I believe I have Vundo but cannot Seem to fix it.

Post by wolverinegod » April 18th, 2007, 5:57 am

I have nearly identical symptoms as this person: http://forums.spywareinfo.com/lofiversi ... 96680.html. So I ran and downloaded those tools in addition to the Vundo fix put out by Symantec. Unfortunately, Symantec's product is at a point where it tells me there are no infected files. The other tools ALL find infected files but do not seem to fix them. I now also get a script error when Windows starts related to my Toshiba management console. Here is my HijackThis log. Any help would be appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:56:31 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\windows defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\diskeeper\DkService.exe
E:\Common Framework\FrameworkService.exe
E:\mcafee\Mcshield.exe
E:\mcafee\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
e:\toshiba\tme3\Tmesbs32.exe
e:\toshiba\tme3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TFNF5.exe
E:\toshiba\tme3\TMERzCtl.EXE
e:\toshiba\tme3\TMEEJME.EXE
E:\toshiba\tme3\TMESBS32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TPSMain.exe
E:\mcafee\SHSTAT.EXE
E:\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\windows defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\palmOne\Hotsync.exe
E:\launchy\Launchy.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\texter\texter.exe
E:\FIREFOX\FIREFOX.EXE
E:\hijackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {209B0D08-56E9-49BE-B4DD-A1DDF295F471} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\iifebca.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9772CB6D-C750-423F-90FD-B20F76B16B54} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D4BFB257-D51A-42D1-A6EE-1EF55A93F884} - C:\WINDOWS\system32\jkheb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\System32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TMESRV.EXE] e:\toshiba\tme3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] e:\toshiba\tme3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] e:\toshiba\tme3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "E:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\windows defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Startup: Texter.lnk = E:\texter\texter.exe
O4 - Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - User Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - User Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - User Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - User Startup: Texter.lnk = E:\texter\texter.exe
O4 - User Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Global Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Global Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3209803735
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmgdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = gmgdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmgdomain.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: iifebca - C:\WINDOWS\SYSTEM32\iifebca.dll
O20 - Winlogon Notify: jkheb - C:\WINDOWS\system32\jkheb.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\mcafee\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\mcafee\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - e:\toshiba\tme3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - e:\toshiba\tme3\Tmesrv31.exe

--
End of file - 10108 bytes
wolverinegod
Active Member
 
Posts: 6
Joined: April 17th, 2007, 1:34 am

Post by Bob4 » April 18th, 2007, 8:25 am

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

Please follow my instructions in the order given!!


_________________________________
You are using a beta version of Hijackthis which still may have a few bugs.
Please delete the one you have now and grab this one for me.


Download HiJackThis from here

unzip it to c:/ make sure the exe stays in its own folder.
Open HJT and choose scan and save a log file. Post the contents of that log in your next reply. Each time I ask you to do this a new log will be saved within that folder replacing the last one.



____________________________
Lucky you! You have a new file we need to upload to the maker of the Vundo fix. This will help us and others greatly. After you do this we will safely remove this infection.
This will only take a few minutes of your time.


  • Please go to this Site.
  • Fill out the form
  • Where it says Topic where file was requested paste this link in:

    http://www.malwareremoval.com/forum/viewtopic.php?t=19641
  • Where it says browse paste these in the spaces provided.


    C:\WINDOWS\system32\jkheb.dll
    C:\WINDOWS\system32\iifebca.dll

  • Then click send



Thanks now let's get rid of it.




_________________________________
We need to disable windows defender.
A good program but may interfere with our fixes.

Open Windows Defender
Click Tools
Click General Settings
Scroll down to Real Time Protection Options
Uncheck Turn on Real Time Protection (recommended)
After you uncheck this, click on the Save button
Close Windows Defender



_________________________________


Use this tool for Vundo if you don't already have it. You can delete any others you have tried.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes


    • C:\WINDOWS\system32\jkheb.dll
    • C:\WINDOWS\system32\iifebca.dll

  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.



______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


Please download to your Desktop or to your usual Download Folder.
AVG Anti-Spyware
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
  • Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________
It will save a log in C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports


Exit AVG.
Reboot normally.
Post that for me.



1. Download Combo fix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


In your next reply I would like to see:
  • A new HJT log
  • The report from combo fix
  • The report from vundo
  • The report from AVG anti spyware


Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
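An added example, not part of the thread and not Bob4's tooling: a small Python triage pass over the O2 (BHO) and O20 (Winlogon Notify) lines of the HijackThis log posted above. It shows the pattern Bob4 acts on when he picks out jkheb.dll and iifebca.dll: an unnamed BHO loaded straight from system32 whose DLL is also registered as a Winlogon Notify package. It also separates "(no file)" orphans, which are dead registry entries rather than live code. The sample input is copied from the log in this thread; the regexes and the system32 check are this example's own assumptions about HJT's line format.

```python
"""Triage the O2/O20 lines of a HijackThis log for the Vundo pattern in this thread."""
import re
from typing import Dict, List, Tuple

# Constructed input: the O2 (BHO) and O20 (Winlogon Notify) lines copied from the
# HijackThis log posted above. Real HJT logs hold many more sections; only these
# two matter for the check below.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {209B0D08-56E9-49BE-B4DD-A1DDF295F471} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\iifebca.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9772CB6D-C750-423F-90FD-B20F76B16B54} - (no file)
O2 - BHO: (no name) - {D4BFB257-D51A-42D1-A6EE-1EF55A93F884} - C:\WINDOWS\system32\jkheb.dll
O20 - Winlogon Notify: iifebca - C:\WINDOWS\SYSTEM32\iifebca.dll
O20 - Winlogon Notify: jkheb - C:\WINDOWS\system32\jkheb.dll
"""

# Assumed HJT line shapes: "O2 - BHO: <name> - {CLSID} - <path>" and
# "O20 - Winlogon Notify: <subkey> - <path>".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

SYSTEM32 = "c:\\windows\\system32\\"


def norm(path: str) -> str:
    """Windows paths are case-insensitive, and HJT prints system32 in mixed case."""
    return path.strip().lower()


def parse_hjt(log: str) -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Return BHO entries as (name, CLSID, normalized path) plus a map of
    normalized Winlogon Notify DLL path -> Notify subkey name."""
    bhos: List[Tuple[str, str, str]] = []
    notify: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append((m.group("name"), m.group("clsid"), norm(m.group("path"))))
            continue
        m = O20_RE.match(line)
        if m:
            notify[norm(m.group("path"))] = m.group("key")
    return bhos, notify


def triage(log: str) -> Dict[str, object]:
    """Split BHOs into 'suspect' (path -> reasons) and 'orphans' (CLSIDs with no file).

    Two independent signals are combined. An unnamed BHO whose DLL sits directly in
    system32 is unusual for legitimate software, and a DLL that is *also* registered
    as a Winlogon Notify package is loaded by winlogon.exe at logon, which is how
    Vundo-family infections of this era re-establish the BHO after a user-mode
    cleaner deletes it. Both signals on one path is the pattern Bob4 acts on above.
    A '(no name)' BHO alone is not enough: the Spybot SDHelper.dll entry is unnamed
    too and is legitimate.
    """
    bhos, notify = parse_hjt(log)
    suspect: Dict[str, List[str]] = {}
    orphans: List[str] = []
    for name, clsid, path in bhos:
        if path == "(no file)":
            # Registry still points at a DLL that no longer exists: a dead entry
            # to clean up, not live code.
            orphans.append(clsid)
            continue
        reasons: List[str] = []
        if name == "(no name)" and path.startswith(SYSTEM32):
            reasons.append("unnamed BHO loaded from system32")
        if path in notify:
            reasons.append(f"also registered as Winlogon Notify package '{notify[path]}'")
        if reasons:
            suspect[path] = reasons
    return {"suspect": suspect, "orphans": orphans}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, reasons in result["suspect"].items():
        print(f"SUSPECT {dll}")
        for why in reasons:
            print(f"   - {why}")
    for clsid in result["orphans"]:
        print(f"ORPHAN  {clsid} (no file)")
```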

Here ya go...

Post by wolverinegod » April 18th, 2007, 12:16 pm

A decent amount of the "spyware" in AVG is just a bunch of harmless cookies that reside in an old backup folder from a hard drive.

Here you go with everything:
07-04-18 12:01:27 Service Pack 2
ComboFix 07-04-18.2V - Running from: F:\desktop\


((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))


2007-04-18 09:22 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-17 16:45 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-04-17 07:53 <DIR> d-------- C:\DOCUME~1\THEODO~1\DoctorWeb
2007-04-17 07:11 <DIR> d-------- C:\VundoFix Backups
2007-04-17 01:55 <DIR> d-------- C:\Program Files\InterMute
2007-04-16 13:49 <DIR> d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\Lavasoft
2007-04-16 13:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-15 09:29 <DIR> d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\iSproggler
2007-04-14 21:11 <DIR> d-------- C:\Program Files\ReflexiveArcade
2007-04-13 11:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Meetro
2007-04-13 09:09 <DIR> d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\vlc
2007-04-08 07:01 208,896 --a------ C:\WINDOWS\system\lame_enc.dll
2007-04-06 18:48 <DIR> d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\DivX
2007-03-27 03:55 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-03-27 03:55 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-03-27 03:55 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-03-27 03:55 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-03-27 03:49 73,728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-03-27 03:49 593,920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-03-27 03:49 57,344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-03-27 03:49 53,248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-03-27 03:49 344,064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-03-27 03:49 294,912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-03-27 03:49 294,912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-03-27 03:49 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-03-27 03:48 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-03-27 03:48 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-03-27 03:48 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-03-27 03:48 639,066 --a------ C:\WINDOWS\system32\DivX.dll
2007-03-19 19:32 <DIR> d-------- C:\Program Files\iPod
2007-03-19 11:34 <DIR> d-------- C:\Program Files\Palm Inc
2007-03-19 11:20 53,248 --a------ C:\WINDOWS\PalmDevC.dll
2007-03-19 11:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\HotSync
2007-03-19 11:19 <DIR> d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\HotSync


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-18 12:01 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\launchy
2007-04-17 00:27 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\utorrent
2007-03-19 19:29 -------- d-------- C:\Program Files\apple software update
2007-03-19 11:19 16694 --a------ C:\WINDOWS\system32\drivers\PalmUSBD.sys
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-15 19:41 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\smith micro
2007-03-15 01:30 1449 --a------ C:\WINDOWS\mozver.dat
2007-03-15 01:30 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\sun
2007-03-15 01:29 -------- d-------- C:\Program Files\java
2007-03-15 01:28 -------- d-------- C:\Program Files\Common Files\java
2007-03-13 21:57 -------- d-------- C:\Program Files\Common Files\macrovision shared
2007-03-12 02:19 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\gtk-2.0
2007-03-09 06:06 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\apple computer
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 00:32 -------- d-------- C:\Program Files\quicktime
2007-03-06 23:31 0 --a------ C:\WINDOWS\nsreg.dat
2007-03-06 17:13 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\leadertech
2007-03-06 16:12 -------- d--h----- C:\Program Files\installshield installation information
2007-03-06 16:07 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\windows desktop search
2007-03-06 16:05 -------- d-------- C:\Program Files\windows desktop search
2007-03-06 15:34 -------- d-------- C:\Program Files\msbuild
2007-03-06 15:34 -------- d-------- C:\Program Files\microsoft works
2007-03-06 15:32 -------- d-------- C:\Program Files\microsoft.net
2007-03-06 15:30 -------- d-------- C:\Program Files\microsoft visual studio 8
2007-03-06 15:20 -------- d-------- C:\Program Files\ltmoh
2007-03-06 06:40 -------- d-------- C:\Program Files\windows media connect 2
2007-03-06 06:35 -------- d-------- C:\Program Files\reference assemblies
2007-03-06 06:24 -------- d-------- C:\Program Files\Common Files\installshield
2007-03-06 05:35 -------- d-------- C:\Program Files\Common Files\network associates
2007-03-06 05:35 -------- d-------- C:\Program Files\Common Files\cisco systems
2007-03-06 05:23 -------- d-------- C:\Program Files\messenger
2007-03-06 05:21 -------- d-------- C:\Program Files\msxml 4.0
2007-03-06 05:11 -------- d-------- C:\Program Files\toshiba
2007-03-06 04:55 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\toshiba
2007-03-06 04:43 21419 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-03-06 04:43 -------- d-------- C:\DOCUME~1\THEODO~1\APPLIC~1\intel
2007-03-06 04:42 -------- d-------- C:\Program Files\intel
2007-03-06 04:29 -------- d-------- C:\Program Files\movie maker
2007-03-06 04:25 -------- d-------- C:\Program Files\windows nt
2007-03-06 04:12 0 -rahs---- C:\MSDOS.SYS
2007-03-06 04:12 0 -rahs---- C:\IO.SYS
2007-03-06 04:12 0 --a------ C:\CONFIG.SYS
2007-03-06 04:12 0 --a------ C:\AUTOEXEC.BAT
2007-03-06 04:12 -------- d-------- C:\Program Files\microsoft frontpage
2007-03-06 04:09 -------- d-------- C:\Program Files\Common Files\mssoap
2007-03-06 04:08 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-03-06 04:08 -------- d--h----- C:\Program Files\windowsupdate
2007-03-06 04:08 -------- d-------- C:\Program Files\online services
2007-03-06 04:07 -------- d-------- C:\Program Files\msn gaming zone
2007-03-05 23:01 -------- d-------- C:\Program Files\Common Files\speechengines
2007-03-05 23:01 -------- d-------- C:\Program Files\Common Files\odbc
2007-03-05 23:00 62 --ahs---- C:\DOCUME~1\THEODO~1\APPLIC~1\desktop.ini
2007-02-15 21:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-13 19:55 224256 --a------ C:\WINDOWS\system32\autofat.exe
2007-02-13 19:55 185344 --a------ C:\WINDOWS\system32\autontfs.exe
2007-02-05 16:43 1481728 --------- C:\WINDOWS\system32\mssrch.dll
2007-02-05 16:42 1504768 --------- C:\WINDOWS\system32\tquery.dll
2007-02-05 16:41 134656 --------- C:\WINDOWS\system32\uncdms.dll
2007-02-05 16:41 122368 --------- C:\WINDOWS\system32\uncph.dll
2007-02-05 16:41 108544 --------- C:\WINDOWS\system32\uncne.dll
2007-02-05 16:40 98304 --------- C:\WINDOWS\system32\unccplext.dll
2007-02-05 16:40 260096 --------- C:\WINDOWS\system32\oeph.dll
2007-02-05 16:36 52224 --------- C:\WINDOWS\system32\msstrc.dll
2007-02-05 16:36 27136 --------- C:\WINDOWS\system32\rtffilt.dll
2007-02-05 16:36 111104 --------- C:\WINDOWS\system32\xmlfilter.dll
2007-02-05 16:35 248320 --------- C:\WINDOWS\system32\msshsq.dll
2007-02-05 16:35 167424 --------- C:\WINDOWS\system32\mssphtb.dll
2007-02-05 16:34 300032 --------- C:\WINDOWS\system32\searchindexer.exe
2007-02-05 16:33 331776 --------- C:\WINDOWS\system32\mssph.dll
2007-02-05 16:32 65536 --------- C:\WINDOWS\system32\propdefs.dll
2007-02-05 16:32 182784 --------- C:\WINDOWS\system32\searchprotocolhost.exe
2007-02-05 16:31 76800 --------- C:\WINDOWS\system32\searchfilterhost.exe
2007-02-05 16:30 23552 --------- C:\WINDOWS\system32\msscb.dll
2007-02-05 16:29 98816 --------- C:\WINDOWS\system32\mssitlb.dll
2007-02-05 16:29 51200 --------- C:\WINDOWS\system32\msscntrs.dll
2007-02-05 16:29 255488 --------- C:\WINDOWS\system32\srchadmin.dll
2007-02-05 16:28 733696 --------- C:\WINDOWS\system32\propsys.dll
2007-02-05 16:28 32256 --------- C:\WINDOWS\system32\mssprxy.dll
2007-02-05 16:24 2048 --------- C:\WINDOWS\system32\uncres.dll
2007-02-05 16:24 11264 --------- C:\WINDOWS\system32\oephres.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-05 15:24 99999 --------- C:\WINDOWS\system32\structuredqueryschema.bin
2007-02-05 15:24 18271 --------- C:\WINDOWS\system32\structuredqueryschematrivial.bin


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{1A4F9D2D-CE42-424D-B43E-4B8DB3E1CDD3} C:\WINDOWS\system32\cbabb.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} E:\spybot\SDHelper.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} E:\MICROS~1\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{D4BFB257-D51A-42D1-A6EE-1EF55A93F884} C:\WINDOWS\system32\jkheb.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"NVRotateSysTray"="rundll32.exe C:\\WINDOWS\\System32\\nvsysrot.dll,Enable"
"00THotkey"="C:\\WINDOWS\\system32\\00THotkey.exe"
"000StTHK"="000StTHK.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"TFNF5"="TFNF5.exe"
"TMESRV.EXE"="e:\\toshiba\\tme3\\TMESRV31.EXE /Logon"
"TMERzCtl.EXE"="e:\\toshiba\\tme3\\TMERzCtl.EXE /Service"
"TMESBS.EXE"="e:\\toshiba\\tme3\\TMESBS32.EXE /Client"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"TPSMain"="TPSMain.exe"
"ShStatEXE"="\"E:\\mcafee\\SHSTAT.EXE\" /STANDALONE"
"McAfeeUpdaterUI"="\"E:\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\""
"AGRSMMSG"="AGRSMMSG.exe"
"Windows Defender"="\"E:\\windows defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=hex:00,00,00,00
"NoRecentDocsMenu"=hex:01,00,00,00
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Theodore Golden^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
"path"="C:\\Documents and Settings\\Theodore Golden\\Start Menu\\Programs\\Startup\\OneNote 2007 Screen Clipper and Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\OneNote 2007 Screen Clipper and Launcher.lnkStartup"
"location"="Startup"
"command"="E:\\MICROS~1\\Office12\\ONENOTEM.EXE /tsr"
"item"="OneNote 2007 Screen Clipper and Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Theodore Golden^Start Menu^Programs^Startup^palmOne Registration.lnk]
"path"="C:\\Documents and Settings\\Theodore Golden\\Start Menu\\Programs\\Startup\\palmOne Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\palmOne Registration.lnkStartup"
"location"="Startup"
"command"="E:\\palmOne\\register.exe /remind /language=EN /INTL=\"true\" /_NBL=\"true\" /PRNM=\"palmOne\""
"item"="palmOne Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"E:\\adobe\\acrobat\\Acrobat\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GrooveMonitor"
"hkey"="HKLM"
"command"="\"E:\\microsoft office\\Office12\\GrooveMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"E:\\itunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-18 12:06:32
C:\ComboFix-quarantined-files.txt ... 07-04-18 12:06


VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.11

Scan started at 7:11:30 AM 4/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\hghkj.bak2
C:\WINDOWS\system32\hghkj.ini
C:\WINDOWS\system32\hghkj.ini2
C:\WINDOWS\system32\hghkj.tmp
C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\mdckrtwq.dll
C:\WINDOWS\system32\wrxhbwga.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hghkj.bak2
C:\WINDOWS\system32\hghkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hghkj.ini
C:\WINDOWS\system32\hghkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\hghkj.ini2
C:\WINDOWS\system32\hghkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hghkj.tmp
C:\WINDOWS\system32\hghkj.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhgh.dll
C:\WINDOWS\system32\jkhgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mdckrtwq.dll
C:\WINDOWS\system32\mdckrtwq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wrxhbwga.dll
C:\WINDOWS\system32\wrxhbwga.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.11

Scan started at 4:27:45 PM 4/17/2007

Listing files found while scanning....

C:\WINDOWS\system32\cdfii.bak1
C:\WINDOWS\system32\cdfii.ini
C:\WINDOWS\system32\iifdc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdfii.bak1
C:\WINDOWS\system32\cdfii.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdfii.ini
C:\WINDOWS\system32\cdfii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifdc.dll
C:\WINDOWS\system32\iifdc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:56:59 AM 4/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\behkj.bak1
C:\WINDOWS\system32\behkj.ini
C:\WINDOWS\system32\jkheb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\behkj.bak1
C:\WINDOWS\system32\behkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\behkj.ini
C:\WINDOWS\system32\behkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifebca.dll
C:\WINDOWS\system32\iifebca.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkheb.dll
C:\WINDOWS\system32\jkheb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.11

Scan started at 9:32:35 AM 4/18/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbabc.bak1
C:\WINDOWS\system32\bbabc.ini
C:\WINDOWS\system32\cbabb.dll
C:\WINDOWS\system32\mnadodns.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbabc.bak1
C:\WINDOWS\system32\bbabc.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbabc.ini
C:\WINDOWS\system32\bbabc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbabb.dll
C:\WINDOWS\system32\cbabb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifebca.dll
C:\WINDOWS\system32\iifebca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnadodns.dll
C:\WINDOWS\system32\mnadodns.dll Has been deleted!

Performing Repairs to the registry.
Done!

//////////

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:54:25 AM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\windows defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
e:\avg\spyware\guard.exe
E:\diskeeper\DkService.exe
E:\Common Framework\FrameworkService.exe
E:\mcafee\Mcshield.exe
E:\mcafee\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
e:\toshiba\tme3\Tmesbs32.exe
e:\toshiba\tme3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TFNF5.exe
E:\toshiba\tme3\TMERzCtl.EXE
e:\toshiba\tme3\TMEEJME.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
E:\toshiba\tme3\TMESBS32.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\TPSMain.exe
E:\mcafee\SHSTAT.EXE
E:\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\AGRSMMSG.exe
E:\windows defender\MSASCui.exe
E:\avg\spyware\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
E:\palmOne\Hotsync.exe
E:\launchy\Launchy.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\texter\texter.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
E:\hijackthis\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A4F9D2D-CE42-424D-B43E-4B8DB3E1CDD3} - C:\WINDOWS\system32\cbabb.dll (file missing)
O2 - BHO: (no name) - {209B0D08-56E9-49BE-B4DD-A1DDF295F471} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\iifebca.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9772CB6D-C750-423F-90FD-B20F76B16B54} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D4BFB257-D51A-42D1-A6EE-1EF55A93F884} - C:\WINDOWS\system32\jkheb.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\System32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TMESRV.EXE] e:\toshiba\tme3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] e:\toshiba\tme3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] e:\toshiba\tme3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "E:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\windows defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "e:\avg\spyware\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Startup: Texter.lnk = E:\texter\texter.exe
O4 - Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - User Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - User Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - User Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - User Startup: Texter.lnk = E:\texter\texter.exe
O4 - User Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Global Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Global Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3209803735
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmgdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = gmgdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmgdomain.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\MICROS~1\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\avg\spyware\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\mcafee\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\mcafee\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - e:\toshiba\tme3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - e:\toshiba\tme3\Tmesrv31.exe

--
End of file - 10399 bytes

//////

To view the AVG log, I uploaded it to a site; it seems unusually large to me:
http://www.blacksoxfan.com/files/avg.txt
wolverinegod
Active Member
 
Posts: 6
Joined: April 17th, 2007, 1:34 am

Unread postby Bob4 » April 18th, 2007, 1:32 pm

You still have the HJT file from Trend Micro. I'd rather be using a version I know and trust.
See the beginning of my first post to you.




Once again be sure windows defender is disabled.
______________________________
HJT
Run HijackThis, choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {1A4F9D2D-CE42-424D-B43E-4B8DB3E1CDD3} - C:\WINDOWS\system32\cbabb.dll (file missing)
O2 - BHO: (no name) - {209B0D08-56E9-49BE-B4DD-A1DDF295F471} - (no file)
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\iifebca.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {9772CB6D-C750-423F-90FD-B20F76B16B54} - (no file)
O2 - BHO: (no name) - {D4BFB257-D51A-42D1-A6EE-1EF55A93F884} - C:\WINDOWS\system32\jkheb.dll (file missing)

_________________________________

Do you know this domain name?
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmgdomain.local

_____________________________

Where AVG antimalware said "error during cleaning", I would rerun AVG as I described and have it quarantine what it found.



________________________________________
You need to update SunJava for security reasons.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1... allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

________________________________
In your next reply :
  • Please post 1 more HJT log and let me know how things are running.
  • Let me know if you know what this domain is: gmgdomain.local
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
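One way to mechanise the check behind the list of lines above, as an added example that is not code from this thread, from HijackThis or from MalwareRemoval.com: a small Python parser that reads the R0/R1 and O2 lines of a HijackThis log and flags the two conditions a helper looks at first, a blanked IE start/search value and a BHO whose CLSID is still registered although its DLL is gone ("(no file)" or "(file missing)"). The sample lines are copied from the 9:54 AM log posted earlier in this thread; the line patterns are inferred from the format shown there, not taken from any HijackThis specification.

```python
"""Flag leftover entries in a HijackThis log.

Added example for this thread; not code from HijackThis or MalwareRemoval.com.
The line patterns are inferred from the log format shown in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# R0/R1: Internet Explorer start/search page values.  An empty right-hand side
# is what a cleaned-up hijack leaves behind; resetting it is harmless.
_R_LINE = re.compile(
    r"^(?P<kind>R[01]) - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<value>.*)$"
)

# O2: Browser Helper Objects.  The CLSID stays registered after the DLL has been
# deleted; HijackThis reports that as "(no file)" or "<path> (file missing)".
_O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    line: str     # the log line as written
    reason: str   # why it was flagged


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the R0/R1 and O2 lines a helper would want to look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _R_LINE.match(line)
        if m:
            if m.group("value") == "":
                findings.append(Finding(line, "blank IE start/search value"))
            continue
        m = _O2_LINE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but DLL absent"))
    return findings


def orphaned_clsids(log_text: str) -> set[str]:
    """CLSIDs of BHOs whose DLL is gone; handy for checking a later log."""
    return {
        _O2_LINE.match(f.line).group("clsid")
        for f in triage_hjt(log_text)
        if f.reason.startswith("BHO")
    }


# Lines copied from the 9:54 AM HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A4F9D2D-CE42-424D-B43E-4B8DB3E1CDD3} - C:\WINDOWS\system32\cbabb.dll (file missing)
O2 - BHO: (no name) - {209B0D08-56E9-49BE-B4DD-A1DDF295F471} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SDHelper.dll
O2 - BHO: (no name) - {6148028B-D532-4417-8C0B-5A4A0B745393} - C:\WINDOWS\system32\iifebca.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {9772CB6D-C750-423F-90FD-B20F76B16B54} - (no file)
O2 - BHO: (no name) - {D4BFB257-D51A-42D1-A6EE-1EF55A93F884} - C:\WINDOWS\system32\jkheb.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason:32} {f.line}")
```

Run over those lines it returns nine candidates: the six orphaned BHOs listed above plus the three blanked R0 values (two of which are in the fix list). The Spybot SDHelper entry is "(no name)" but has a DLL on disk, so it is left alone. The script only surfaces candidates; deciding what to tick is still the helper's call.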

Unread postby wolverinegod » April 18th, 2007, 4:27 pm

I run that domain out of my house.

Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 4:26:51 PM, on 4/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
E:\windows defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
e:\avg\spyware\guard.exe
E:\diskeeper\DkService.exe
E:\Common Framework\FrameworkService.exe
E:\mcafee\Mcshield.exe
E:\mcafee\VsTskMgr.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
e:\toshiba\tme3\Tmesbs32.exe
e:\toshiba\tme3\Tmesrv31.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\TFNF5.exe
E:\toshiba\tme3\TMERzCtl.EXE
E:\toshiba\tme3\TMESBS32.EXE
e:\toshiba\tme3\TMEEJME.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\TPSMain.exe
E:\mcafee\SHSTAT.EXE
E:\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\TPSBattM.exe
E:\palmOne\Hotsync.exe
E:\launchy\Launchy.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
E:\texter\texter.exe
C:\WINDOWS\system32\wuauclt.exe
E:\avg\spyware\avgas.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\msiexec.exe
E:\firefox\firefox.exe
E:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\spybot\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - E:\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\adobe\acrobat\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\System32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TMESRV.EXE] e:\toshiba\tme3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] e:\toshiba\tme3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] e:\toshiba\tme3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ShStatEXE] "E:\mcafee\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "E:\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\windows defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Startup: Texter.lnk = E:\texter\texter.exe
O4 - Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - User Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - User Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - User Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - User Startup: Texter.lnk = E:\texter\texter.exe
O4 - User Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: hotsync.lnk = E:\palmOne\Hotsync.exe
O4 - Global Startup: Launchy.lnk = E:\launchy\Launchy.exe
O4 - Global Startup: PC Health.lnk = E:\toshiba\toshiba management console\TOSHealthLocalS.vbs
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - E:\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3209803735
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gmgdomain.local
O17 - HKLM\Software\..\Telephony: DomainName = gmgdomain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gmgdomain.local
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - E:\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - e:\avg\spyware\guard.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - E:\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - E:\mcafee\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - E:\mcafee\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - e:\toshiba\tme3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - e:\toshiba\tme3\Tmesrv31.exe

Thanks for all your help! Things seem to be running smoothly again.
wolverinegod
Active Member
 
Posts: 6
Joined: April 17th, 2007, 1:34 am

Unread postby Bob4 » April 18th, 2007, 6:00 pm

Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!






___________________________________
Please create a 'clean' System Restore Point:
The reason for doing this is so that if you need System Restore, you don't put back all we just took out.
Wouldn't be a smart move now, would it?

Right click My Computer.
Then Properties, then System Restore.
Place a check mark by Turn off System Restore.
Click APPLY.
Windows will give you a warning; click Yes.
REBOOT.

Now go right back to the same place and uncheck System Restore.
Click APPLY and OK.





___________________________________
A few things to help with possible threats
SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This tool bar will help protect you from:
  • Over 4,000 fake bank and credit sites.
  • Tens of thousands of pornographic and adult sites.
  • The never ending fake phishing sites.
  • Malicious sites, which can infect you with spyware and adware if you visit them.
  • Sites to download software which may infect your computer with spyware, a virus or adware.





___________________________________
Download and Install a HOSTS File
A Hosts file is a plain text file which prevents your computer from connecting to malware and spyware sites by redirecting the connection request to 127.0.0.1, which is your local address. If you use a proxy server, or if you are on AOL, be sure to read the special instructions.
You can download the MVPS Hosts File and see a HOSTS file tutorial here:
This website also contains useful tips, and links to other resources and utilities.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.




___________________________________
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post. Just find your country room and register your complaint.
The infection you had was Vundo.

Safe and Happy Surfing. :)
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
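The two hardening steps in the post above (a blocking HOSTS file and the Internet Explorer "Internet" zone settings) can both be checked from a script once the machine is clean. The following is an added example, not a tool from MalwareRemoval.com or the thread. The HOSTS text it parses is constructed; the registry path and value names (1001, 1004, 1201, 1800, 1804, 1607 under `Internet Settings\Zones\3`, with 0 = Enable, 1 = Prompt, 3 = Disable) are the standard per-user zone values that the Custom Level dialog writes. A hijacked HOSTS file is the opposite of what the post recommends: it maps hostnames to a non-local address, so the parser reports those separately.

```python
"""Post-cleanup hardening audit (added example; not part of the thread).

1. parse_hosts(): separate blocking entries (names mapped to 127.0.0.1 / 0.0.0.0)
   from suspicious entries that point a hostname at some other address.
2. audit_zone3(): compare Internet Explorer "Internet" zone values with the
   settings recommended in the post.
"""
import ipaddress
import sys

# Recommended IE Internet-zone values from the post: value name -> (setting, description).
# Settings: 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED_ZONE3 = {
    "1001": (1, "Download signed ActiveX controls -> Prompt"),
    "1004": (3, "Download unsigned ActiveX controls -> Disable"),
    "1201": (3, "Initialise and script ActiveX controls not marked as safe -> Disable"),
    "1800": (1, "Installation of desktop items -> Prompt"),
    "1804": (1, "Launching programs and files in an IFRAME -> Prompt"),
    "1607": (1, "Navigate sub-frames across different domains -> Prompt"),
}
SETTING_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed sample HOSTS content (line 6 is deliberately malformed).
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",
    "127.0.0.1 localhost",
    "127.0.0.1 ads.tracker.example            # blocking entry",
    "0.0.0.0   www.spywaresite.example        # blocking entry",
    "192.0.2.10 www.example-antivirus.example # suspicious: not a local address",
    "garbage-line",
])


def parse_hosts(text):
    """Return (blocked, redirected, malformed) from HOSTS file text.

    blocked    - hostnames mapped to a loopback/unspecified address (sinkholed)
    redirected - (hostname, address) pairs pointing somewhere else (hijack indicator)
    malformed  - (line number, raw line) for lines that are not 'address name...'
    """
    blocked, redirected, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            malformed.append((lineno, raw))
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        for name in parts[1:]:
            name = name.lower()
            if name == "localhost":
                continue  # the one loopback entry every HOSTS file has
            if ip.is_loopback or ip.is_unspecified:
                blocked.append(name)
            else:
                redirected.append((name, str(ip)))
    return blocked, redirected, malformed


def audit_zone3(current):
    """Compare Internet-zone values (name -> int) with the recommendations.

    Returns a list of (name, current_value, recommended_value, description)
    for every value that is missing or differs; an empty list means compliant.
    """
    findings = []
    for name, (wanted, desc) in RECOMMENDED_ZONE3.items():
        have = current.get(name)
        if have != wanted:
            findings.append((name, have, wanted, desc))
    return findings


def read_zone3_from_registry():
    """Read the per-user Internet zone values on Windows; return None elsewhere."""
    if not sys.platform.startswith("win"):
        return None
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, data, _kind = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            if name in RECOMMENDED_ZONE3:
                values[name] = data
            index += 1
    return values


if __name__ == "__main__":
    blocked, redirected, malformed = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} blocked, {len(redirected)} redirected, {len(malformed)} malformed")
    for name, addr in redirected:
        print(f"  SUSPICIOUS: {name} -> {addr}")
    zone = read_zone3_from_registry() or {"1001": 0, "1004": 3}  # sample when not on Windows
    for name, have, wanted, desc in audit_zone3(zone):
        print(f"  {name}: {SETTING_NAMES.get(have, have)} should be {SETTING_NAMES[wanted]} ({desc})")
```

On a live machine, point `parse_hosts` at `%SystemRoot%\system32\drivers\etc\hosts`; a long list of loopback entries is expected after installing the MVPS file, while any entry in the `redirected` list deserves a look, since that is how an infection silently reroutes update or security-vendor traffic.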

Unread postby wolverinegod » April 18th, 2007, 6:49 pm

Thanks for the help, I'm gonna have to learn a little bit more about HiJackThis! I very rarely (and I do mean VERY rarely) touch IE so I'm not as inclined to use software to protect it. I don't visit any sites except Windows Update through IE. That being said, I did create a "clean" restore point shortly after following your advice. Great job!!!
wolverinegod
Active Member
 
Posts: 6
Joined: April 17th, 2007, 1:34 am

Unread postby Bob4 » April 18th, 2007, 9:58 pm

You're more than welcome.
I was a victim once myself.
I joined this school right here to learn more. You can too.

http://www.malwareremoval.com/university_access/
Bob4
MRU Master
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Unread postby Shaba » April 20th, 2007, 2:08 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. See Nellie2's blog here or post in our dedicated forum here
The infection you had was ......
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland