Pc infected through IE pop-ups & more(RESOLVED)

  #1 (permalink)  
Old 28-11-2007, 05:06 PM
sox

First - thanks for trying to help!!! Ok here we go...........User clicked on something that said there was 'an important update needed' while using I.E. Pop-ups aplenty now and during boot-up it now states: "Please insert a disk into drive A" (?)

This is my sister's pc so I had her send me a log so that I can try to get her some help. Here is what she sent me:

here's what the notepad said after I told this new program to do a system scan and save a log file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:59:45 AM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Judy\Desktop\HiJackThis_v2.exe

O2 - BHO: (no name) - {27A31A65-234F-46C8-AA70-1F7C2FE5F480} - C:\WINDOWS\system32\ddaya.dll
O2 - BHO: (no name) - {2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF} - C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp \CEMG555077.exe.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\tuvurss.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C7D86B7-A9BF-4E98-B05C-7CEA4444007E} - C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll (file missing)
O2 - BHO: (no name) - {A1676B83-B850-4289-AB1C-FD59E7EF6CAB} - C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper8 3122.exe.dll (file missing)
O2 - BHO: {44cb2c58-ac46-4519-bd94-09fb1b00cb5a} - {a5bc00b1-bf90-49db-9154-64ca85c2bc44} - C:\WINDOWS\system32\cxkfeynt.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [{7A-A7-7C-C4-ZN}] C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [4487a76b] rundll32.exe "C:\WINDOWS\system32\kaoxfrpp.dll",b
O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - S-1-5-18 Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
  #2 (permalink)  
Old 29-11-2007, 12:58 AM
Neal

You are using a beta version of hijackthis, so...



Please delete the version of HiJackThis.exe you have installed, then download the new version from here:

HIJACKTHIS

Make sure hijackthis is in its own folder like this:

Program Files\hijackthis\hijackthis.exe



Please go to hijackthis.exe and right click on it and then click on rename and rename it to foolyou.exe, press enter
and post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.




Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/winhelp2002/DelDomains.inf
Save the file to the desktop. Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.



Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.



1. Download this file - COMBOFIX to your Desktop.

2. Double click combofix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

If you are using Firefox, you may have to right click COMBOFIX and click on "Open Link in new window"


Post a new hijackthis log also please.



Also...


Open Hijackthis.

Click the "Open the Misc Tools" section Button.

Click the "Open Uninstall Manager" Button.

Click the "Save list..." Button.

Save it to your desktop. Copy and paste the contents into your reply.


It may take two posts to get all required information back here. Thanks.
__________________
Stalking and killing Spyware

  #3 (permalink)  
Old 29-11-2007, 03:48 AM
sox

Thanks for your help. After running the vundofix..... Here is the combofix log:

ComboFix 07-11-19.4C - Judy 2007-11-27 20:40:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.216 [GMT -6:00]
Running from: C:\Documents and Settings\Judy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Judy\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Judy\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Judy\Favorites\Online Security Guide.lnk

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-27 20:27 <DIR> d-------- C:\VundoFix Backups
2007-11-27 20:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-27 06:19 85,056 --a------ C:\WINDOWS\system32\srsxmire.dll
2007-11-27 06:13 71,232 --a------ C:\WINDOWS\system32\rsdvcjio.exe
2007-11-26 06:41 78,912 --a------ C:\WINDOWS\system32\cxkfeynt.dll
2007-11-26 06:16 85,056 --a------ C:\WINDOWS\system32\kaoxfrpp.dll
2007-11-26 06:16 354 --ahs---- C:\WINDOWS\system32\pprfxoak.ini
2007-11-26 06:13 71,232 --a------ C:\WINDOWS\system32\qmexhwjg.exe
2007-11-25 06:22 294 --ahs---- C:\WINDOWS\system32\vnwjghew.ini
2007-11-25 06:13 71,232 --a------ C:\WINDOWS\system32\gjyuelhc.exe
2007-11-25 05:04 80,960 --a------ C:\WINDOWS\system32\rvrvvxol.dll
2007-11-24 20:19 85,056 --a------ C:\WINDOWS\system32\fnnhrnpn.dll.ren
2007-11-24 20:19 414 --a------ C:\WINDOWS\system32\npnrhnnf.ini.ren
2007-11-24 20:16 79,936 --a------ C:\WINDOWS\system32\knfnxlfo.dll
2007-11-24 20:13 71,232 --a------ C:\WINDOWS\system32\drpvkooj.exe
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\Judy\Goett Family Photos
2007-11-23 20:19 354 --ahs---- C:\WINDOWS\system32\yilirqcs.ini
2007-11-23 20:18 85,056 --a------ C:\WINDOWS\system32\scqriliy.dll.ren
2007-11-23 20:15 81,472 --a------ C:\WINDOWS\system32\xnyftfwu.dll
2007-11-23 20:10 71,232 --a------ C:\WINDOWS\system32\glqrlmov.exe
2007-11-23 20:08 85,056 --a------ C:\WINDOWS\system32\mwjcgorf.dll
2007-11-23 20:03 71,232 --a------ C:\WINDOWS\system32\jrmykvpo.exe .ren
2007-11-21 22:20 354 --a------ C:\WINDOWS\system32\qfodbged.ini.ren
2007-11-21 22:19 85,056 --a------ C:\WINDOWS\system32\degbdofq.dll.ren
2007-11-21 22:13 71,232 --a------ C:\WINDOWS\system32\pwqtitio.exe
2007-11-21 21:05 71,232 --a------ C:\WINDOWS\system32\ncdvpuew.exe
2007-11-21 20:51 71,232 --a------ C:\WINDOWS\system32\ciwgnfdh.exe
2007-11-21 20:08 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2007-11-21 19:53 85,056 --a------ C:\WINDOWS\system32\ixobdpry.dll.ren
2007-11-21 19:53 354 --ahs---- C:\WINDOWS\system32\yrpdboxi.ini
2007-11-21 19:45 79,936 --a------ C:\WINDOWS\system32\fthphise.dll
2007-11-21 19:43 71,232 --a------ C:\WINDOWS\system32\ffgrlohf.exe
2007-11-21 19:35 71,232 --a------ C:\WINDOWS\system32\byhjucbh.exe .ren
2007-11-21 17:20 <DIR> d-------- C:\Program Files\7 Artifacts
2007-11-21 16:20 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-21 16:20 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-21 16:20 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-21 16:20 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-20 06:45 85,056 --a------ C:\WINDOWS\system32\ppdjgwxk.dll
2007-11-20 06:39 80,960 --a------ C:\WINDOWS\system32\qhfvfkas.dll
2007-11-19 06:39 85,056 --a------ C:\WINDOWS\system32\obrhvjyw.dll.ren
2007-11-19 06:39 1,374 --ahs---- C:\WINDOWS\system32\wyjvhrbo.ini
2007-11-19 06:36 84,544 --a------ C:\WINDOWS\system32\lwbgcgya.dll
2007-11-18 06:43 83,008 --a------ C:\WINDOWS\system32\skfuwpvc.dll
2007-11-18 06:40 1,134 --ahs---- C:\WINDOWS\system32\npvlcuye.ini
2007-11-18 06:32 71,232 --a------ C:\WINDOWS\system32\nygqetio.exe
2007-11-17 05:16 1,014 --ahs---- C:\WINDOWS\system32\wwhuoihl.ini
2007-11-17 05:10 79,424 --a------ C:\WINDOWS\system32\flremcob.dll
2007-11-17 05:10 71,232 --a------ C:\WINDOWS\system32\nudndjxf.exe.ren
2007-11-17 03:29 36,352 --a------ C:\WINDOWS\system32\ddcdaxv.dll
2007-11-17 03:28 36,352 --a------ C:\WINDOWS\system32\vtuvtrs.dll
2007-11-16 05:12 82,496 --a------ C:\WINDOWS\system32\vlbkbfix.dll
2007-11-16 05:09 71,232 --a------ C:\WINDOWS\system32\ocbgstip.exe
2007-11-15 05:13 81,984 --a------ C:\WINDOWS\system32\vjurfhqw.dll
2007-11-15 05:10 71,232 --a------ C:\WINDOWS\system32\oeuqxcte.exe
2007-11-14 18:49 38,912 --a------ C:\WINDOWS\system32\yayywxy.dll
2007-11-14 18:48 38,912 --a------ C:\WINDOWS\system32\iifedbc.dll
2007-11-14 18:47 38,912 --a------ C:\WINDOWS\system32\ddcywwv.dll
2007-11-14 05:40 534 --ahs---- C:\WINDOWS\system32\mpythbqg.ini
2007-11-14 05:28 71,232 --a------ C:\WINDOWS\system32\ptausmgh.exe
2007-11-13 05:19 414 --ahs---- C:\WINDOWS\system32\rrxyaaga.ini
2007-11-13 05:16 81,472 --a------ C:\WINDOWS\system32\btoelwqq.dll
2007-11-13 05:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-13 05:06 <DIR> d-------- C:\Program Files\Cool
2007-11-13 05:04 71,232 --a------ C:\WINDOWS\system32\hfwdfqtc.exe
2007-11-11 15:08 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-11 15:08 35,840 --a------ C:\WINDOWS\mrofinu572.exe.ren
2007-11-11 15:00 434,225 --a------ C:\WINDOWS\system32\ayadd.ini2.ren
2007-11-11 15:00 434,225 --ahs---- C:\WINDOWS\system32\ayadd.ini.ren
2007-11-11 14:53 35,840 --a------ C:\WINDOWS\mrofinu77.exe
2007-11-11 14:53 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-11 14:52 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-11 14:52 <DIR> d-------- C:\Temp\abW9
2007-11-11 14:52 <DIR> d-------- C:\Temp
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Picasa2
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Google
2007-11-03 06:53 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-11-03 06:53 <DIR> d-------- C:\Program Files\Jewel Match
2007-11-02 22:51 <DIR> d-------- C:\WINDOWS\Sun
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Nero
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-02 17:54 <DIR> d-------- C:\Program Files\Limewire
2007-11-02 17:54 <DIR> d-------- C:\Documents and Settings\Judy\Shared
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\Incomplete
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\.limewire
2007-11-02 16:53 <DIR> dr------- C:\Program Files\Dazzle
2007-11-02 16:53 <DIR> d-------- C:\Program Files\Common Files\SCM
2007-11-02 16:53 36,864 --a------ C:\WINDOWS\system32\Stlhook.dll
2007-11-02 16:53 13,325 --------- C:\WINDOWS\system32\drivers\Stltrk2k.sys
2007-11-02 16:47 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-02 16:47 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-02 16:45 <DIR> d-------- C:\EPSONREG
2007-11-02 16:45 436 --a------ C:\WINDOWS\PowerReg.dat
2007-11-02 16:44 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-02 16:44 212,480 --a------ C:\WINDOWS\pcdlib32.dll
2007-11-02 16:44 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-11-02 16:43 <DIR> d-------- C:\Program Files\Common Files\Python
2007-11-02 16:43 708,696 --a------ C:\WINDOWS\system32\python21.dll
2007-11-02 16:43 290,919 --a------ C:\WINDOWS\system32\pythoncom21.dll
2007-11-02 16:43 57,344 --a------ C:\WINDOWS\system32\PyWinTypes21.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 12:16 81,984 ----a-w C:\WINDOWS\system32\kwewxjrp.dll
2007-11-25 12:16 80,960 ----a-w C:\WINDOWS\system32\kwtkplyh.dll
2007-11-25 11:02 71,232 ----a-w C:\WINDOWS\system32\sxwpwgjk.exe .ren
2007-11-22 04:16 79,936 ----a-w C:\WINDOWS\system32\vduebjwp.dll
2007-11-22 02:56 71,232 ----a-w C:\WINDOWS\system32\tgwxusjr.exe
2007-11-20 12:33 71,232 ----a-w C:\WINDOWS\system32\thautppd.exe
2007-11-19 12:33 71,232 ----a-w C:\WINDOWS\system32\ljvnkrbj.exe
2007-11-14 11:34 79,936 ----a-w C:\WINDOWS\system32\kymwehhw.dll
2007-11-11 20:53 171,520 ----a-w C:\WINDOWS\system32\lsvxpxg.dll.ren
2007-11-11 20:52 36,352 ----a-w C:\WINDOWS\system32\tuvurss.dll.ren
2007-11-01 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-22 00:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-12 02:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 01:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 01:57 195,096 ----a-w C:\WINDOWS\system32\lvci1150.dll
2007-10-12 01:55 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 01:55 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_19.47.51.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 02:32:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_694.dat
+ 2007-11-28 02:32:34 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_70.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF}]
C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp \CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{43ba4dbf-2059-465f-9db0-ff6e7f8a8038}]
2007-11-27 06:16 81984 --a------ C:\WINDOWS\system32\kwewxjrp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C7D86B7-A9BF-4E98-B05C-7CEA4444007E}]
C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1676B83-B850-4289-AB1C-FD59E7EF6CAB}]
C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper8 3122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" [2007-09-22 07:40]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 15:18]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 05:42 C:\WINDOWS\soundman.exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"{7A-A7-7C-C4-ZN}"="C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe" []
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []
"4487a76b"="C:\WINDOWS\system32\srsxmire.dll" [2007-11-27 06:19]

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{96DEEE3E-4F2A-C3E1-1707-E35CA017F612}]
C:\WINDOWS\system32:calc.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 20:41:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 20:42:26
C:\ComboFix2.txt ... 2007-11-27 20:00
C:\ComboFix3.txt ... 2007-11-27 19:48
.
--- E O F ---
and here is the latest hijack log as requested:

6-in-1 Reader
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Stock Photos 1.0
ArcSoft PhotoImpression
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
avast! Antivirus
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon i9900
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities ZoomBrowser EX
Cool
Diskeeper 2007 Pro Premier
Easy-WebPrint
EPSON Copy Utility
EPSON Photo Print
EPSON Scanner Reference Guide
EPSON Smart Panel
EPSON TWAIN 5
EVEREST Ultimate Edition v4.20
FlashGet 1.9.6.1073
HijackThis 2.0.2
iCF Skin Pack
iColorFolder
Java(TM) 6 Update 3
Jewel Match
Logitech QuickCam
Logitech QuickCam Driver Package
Marvell Miniport Driver
Microsoft .NET Framework 2.0
Mozilla Firefox (2.0.0.10)
Nero 8
neroxml
Norton PartitionMagic 8.0
NVIDIA Drivers
Picasa 2
PowerDVD Ultra
QuickTime
Realtek AC'97 Audio
Recover My Files
ScanToWeb
Spybot - Search & Destroy
USB Safely Remove 3.0
VCRedistSetup
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver
WinZip 11.1
XP Repair Pro 2007
Your Uninstaller! 2006 Version 5

I noticed that some icons are now removed that had been installed by the attack etc. so I'm hoping we are on our way to fixing this - thanks to your help!!!!
  #4 (permalink)  
Old 29-11-2007, 06:08 AM
Neal

Did you keep the vundofix log?



1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on:

COOL


Click on Delete this entry

Reboot your computer.



Very infected, seriously actually, seems to be the norm these days.




Please download and install SUPERAntiSpyware Trial Pro Edition http://www.superantispyware.com/superantispyware.html

* Load SUPERAntiSpyware and click the Check for Updates button.
* Once the update has finished, exit SUPERAntiSpyware. Please do NOT run a scan yet!


IMPORTANT: Do NOT open any other windows or programs while SUPERAntiSpyware is scanning, it may interfere with the scanning process.

* Open SUPERAntiSpyware and click the Scan your Computer button.
* Check Perform Complete Scan and then click Next.
* SUPERAntiSpyware will now scan your computer and when it’s finished it will list all the infections it has found.
* Make sure that they all have a check next to them, and then click Next.
* Click Finish and you will be taken back to the main interface.
* It could be possible that it will ask you to reboot your computer in order to delete some files after reboot.
* I'll need a log afterwards of what has been found.
* To get the log, click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.
* Please post the results of the SUPERAntiSpyware log in your next reply.



New combofix scan and log after super antispyware scan and log.


I need a new hijackthis log also. Thanks.
Last edited by Neal; 29-11-2007 at 06:12 AM.
  #5 (permalink)  
Old 29-11-2007, 09:52 PM
sox

OK - here is the Vundo log from last night:


VundoFix V6.6.2

Checking Java version...

Scan started at 8:27:36 PM 11/27/2007

Listing files found while scanning....

C:\windows\system32\iifddbx.dll
C:\windows\system32\nwgnuwrx.dll
C:\windows\system32\ognklvix.dll
C:\windows\system32\ognklvix.dllbox
C:\windows\system32\pmnnoom.dll
C:\WINDOWS\system32\tuvurss.dll
C:\windows\system32\tyjylqcj.dll

Beginning removal...

Attempting to delete C:\windows\system32\iifddbx.dll
C:\windows\system32\iifddbx.dll Has been deleted!

Attempting to delete C:\windows\system32\nwgnuwrx.dll
C:\windows\system32\nwgnuwrx.dll Has been deleted!

Attempting to delete C:\windows\system32\ognklvix.dll
C:\windows\system32\ognklvix.dll Has been deleted!

Attempting to delete C:\windows\system32\ognklvix.dllbox
C:\windows\system32\ognklvix.dllbox Has been deleted!

Attempting to delete C:\windows\system32\pmnnoom.dll
C:\windows\system32\pmnnoom.dll Has been deleted!

Attempting to delete C:\windows\system32\tyjylqcj.dll
C:\windows\system32\tyjylqcj.dll Has been deleted!

Performing Repairs to the registry.
Done!

****************************************

November 28, 2007......I followed your instructions and SuperAntiSpyware did want to reboot - unfortunately upon reboot I got an error "RUNDLL Error loading C: WINDOWS\System 32\Srsxmire.dll The specified module could not be found."

Anyway - here is the log from SuperAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/28/2007 at 01:22 PM

Application Version : 3.9.1008

Core Rules Database Version : 3352
Trace Rules Database Version: 1351

Scan type : Complete Scan
Total Scan Time : 01:09:28

Memory items scanned : 554
Memory threats detected : 1
Registry items scanned : 5482
Registry threats detected : 19
File items scanned : 78514
File threats detected : 366

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\SRSXMIRE.DLL
C:\WINDOWS\SYSTEM32\SRSXMIRE.DLL
HKLM\Software\Classes\CLSID\{43ba4dbf-2059-465f-9db0-ff6e7f8a8038}
HKCR\CLSID\{43BA4DBF-2059-465F-9DB0-FF6E7F8A8038}
HKCR\CLSID\{43BA4DBF-2059-465F-9DB0-FF6E7F8A8038}\InprocServer32
HKCR\CLSID\{43BA4DBF-2059-465F-9DB0-FF6E7F8A8038}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\KWEWXJRP.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43ba4dbf-2059-465f-9db0-ff6e7f8a8038}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006770.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP69\A0006791.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP70\A0006851.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP72\A0006872.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP72\A0006873.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP72\A0006884.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0006936.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0008011.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0009084.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP75\A0009147.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP75\A0009148.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP77\A0010204.DLL
C:\WINDOWS\SYSTEM32\CXKFEYNT.DLL
C:\WINDOWS\SYSTEM32\FLREMCOB.DLL
C:\WINDOWS\SYSTEM32\FTHPHISE.DLL
C:\WINDOWS\SYSTEM32\KAOXFRPP.DLL
C:\WINDOWS\SYSTEM32\KNFNXLFO.DLL
C:\WINDOWS\SYSTEM32\KWTKPLYH.DLL
C:\WINDOWS\SYSTEM32\KYMWEHHW.DLL
C:\WINDOWS\SYSTEM32\LWBGCGYA.DLL
C:\WINDOWS\SYSTEM32\MWJCGORF.DLL
C:\WINDOWS\SYSTEM32\PPDJGWXK.DLL
C:\WINDOWS\SYSTEM32\QHFVFKAS.DLL
C:\WINDOWS\SYSTEM32\RVRVVXOL.DLL
C:\WINDOWS\SYSTEM32\SKFUWPVC.DLL
C:\WINDOWS\SYSTEM32\VDUEBJWP.DLL
C:\WINDOWS\SYSTEM32\VJURFHQW.DLL
C:\WINDOWS\SYSTEM32\VLBKBFIX.DLL
C:\WINDOWS\SYSTEM32\XNYFTFWU.DLL

Trojan.Downloader-Gen/Cool
HKLM\Software\Classes\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}#AppID
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\InprocServer32
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\InprocServer32#ThreadingModel
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\ProgID
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\Programmable
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\TypeLib
HKCR\CLSID\{5C2A9795-B130-4622-B036-BDCAD28602DC}\VersionIndependentProgID
C:\PROGRAM FILES\COOL\COOL.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP67\A0006703.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0006932.DLL

Adware.Tracking Cookie

Malware.LocusSoftware Inc/SpyGuardPro
HKLM\Software\SpyGuardPro
HKLM\Software\SpyGuardPro#EulaUGA6P_0001_N122M2210

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\JUDY\APPLICATION DATA\INSTALLER_EN[1].EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010296.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\B147.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\H2\JUMPER83122.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP73\A0006919.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010301.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010305.EXE

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\F1\DNSLOOK11.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010304.EXE

Adware.WebBuying Assistant-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP66\A0005695.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006726.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006727.EXE

Trojan.Downloader-Gen/MROFIN
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP67\A0005703.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006784.EXE
C:\WINDOWS\MROFINU1000106.EXE
C:\WINDOWS\MROFINU77.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006725.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006741.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010312.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010453.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010454.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010456.DLL
C:\WINDOWS\SYSTEM32\BTOELWQQ.DLL

Trojan.Downloader-Gen/BundleBase
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP68\A0006783.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP70\A0006863.EXE
C:\WINDOWS\SYSTEM32\RMA01YY\RMA01YY1065.EXE
C:\WINDOWS\SYSTEM32\RMA02YY\RMA02YY1099.EXE

Adware.WebBuying Assistant/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0006934.DLL
C:\WINDOWS\SYSTEM32\LSVXPXG.DLL.REN

Trojan.Downloader-Gen/DDC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0006941.EXE
C:\WINDOWS\SYSTEM32\BYHJUCBH.EXE .REN
C:\WINDOWS\SYSTEM32\CIWGNFDH.EXE
C:\WINDOWS\SYSTEM32\DRPVKOOJ.EXE
C:\WINDOWS\SYSTEM32\FFGRLOHF.EXE
C:\WINDOWS\SYSTEM32\GJYUELHC.EXE
C:\WINDOWS\SYSTEM32\GLQRLMOV.EXE
C:\WINDOWS\SYSTEM32\HFWDFQTC.EXE
C:\WINDOWS\SYSTEM32\JRMYKVPO.EXE .REN
C:\WINDOWS\SYSTEM32\LJVNKRBJ.EXE
C:\WINDOWS\SYSTEM32\NCDVPUEW.EXE
C:\WINDOWS\SYSTEM32\NUDNDJXF.EXE.REN
C:\WINDOWS\SYSTEM32\NYGQETIO.EXE
C:\WINDOWS\SYSTEM32\OCBGSTIP.EXE
C:\WINDOWS\SYSTEM32\OEUQXCTE.EXE
C:\WINDOWS\SYSTEM32\PTAUSMGH.EXE
C:\WINDOWS\SYSTEM32\PWQTITIO.EXE
C:\WINDOWS\SYSTEM32\QMEXHWJG.EXE
C:\WINDOWS\SYSTEM32\RSDVCJIO.EXE
C:\WINDOWS\SYSTEM32\SXWPWGJK.EXE .REN
C:\WINDOWS\SYSTEM32\TGWXUSJR.EXE
C:\WINDOWS\SYSTEM32\THAUTPPD.EXE

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP74\A0006982.DLL
C:\WINDOWS\SYSTEM32\DDCDAXV.DLL
C:\WINDOWS\SYSTEM32\TUVURSS.DLL.REN
C:\WINDOWS\SYSTEM32\VTUVTRS.DLL

Adware.Vundo-Variant/Small
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010452.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{2E14456A-F56A-4A32-B00A-6297F806AA64}\RP78\A0010455.DLL
C:\WINDOWS\SYSTEM32\DDCYWWV.DLL
C:\WINDOWS\SYSTEM32\IIFEDBC.DLL
C:\WINDOWS\SYSTEM32\YAYYWXY.DLL
****************************************************

Here is the combofix scan after the SuperAntiSpyware scan:

ComboFix 07-11-19.4C - Judy 2007-11-28 14:43:42.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.182 [GMT -6:00]
Running from: C:\Documents and Settings\Judy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-28 12:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-28 12:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 12:10 <DIR> d-------- C:\Documents and Settings\Judy\Application Data\SUPERAntiSpyware.com
2007-11-28 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-28 06:00 <DIR> d-------- C:\Documents and Settings\Judy\Application Data\URSE Games
2007-11-28 04:57 <DIR> d-------- C:\Program Files\Holiday Bonus
2007-11-27 20:27 <DIR> d-------- C:\VundoFix Backups
2007-11-27 20:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 06:16 354 --ahs---- C:\WINDOWS\system32\pprfxoak.ini
2007-11-25 06:22 294 --ahs---- C:\WINDOWS\system32\vnwjghew.ini
2007-11-24 20:19 85,056 --a------ C:\WINDOWS\system32\fnnhrnpn.dll.ren
2007-11-24 20:19 414 --a------ C:\WINDOWS\system32\npnrhnnf.ini.ren
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\Judy\Goett Family Photos
2007-11-23 20:19 354 --ahs---- C:\WINDOWS\system32\yilirqcs.ini
2007-11-23 20:18 85,056 --a------ C:\WINDOWS\system32\scqriliy.dll.ren
2007-11-21 22:20 354 --a------ C:\WINDOWS\system32\qfodbged.ini.ren
2007-11-21 22:19 85,056 --a------ C:\WINDOWS\system32\degbdofq.dll.ren
2007-11-21 20:08 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2007-11-21 19:53 85,056 --a------ C:\WINDOWS\system32\ixobdpry.dll.ren
2007-11-21 19:53 354 --ahs---- C:\WINDOWS\system32\yrpdboxi.ini
2007-11-21 17:20 <DIR> d-------- C:\Program Files\7 Artifacts
2007-11-21 16:20 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-21 16:20 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-21 16:20 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-21 16:20 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-21 16:20 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-21 16:20 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-19 06:39 85,056 --a------ C:\WINDOWS\system32\obrhvjyw.dll.ren
2007-11-19 06:39 1,374 --ahs---- C:\WINDOWS\system32\wyjvhrbo.ini
2007-11-18 06:40 1,134 --ahs---- C:\WINDOWS\system32\npvlcuye.ini
2007-11-17 05:16 1,014 --ahs---- C:\WINDOWS\system32\wwhuoihl.ini
2007-11-14 05:40 534 --ahs---- C:\WINDOWS\system32\mpythbqg.ini
2007-11-13 05:19 414 --ahs---- C:\WINDOWS\system32\rrxyaaga.ini
2007-11-13 05:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-13 05:06 <DIR> d-------- C:\Program Files\Cool
2007-11-11 15:08 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-11 15:00 434,225 --a------ C:\WINDOWS\system32\ayadd.ini2.ren
2007-11-11 15:00 434,225 --ahs---- C:\WINDOWS\system32\ayadd.ini.ren
2007-11-11 14:52 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-11 14:52 <DIR> d-------- C:\Temp\abW9
2007-11-11 14:52 <DIR> d-------- C:\Temp
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Picasa2
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Google
2007-11-03 06:53 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-11-03 06:53 <DIR> d-------- C:\Program Files\Jewel Match
2007-11-02 22:51 <DIR> d-------- C:\WINDOWS\Sun
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Nero
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-02 17:54 <DIR> d-------- C:\Program Files\Limewire
2007-11-02 17:54 <DIR> d-------- C:\Documents and Settings\Judy\Shared
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\Incomplete
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\.limewire
2007-11-02 16:53 <DIR> dr------- C:\Program Files\Dazzle
2007-11-02 16:53 <DIR> d-------- C:\Program Files\Common Files\SCM
2007-11-02 16:53 36,864 --a------ C:\WINDOWS\system32\Stlhook.dll
2007-11-02 16:53 13,325 --------- C:\WINDOWS\system32\drivers\Stltrk2k.sys
2007-11-02 16:47 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-02 16:47 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-02 16:45 <DIR> d-------- C:\EPSONREG
2007-11-02 16:44 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-02 16:44 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-11-02 16:43 <DIR> d-------- C:\Program Files\Common Files\Python
2007-11-02 16:43 708,696 --a------ C:\WINDOWS\system32\python21.dll
2007-11-02 16:43 290,919 --a------ C:\WINDOWS\system32\pythoncom21.dll
2007-11-02 16:43 57,344 --a------ C:\WINDOWS\system32\PyWinTypes21.dll
2007-11-02 16:42 73,216 --a------ C:\WINDOWS\ADE.DLL
2007-11-02 16:42 3,136 --a------ C:\WINDOWS\Ade001.bin
2007-11-02 16:41 <DIR> d-------- C:\Program Files\EPSON
2007-11-02 16:41 <DIR> d-------- C:\EPSON
2007-11-02 16:33 <DIR> d-------- C:\WINDOWS\I9900
2007-11-02 16:33 113,152 --a------ C:\WINDOWS\system32\CNMLM5p.DLL
2007-11-02 16:33 86,016 -ra------ C:\WINDOWS\system32\CNMCP5p.exe
2007-11-02 16:33 7,680 --a------ C:\WINDOWS\system32\CNMVS5p.DLL
2007-11-02 16:32 <DIR> d-------- C:\Program Files\Canon
2007-11-02 16:23 73,728 -ra------ C:\WINDOWS\system32\cnm6C.tmp
2007-11-02 16:21 73,728 -ra------ C:\WINDOWS\system32\cnm32.tmp
2007-11-02 16:19 <DIR> d-------- C:\WINDOWS\StartHtmico
2007-11-02 16:19 <DIR> d-------- C:\WINDOWS\I900D
2007-11-02 16:19 105,984 --a------ C:\WINDOWS\system32\CNMLM5e.DLL
2007-11-02 16:19 73,728 -ra------ C:\WINDOWS\system32\CNMCP5e.exe
2007-11-02 16:19 6,656 --a------ C:\WINDOWS\system32\CNMVS5e.DLL
2007-11-02 16:19 6,184 -ra------ C:\WINDOWS\system32\cmglue.vxd
2007-11-02 16:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-02 16:16 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-02 16:13 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-11-02 16:13 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-11-02 16:13 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2007-11-02 16:13 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-11-02 16:13 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-11-02 16:06 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2007-11-02 16:06 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-11-02 16:06 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-11-02 16:06 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2007-11-02 16:06 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2007-11-02 16:06 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2007-11-02 16:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-02 16:05 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-11-02 16:05 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-11-02 16:05 21,138 --a------ C:\WINDOWS\system32\Repository.reg
2007-11-02 16:04 <DIR> d-------- C:\Program Files\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 09:29 35,840 ----a-w C:\WINDOWS\mrofinu572.exe.ren
2007-11-02 07:26 512,000 ----a-w C:\WINDOWS\SERVER-NME.EXE
2007-11-01 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-22 00:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-12 02:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 02:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 02:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 01:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 01:57 195,096 ----a-w C:\WINDOWS\system32\lvci1150.dll
2007-10-12 01:55 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 01:55 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_19.47.51.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 18:10:23 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-28 18:10:23 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-28 18:10:23 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-11-28 20:34:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_330.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF}]
C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C7D86B7-A9BF-4E98-B05C-7CEA4444007E}]
C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1676B83-B850-4289-AB1C-FD59E7EF6CAB}]
C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" [2007-09-22 07:40]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 15:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 05:42 C:\WINDOWS\soundman.exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"{7A-A7-7C-C4-ZN}"="C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe" []
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []
"4487a76b"="C:\WINDOWS\system32\srsxmire.dll" []

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{96DEEE3E-4F2A-C3E1-1707-E35CA017F612}]
C:\WINDOWS\system32:calc.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 14:44:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 14:45:12
C:\ComboFix2.txt ... 2007-11-27 20:42
C:\ComboFix3.txt ... 2007-11-27 20:00
.
--- E O F ---
********************************************************

Here is the new hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:16 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

O2 - BHO: (no name) - {2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF} - C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C7D86B7-A9BF-4E98-B05C-7CEA4444007E} - C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll (file missing)
O2 - BHO: (no name) - {A1676B83-B850-4289-AB1C-FD59E7EF6CAB} - C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper83122.exe.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [{7A-A7-7C-C4-ZN}] C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [4487a76b] rundll32.exe "C:\WINDOWS\system32\srsxmire.dll",b
O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 8068 bytes

Then this is the result of the hijack log as you instructed previously - "open misc tools......uninstall manager............"

6-in-1 Reader
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.1
Adobe Stock Photos 1.0
ArcSoft PhotoImpression
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
avast! Antivirus
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon i9900
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PhotoPrint Plus
Canon Utilities ZoomBrowser EX
Diskeeper 2007 Pro Premier
Easy-WebPrint
EPSON Copy Utility
EPSON Photo Print
EPSON Scanner Reference Guide
EPSON Smart Panel
EPSON TWAIN 5
EVEREST Ultimate Edition v4.20
FlashGet 1.9.6.1073
HijackThis 2.0.2
iCF Skin Pack
iColorFolder
Java(TM) 6 Update 3
Jewel Match
Logitech QuickCam
Logitech QuickCam Driver Package
Marvell Miniport Driver
Microsoft .NET Framework 2.0
Mozilla Firefox (2.0.0.10)
Nero 8
neroxml
Norton PartitionMagic 8.0
NVIDIA Drivers
Picasa 2
PowerDVD Ultra
QuickTime
Realtek AC'97 Audio
Recover My Files
ScanToWeb
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
USB Safely Remove 3.0
VCRedistSetup
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver
WinZip 11.1
XP Repair Pro 2007
Your Uninstaller! 2006 Version 5

Thank you again for your help - please let me know what to do next.
  #6 (permalink)  
Old 30-11-2007, 01:04 AM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Pc infected through IE pop-ups & more

It looks like you are getting help elsewhere with this.

Here:

http://boards.cexx.org/index.php?topic=16812.msg69709
  #7 (permalink)  
Old 30-11-2007, 01:25 AM
sox sox is offline
Newbie
D-A-L Newbie
 
Join Date: Nov 2007
Posts: 15
Re: Pc infected through IE pop-ups & more

I'm sorry Neal - I did post over at that other website but had problems posting my logs there so I did not check back. I will go over there and close that post if you will continue to help me. I've only followed your instructions to this point.

Will you still help us?
  #8 (permalink)  
Old 30-11-2007, 06:31 AM
Neal's Avatar
Senior Member
 
Join Date: Sep 2005
Posts: 5,524
Re: Pc infected through IE pop-ups & more

Yes I will, but it is a bad practice to get help from two forums; it makes it confusing for both places.


Let us continue then:




Lots to do, still very infected:


Open notepad and copy/paste the text in the quotebox below into it: NOT THE WORD QUOTE


Quote:
Files::
C:\WINDOWS\system32\pprfxoak.ini
C:\WINDOWS\system32\vnwjghew.ini
C:\WINDOWS\system32\fnnhrnpn.dll.ren
C:\WINDOWS\system32\npnrhnnf.ini.ren
C:\WINDOWS\system32\yilirqcs.ini
C:\WINDOWS\system32\scqriliy.dll.ren
C:\WINDOWS\system32\qfodbged.ini.ren
C:\WINDOWS\system32\degbdofq.dll.ren
C:\WINDOWS\system32\ixobdpry.dll.ren
C:\WINDOWS\system32\yrpdboxi.ini
C:\WINDOWS\system32\obrhvjyw.dll.ren
C:\WINDOWS\system32\wyjvhrbo.ini
C:\WINDOWS\system32\npvlcuye.ini
C:\WINDOWS\system32\wwhuoihl.ini
C:\WINDOWS\system32\mpythbqg.ini
C:\WINDOWS\system32\rrxyaaga.ini
C:\WINDOWS\system32\ayadd.ini2.ren
C:\WINDOWS\system32\ayadd.ini.ren
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\ADE.DLL
C:\WINDOWS\Ade001.bin
C:\WINDOWS\mrofinu572.exe.ren

Folders::
C:\VundoFix Backups
C:\Program Files\Cool
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{7A-A7-7C-C4-ZN}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"4487a76b"=-

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.






This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
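An added example, not part of Neal's post and not ComboFix code: the "Files Created" listing in this thread contains 8-letter names in system32 where an .ini name is the reverse of a .dll name (for instance fnnhrnpn.dll.ren and npnrhnnf.ini.ren), and this script finds such pairs so they can be reviewed before a Files:: list is written. The function names and the pairing heuristic are assumptions made for illustration; the sample lines are copied from the log posted above.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "date time size attrs path")

# Sample lines copied from the "Files Created" listing posted in this thread.
SAMPLE = r"""
2007-11-26 06:16 354 --ahs---- C:\WINDOWS\system32\pprfxoak.ini
2007-11-24 20:19 85,056 --a------ C:\WINDOWS\system32\fnnhrnpn.dll.ren
2007-11-24 20:19 414 --a------ C:\WINDOWS\system32\npnrhnnf.ini.ren
2007-11-23 20:19 354 --ahs---- C:\WINDOWS\system32\yilirqcs.ini
2007-11-23 20:18 85,056 --a------ C:\WINDOWS\system32\scqriliy.dll.ren
2007-11-21 16:20 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Nero
2007-11-02 16:43 708,696 --a------ C:\WINDOWS\system32\python21.dll
"""

# date, time, size or <DIR>, 9-character attribute field, full path.
# Only the "Files Created" layout is handled; the Find3M section uses
# a different attribute field and is skipped by this pattern.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([-a-z]{9}) (.+)$"
)


def parse_listing(text):
    """Turn listing lines into Entry tuples; directories get size None."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        size = None if size == "<DIR>" else int(size.replace(",", ""))
        entries.append(Entry(date, time, size, attrs, path))
    return entries


def split_name(path):
    """Return (folder, stem, ext) lower-cased, ignoring a trailing '.ren'."""
    folder, name = ntpath.split(path.lower())
    if name.endswith(".ren"):
        name = name[:-4]
    stem, _, ext = name.rpartition(".")
    return folder, stem, ext


def reversed_pairs(entries):
    """Find (dll_path, ini_path) pairs in one folder whose stems mirror each other."""
    files = [e for e in entries if e.size is not None]
    dlls = {}
    for e in files:
        folder, stem, ext = split_name(e.path)
        if ext == "dll":
            dlls[(folder, stem)] = e
    pairs = []
    for e in files:
        folder, stem, ext = split_name(e.path)
        if ext != "ini" or stem == stem[::-1]:
            continue  # not an .ini, or a palindrome that would match itself
        dll = dlls.get((folder, stem[::-1]))
        if dll:
            pairs.append((dll.path, e.path))
    return pairs


def unpaired_hidden_ini(entries):
    """Hidden+system .ini files with 8-letter names and no mirrored DLL listed."""
    paired = {ini for _, ini in reversed_pairs(entries)}
    out = []
    for e in entries:
        if e.size is None or e.path in paired:
            continue
        _, stem, ext = split_name(e.path)
        if (ext == "ini" and "h" in e.attrs and "s" in e.attrs
                and re.fullmatch(r"[a-z]{8}", stem)):
            out.append(e.path)
    return out


if __name__ == "__main__":
    listing = parse_listing(SAMPLE)
    for dll, ini in reversed_pairs(listing):
        print("pair :", dll, "<->", ini)
    for path in unpaired_hidden_ini(listing):
        print("check:", path)
```

A match is only a candidate for review; ordinary files such as ztvunrar36.dll and python21.dll in the same listing are not flagged by either function.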
  #9 (permalink)  
Old 30-11-2007, 04:58 PM
sox sox is offline
Newbie
D-A-L Newbie
 
Join Date: Nov 2007
Posts: 15
Re: Pc infected through IE pop-ups & more

Thank you Neal! I closed that thread on the other forum and once again apologize.

Here is the log from ComboFix (it did not reboot):

ComboFix 07-11-19.4C - Judy 2007-11-29 9:46:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.227 [GMT -6:00]
Running from: C:\Documents and Settings\Judy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Judy\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-29 )))))))))))))))))))))))))))))))
.

2007-11-28 12:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-28 12:10 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-28 12:10 <DIR> d-------- C:\Documents and Settings\Judy\Application Data\SUPERAntiSpyware.com
2007-11-28 12:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-28 06:00 <DIR> d-------- C:\Documents and Settings\Judy\Application Data\URSE Games
2007-11-28 04:57 <DIR> d-------- C:\Program Files\Holiday Bonus
2007-11-27 20:27 <DIR> d-------- C:\VundoFix Backups
2007-11-27 20:15 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-26 06:16 354 --ahs---- C:\WINDOWS\system32\pprfxoak.ini
2007-11-25 06:22 294 --ahs---- C:\WINDOWS\system32\vnwjghew.ini
2007-11-24 20:19 85,056 --a------ C:\WINDOWS\system32\fnnhrnpn.dll.ren
2007-11-24 20:19 414 --a------ C:\WINDOWS\system32\npnrhnnf.ini.ren
2007-11-23 21:00 <DIR> d-------- C:\Documents and Settings\Judy\Goett Family Photos
2007-11-23 20:19 354 --ahs---- C:\WINDOWS\system32\yilirqcs.ini
2007-11-23 20:18 85,056 --a------ C:\WINDOWS\system32\scqriliy.dll.ren
2007-11-21 22:20 354 --a------ C:\WINDOWS\system32\qfodbged.ini.ren
2007-11-21 22:19 85,056 --a------ C:\WINDOWS\system32\degbdofq.dll.ren
2007-11-21 20:08 <DIR> d-------- C:\Program Files\Anti Trojan Elite
2007-11-21 19:53 85,056 --a------ C:\WINDOWS\system32\ixobdpry.dll.ren
2007-11-21 19:53 354 --ahs---- C:\WINDOWS\system32\yrpdboxi.ini
2007-11-21 17:20 <DIR> d-------- C:\Program Files\7 Artifacts
2007-11-21 16:20 <DIR> d-------- C:\Program Files\Trojan Remover
2007-11-21 16:20 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-21 16:20 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-21 16:20 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-21 16:20 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-21 16:20 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-19 06:39 85,056 --a------ C:\WINDOWS\system32\obrhvjyw.dll.ren
2007-11-19 06:39 1,374 --ahs---- C:\WINDOWS\system32\wyjvhrbo.ini
2007-11-18 06:40 1,134 --ahs---- C:\WINDOWS\system32\npvlcuye.ini
2007-11-17 05:16 1,014 --ahs---- C:\WINDOWS\system32\wwhuoihl.ini
2007-11-14 05:40 534 --ahs---- C:\WINDOWS\system32\mpythbqg.ini
2007-11-13 05:19 414 --ahs---- C:\WINDOWS\system32\rrxyaaga.ini
2007-11-13 05:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-11-13 05:06 <DIR> d-------- C:\Program Files\Cool
2007-11-11 15:08 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-11 15:00 434,225 --a------ C:\WINDOWS\system32\ayadd.ini2.ren
2007-11-11 15:00 434,225 --ahs---- C:\WINDOWS\system32\ayadd.ini.ren
2007-11-11 14:52 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-11 14:52 <DIR> d-------- C:\Temp\abW9
2007-11-11 14:52 <DIR> d-------- C:\Temp
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Picasa2
2007-11-03 07:16 <DIR> d-------- C:\Program Files\Google
2007-11-03 06:53 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-11-03 06:53 <DIR> d-------- C:\Program Files\Jewel Match
2007-11-02 22:51 <DIR> d-------- C:\WINDOWS\Sun
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Nero
2007-11-02 18:44 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-11-02 17:54 <DIR> d-------- C:\Program Files\Limewire
2007-11-02 17:54 <DIR> d-------- C:\Documents and Settings\Judy\Shared
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\Incomplete
2007-11-02 17:50 <DIR> d-------- C:\Documents and Settings\Judy\.limewire
2007-11-02 16:53 <DIR> dr------- C:\Program Files\Dazzle
2007-11-02 16:53 <DIR> d-------- C:\Program Files\Common Files\SCM
2007-11-02 16:53 36,864 --a------ C:\WINDOWS\system32\Stlhook.dll
2007-11-02 16:53 13,325 --------- C:\WINDOWS\system32\drivers\Stltrk2k.sys
2007-11-02 16:47 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-02 16:47 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-02 16:45 <DIR> d-------- C:\EPSONREG
2007-11-02 16:44 <DIR> d-------- C:\Program Files\ArcSoft
2007-11-02 16:44 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-11-02 16:43 <DIR> d-------- C:\Program Files\Common Files\Python
2007-11-02 16:43 708,696 --a------ C:\WINDOWS\system32\python21.dll
2007-11-02 16:43 290,919 --a------ C:\WINDOWS\system32\pythoncom21.dll
2007-11-02 16:43 57,344 --a------ C:\WINDOWS\system32\PyWinTypes21.dll
2007-11-02 16:42 73,216 --a------ C:\WINDOWS\ADE.DLL
2007-11-02 16:42 3,136 --a------ C:\WINDOWS\Ade001.bin
2007-11-02 16:41 <DIR> d-------- C:\Program Files\EPSON
2007-11-02 16:41 <DIR> d-------- C:\EPSON
2007-11-02 16:33 <DIR> d-------- C:\WINDOWS\I9900
2007-11-02 16:33 113,152 --a------ C:\WINDOWS\system32\CNMLM5p.DLL
2007-11-02 16:33 86,016 -ra------ C:\WINDOWS\system32\CNMCP5p.exe
2007-11-02 16:33 7,680 --a------ C:\WINDOWS\system32\CNMVS5p.DLL
2007-11-02 16:32 <DIR> d-------- C:\Program Files\Canon
2007-11-02 16:23 73,728 -ra------ C:\WINDOWS\system32\cnm6C.tmp
2007-11-02 16:21 73,728 -ra------ C:\WINDOWS\system32\cnm32.tmp
2007-11-02 16:19 <DIR> d-------- C:\WINDOWS\StartHtmico
2007-11-02 16:19 <DIR> d-------- C:\WINDOWS\I900D
2007-11-02 16:19 105,984 --a------ C:\WINDOWS\system32\CNMLM5e.DLL
2007-11-02 16:19 73,728 -ra------ C:\WINDOWS\system32\CNMCP5e.exe
2007-11-02 16:19 6,656 --a------ C:\WINDOWS\system32\CNMVS5e.DLL
2007-11-02 16:19 6,184 -ra------ C:\WINDOWS\system32\cmglue.vxd
2007-11-02 16:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-02 16:16 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-02 16:13 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2007-11-02 16:13 19,328 --a--c--- C:\WINDOWS\system32\dllcache\wstcodec.sys
2007-11-02 16:13 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2007-11-02 16:13 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2007-11-02 16:13 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2007-11-02 16:06 90,624 --a--c--- C:\WINDOWS\system32\dllcache\kswdmcap.ax
2007-11-02 16:06 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-11-02 16:06 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-11-02 16:06 43,008 --a--c--- C:\WINDOWS\system32\dllcache\ksxbar.ax
2007-11-02 16:06 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2007-11-02 16:06 28,672 --a--c--- C:\WINDOWS\system32\dllcache\vidcap.ax
2007-11-02 16:05 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-11-02 16:05 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-11-02 16:05 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-11-02 16:05 21,138 --a------ C:\WINDOWS\system32\Repository.reg
2007-11-02 16:04 <DIR> d-------- C:\Program Files\Logitech

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 09:29 35,840 ----a-w C:\WINDOWS\mrofinu572.exe.ren
2007-11-02 07:26 512,000 ----a-w C:\WINDOWS\SERVER-NME.EXE
2007-11-01 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-22 00:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-19 19:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
2007-10-12 02:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 02:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 02:00 41,752 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-12 01:57 416,280 ----a-w C:\WINDOWS\system32\lvcodec2.dll
2007-10-12 01:57 195,096 ----a-w C:\WINDOWS\system32\lvci1150.dll
2007-10-12 01:55 13,848 ----a-w C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-12 01:55 1,279,000 ----a-w C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-12 00:59 25,624 ----a-w C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-10-12 00:59 2,142,488 ----a-w C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-10-12 00:15 85,302 ----a-w C:\WINDOWS\system32\drivers\LVFeL002.cfg
2007-10-12 00:15 69,592 ----a-w C:\WINDOWS\system32\drivers\LVFaL000.cfg
2007-10-12 00:15 227,172 ----a-w C:\WINDOWS\system32\drivers\LVFeL000.cfg
2007-10-12 00:15 146,680 ----a-w C:\WINDOWS\system32\drivers\LVFeL001.cfg
2007-09-20 15:59 972,072 ----a-w C:\WINDOWS\UNRecode.exe
2007-09-20 15:55 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-09-20 15:55 95,600 ----a-w C:\WINDOWS\system32\NeroCo.dll
.

((((((((((((((((((((((((((((( snapshot@2007-11-27_19.47.51.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 18:10:23 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-28 18:10:23 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-28 18:10:23 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-11-29 15:36:12 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_368.dat
+ 2007-11-29 15:36:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF}]
C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp\CEMG555077.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C7D86B7-A9BF-4E98-B05C-7CEA4444007E}]
C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A1676B83-B850-4289-AB1C-FD59E7EF6CAB}]
C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper8 3122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USB Safely Remove"="C:\Program Files\USB Safely Remove\USBSafelyRemove.exe" [2007-09-22 07:40]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 15:18]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 05:42 C:\WINDOWS\soundman.exe]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"{7A-A7-7C-C4-ZN}"="C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe" []
"Anti Trojan Elite"="C:\Program Files\Anti Trojan Elite\TJEnder.exe" []
"4487a76b"="C:\WINDOWS\system32\srsxmire.dll" []

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys
R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
S3 ATE_PROCMON;ATE_PROCMON;\??\C:\Program Files\Anti Trojan Elite\ATEPMon.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{96DEEE3E-4F2A-C3E1-1707-E35CA017F612}]
C:\WINDOWS\system32:calc.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 09:48:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-29 9:48:37
C:\ComboFix2.txt ... 2007-11-28 14:45
C:\ComboFix3.txt ... 2007-11-27 20:42
.
--- E O F ---


Here is the hijackthis log after running the CFScript:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:00 AM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\USB Safely Remove\USBSafelyRemove.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Cool\X_cool.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {2CDA9E4B-DD82-4C9A-86B6-FF154E5B06AF} - C:\Program Files\ComPlus Applications\mepovyjC:\DOCUME~1\Judy\LOCALS~1\Temp\CEMG555077.exe.dll (file missing)
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7C7D86B7-A9BF-4E98-B05C-7CEA4444007E} - C:\Program Files\ComPlus Applications\mepovyjC:\Program Files\InetGet2\gm3-24418.exe.dll (file missing)
O2 - BHO: (no name) - {A1676B83-B850-4289-AB1C-FD59E7EF6CAB} - C:\Program Files\ComPlus Applications\mepovyjC:\WINDOWS\system32\h2\jumper8 3122.exe.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [{7A-A7-7C-C4-ZN}] C:\Documents and Settings\Judy\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan Elite\TJEnder.exe :NO
O4 - HKLM\..\Run: [4487a76b] rundll32.exe "C:\WINDOWS\system32\srsxmire.dll",b
O4 - HKCU\..\Run: [USB Safely Remove] C:\Program Files\USB Safely Remove\USBSafelyRemove.exe /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe (User 'Default user')
O4 - Startup: Cool - Auto Update.lnk = C:\Program Files\Cool\cool.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 7982 bytes


Please let me know what to do next. Thanks!!!
  #10 (permalink)  
Old 01-12-2007, 12:11 AM
Neal
Senior Member
Join Date: Sep 2005
Posts: 5,524
Re: Pc infected through IE pop-ups & more

It did not work. Did you drag the CF Script over to combofix by holding down left click on mouse and when over combofix let go of left click button?

All times are GMT +1.