HIBERFIL.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

    Time for AVG. I'll be back with the results...

  10. #10
    gr8fldad is offline Junior Member
    Everything seemed to be going fine until I got up to rebooting in safe mode to run AVG. I don't know if it's because of AVG alone or AVG combined with running McAfee in the background, or if it was the result of one of the other programs we ran, but the computer wouldn't start up in safe mode or regular mode. Would take 45 minutes plus to get to the desktop. Didn't think I had much of a choice, so I did a system restore back to the Combofix restore point. I hope I didn't undo anything beneficial from the programs after Combofix, but again, not much of a choice. AVG now gone and computer running... Should I redo OTMoveIT and/or F-Secure?

    Didn't know if it would help at all, but here's a current Hijackthis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:47, on 2007-11-04
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: (no name) - {9ECB0138-A7B2-4B4B-B690-085B77BED5AA} - C:\WINDOWS\System32\tustq.dll (file missing)
    O2 - BHO: (no name) - {B16EE9E5-852A-4FFA-B9B4-E1BB1B63C0CC} - C:\WINDOWS\System32\msrepl40p.dll
    O2 - BHO: (no name) - {D2FD5F8D-7716-453D-B69D-F5062FC26681} - c:\windows\system32\ilsk.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1120096280\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.ticketmaster.com
    O15 - Trusted Zone: *.westlaw.com
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbi...3/mcinsctl.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1124288862560
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbi...20/McGDMgr.cab
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O20 - Winlogon Notify: hpghulnk - C:\WINDOWS\SYSTEM32\ilsk.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFSERVICE.exe (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 6045 bytes



    Suggestions? Thanks.
