KFRLS.DLL Removal

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Post by duffer » January 1st, 2009, 5:59 pm

I had a virus in the kfrls.dll file in the system32 folder. I removed the file and ran HijackThis.
It has an entry O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing) that I cannot fix.

Any ideas on how to fix this entry?

Logfile of HijackThis v1.99.1
Scan saved at 3:52:28 PM, on 1/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\highjackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {5ea35d6f-370f-62d9-3d54-c655200c7c97} - {79c7c002-556c-45d3-9d26-f073f6d53ae5} - C:\WINDOWS\system32\wxetty.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

Re: KFRLS.DLL Removal

Post by Bob4 » January 6th, 2009, 3:19 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant.
Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear.
So let's do this to the end!



  • Save and quit any work you're doing before beginning the fix.
  • All HijackThis logs I ask for should be done in normal mode (not safe mode).
  • These logs should be done last after you have followed my instructions in the previous post.
  • DO NOT be installing new programs while you run Hijackthis.
  • If I do not hear from you in 5 days from my last post this topic will be closed.


Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!




______________________________
RUN HJT

Run HijackThis, choose Scan only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.


O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)


Close that.





_____________________________
Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field to add the file path; copy and paste this file path in there.
If there is more than one file to scan, insert them one at a time.


C:\WINDOWS\system32\wxetty.dll


Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the result and post it here in this thread.

You may receive a message stating:
"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Just let me know if that is what you saw.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html





______________________________
Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file, Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Image to insert the attachment into your post



_______________________________________
Open Malwarebytes >> click on the LOG tab
Open and copy the first report you had done.
It will be in a dated value such as:
mbam-log-2009-01-02 (21-39-41).txt
I want the oldest log. That will be the earliest dated.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Jotti's/VirusTotal
  • The report from Malwarebytes anti malware
  • The reports (2) from DDS
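An added example (not from the thread and not HijackThis code): a small Python triage script that parses log lines of the kind quoted above and encodes the decisions Bob4 makes in this post, namely that an O2 BHO marked "(file missing)" is an orphaned registration to fix, an unnamed BHO loading from system32 is a file to submit for scanning, and an O23 "(file missing)" from HJT 1.99.1 is re-checked with the newer version (the 2.0.2 log later in this thread resolves those same services). The sample lines are copied from the logs in this thread; the severity labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {5ea35d6f-370f-62d9-3d54-c655200c7c97} - {79c7c002-556c-45d3-9d26-f073f6d53ae5} - C:\WINDOWS\system32\wxetty.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

MISSING = "(file missing)"
LINE_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
SEP_CLSID_RE = re.compile(r" - " + CLSID_RE.pattern)
DRIVE_RE = re.compile(r"[A-Za-z]:\\")


@dataclass
class Entry:
    section: str        # HJT section code: O2, O20, O23, ...
    kind: str           # text before the first ": " (BHO, Service, Winlogon Notify)
    name: str           # display name as HJT printed it (may itself be a CLSID)
    owner: str          # O23 only: the vendor HJT reported for the service
    clsids: list        # every {GUID} on the line, lower-cased
    path: str           # image path, cut before any quote that starts arguments
    file_missing: bool  # HJT appended "(file missing)"


def parse_hjt_line(line: str):
    """Parse one HijackThis log line into an Entry; return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    missing = rest.endswith(MISSING)
    if missing:
        rest = rest[: -len(MISSING)].rstrip()
    kind, sep, body = rest.partition(": ")
    if not sep:
        kind, body = "", rest
    clsids = [c.lower() for c in CLSID_RE.findall(body)]
    # The image path begins at the first "X:\"; a quote after it opens the argument string
    # (the v1.99.1 log on this page prints  GoogleUpdate.exe" /svc  in exactly that shape).
    path = ""
    dm = DRIVE_RE.search(body)
    if dm:
        path = body[dm.start():].split('"', 1)[0].strip()
        body = body[: dm.start()]
    # What remains, minus " - {CLSID}" segments and trailing separators, is the name.
    name = SEP_CLSID_RE.sub("", body).rstrip(" -").strip()
    owner = ""
    if section == "O23":
        head, sep2, tail = name.rpartition(" - ")
        if sep2:
            name, owner = head, tail
    return Entry(section, kind, name, owner, clsids, path, missing)


def triage(log_text: str):
    """Apply the thread's decisions to each entry; return (severity, section, name, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        e = parse_hjt_line(line)
        if e is None:
            continue
        in_system32 = "\\system32\\" in e.path.lower()
        unnamed = e.name == "(no name)" or CLSID_RE.fullmatch(e.name) is not None
        if e.section == "O2" and e.file_missing:
            findings.append(("fix", e.section, e.name, e.path,
                             "BHO DLL is gone but its CLSID is still registered: remove the entry (Fix checked)"))
        elif e.section == "O2" and in_system32 and unnamed:
            findings.append(("scan", e.section, e.name, e.path,
                             "unnamed BHO loading from system32: submit the DLL to a multi-engine scanner"))
        elif e.section == "O20":
            findings.append(("review", e.section, e.name, e.path,
                             "DLL loaded by winlogon: confirm the vendor before leaving it in place"))
        elif e.section == "O23" and e.file_missing:
            findings.append(("recheck", e.section, e.name, e.path,
                             "v1.99.1 reported quoted ImagePaths with arguments as missing; "
                             "re-scan with HJT 2.0.2 before acting"))
    return findings


if __name__ == "__main__":
    for severity, section, name, path, reason in triage(SAMPLE_LOG):
        print(f"[{severity:>7}] {section} {name} -> {path or '(no path)'}: {reason}")
```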

Re: KFRLS.DLL Removal

Post by duffer » January 6th, 2009, 8:15 pm

The wxetty.dll file could not be found on my computer, so no report from jotti.org.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:31 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\rundll32.exe
C:\highjackthis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

--
End of file - 9213 bytes

DDS (Version 1.1.0) - NTFSx86
Run by Tom at 18:04:11.67 on Tue 01/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.856 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\zimbra\zdesktop\zdesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\rundll32.exe
C:\highjackthis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/advanced_search?hl=en
uLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uSearch Bar = hxxp://www.google.com/ie
mLocal Page = c:\windows\pchealth\helpctr\system\panels\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: {0536321f-23fa-464f-8b53-12f03cff164e} - c:\windows\system32\kfrls.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CheckIt 86 Extension Class: {82df1118-9b92-45d8-b78f-1737a69a06e1} - c:\program files\checkit\86\CheckIt86.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Spamihilator] "c:\program files\spamihilator\spamihilator.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [MXO Auto Loader] c:\windows\MXOaldr.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRun: [msiexec.exe] msiconf.exe
StartupFolder: c:\docume~1\tom\startm~1\programs\startup\no-ipd~1.lnk - c:\program files\no-ip\DUC20.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp officejet g series\bin\hpoavn07.exe
IE: Add To CheckIt &86 Trust List - c:\progra~1\checkit\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: com.tw\www.msi
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgwlntf - avgwlntf.dll
Notify: LMIinit - LMIinit.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - Eudora's Shell Extension
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido\security suite\shellhook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\rqRKCsqo

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tom\applic~1\mozilla\firefox\profiles\default.vt9\
FF - prefs.js: browser.startup.homepage - hxxp://www.okhistory.org
FF - component: c:\program files\mozilla firefox\\components\browserdirprovider.dll
FF - component: c:\program files\mozilla firefox\\components\brwsrcmp.dll
FF - plugin: c:\documents and settings\tom\application data\mozilla\firefox\profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npsnapfish.dll

============= SERVICES / DRIVERS ===============

R0 AVG Anti-Rootkit;AVG Anti-Rootkit;c:\windows\system32\drivers\avgarkt.sys [2007-1-31 5632]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-1-5 28544]
R0 pkwwjrdy;pkwwjrdy;c:\windows\system32\drivers\pkwwjrdy.sys [2002-8-29 23424]
R1 AvgArCln;Avg Anti-Rootkit Clean Driver;c:\windows\system32\drivers\AvgArCln.sys [2008-5-20 3968]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2006-12-8 10760]
R1 AvgMfx86;AVG Minifilter x86 Resident Driver;c:\windows\system32\drivers\avgmfx86.sys [2006-12-8 26952]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-3-19 607576]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-3-2 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-3-2 49664]
R4 AvgCoreSvc;AVG7 Resident Shield Service;c:\progra~1\grisoft\avg7\avgrssvc.exe [2008-3-2 192512]
R4 ewido security suite control;ewido security suite control;c:\program files\ewido\security suite\ewidoctrl.exe [2005-11-30 13888]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-6 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-5 139264]
S3 ATICDSDr;ATICDSDr; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys --> c:\windows\system32\drivers\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-9-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-7 24447]
S4 Backup Server;Backup Server;c:\progra~1\novane~1\BACKUP~2.EXE [2004-1-5 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\google\update\GoogleUpdate.exe [2008-9-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\rainfo.sys --> c:\program files\logmein\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\tom\locals~1\temp\rlooccue.exe --> c:\docume~1\tom\locals~1\temp\RLOOCCUE.exe [?]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-20 16:25 2,180 -------- c:\windows\system32\d3d8caps.dat
2008-12-03 19:52 38,496 -------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:52 15,504 -------- c:\windows\system32\drivers\mbam.sys
2008-11-25 15:11 0 ----h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 15:02 92,064 -------- c:\documents and settings\tom\mqdmmdm.sys
2008-11-25 15:02 79,328 -------- c:\documents and settings\tom\mqdmserd.sys
2008-11-25 15:02 66,656 -------- c:\documents and settings\tom\mqdmbus.sys
2008-11-25 15:02 25,600 -------- c:\documents and settings\tom\usbsermptxp.sys
2008-11-25 15:02 22,768 -------- c:\documents and settings\tom\usbsermpt.sys
2008-11-25 15:02 9,232 -------- c:\documents and settings\tom\mqdmmdfl.sys
2008-11-25 15:02 6,208 -------- c:\documents and settings\tom\mqdmcmnt.sys
2008-11-25 15:02 5,936 -------- c:\documents and settings\tom\mqdmwhnt.sys
2008-11-25 15:02 4,048 -------- c:\documents and settings\tom\mqdmcr.sys
2008-11-21 15:47 524,288 -------- c:\windows\system32\DivXsm.exe
2008-11-21 15:47 3,596,288 -------- c:\windows\system32\qt-dx331.dll
2008-11-21 15:47 129,784 -------- c:\windows\system32\pxafs.dll
2008-11-21 15:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 15:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 15:46 1,044,480 -------- c:\windows\system32\libdivx.dll
2008-11-21 15:46 200,704 -------- c:\windows\system32\ssldivx.dll
2008-11-21 15:44 161,096 -------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 15:44 12,288 -------- c:\windows\system32\DivXWMPExtType.dll
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:35 83,288 -------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-16 20:35 28,984 -------- c:\windows\system32\LMIport.dll
2008-10-16 20:35 10,040 -------- c:\windows\system32\lmimirr2.dll
2008-10-16 20:35 23,736 -------- c:\windows\system32\lmimirr.dll
2008-10-16 20:35 87,352 -------- c:\windows\system32\LMIinit.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 -------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 -------- c:\windows\system32\muweb.dll
2004-02-11 18:25 560 -------- c:\documents and settings\tom\PCDOC.BAT
2004-02-06 20:00 26,296 -------- c:\docume~1\tom\applic~1\GDIPFONTCACHEV1.DAT
2008-05-06 20:53 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

============= FINISH: 18:05:04.10 ===============
Malwarebytes' Anti-Malware 1.31
Database version: 1589
Windows 5.1.2600 Service Pack 3

1/1/2009 3:00:55 PM
mbam-log-2009-01-01 (15-00-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 198374
Time elapsed: 1 hour(s), 13 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoci (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\Temp\winsinstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayyYRhf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Pmupubizebufisaw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekajiybyxyl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaqgdnjdwy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekawtykcnru.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaoyutowkt.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msiconf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\result.txt (Malware.Trace) -> Quarantined and deleted successfully.
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 7th, 2009, 11:22 am

IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

Utorrent

We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programmes.

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new HJT scan when finished and post the log back here.




________________________________

Go to
Start/control panel/add remove programs ;
And Uninstall


J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7 << they're outdated and replaced by Update 11, which you have


ewido security suite This program is no longer supported or Updated. Malwarebytes does what it used to and more.




__________________________________



OK, that O2 is being stubborn, isn't it!

Back up the registry


Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.






______________________________
Make a new folder on your desktop. Call it reg finder

Download Reg Finder
Extract the files to that folder on the desktop you just created.
Go into that folder and double click RegFinder.vbs.
If any of your software gives you a warning about running this just allow it. It's safe.
Type in kfrls.dll exactly into the text field that appears and hit enter.
Again... some protection software may flag the script...
just let it run.
It will let you know when it's done and a log should pop up. If it doesn't, there will be a file in the folder called results.txt

Post that for me.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: KFRLS.DLL REmoval

Unread postby duffer » January 7th, 2009, 8:31 pm

Stubborn is one word that did not come to mind for me.....

I uninstalled all as requested but get an error when attempting regscan.vbs

Line 235
char 1
Error Library not registered
code 8002801D
source (null)
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 7th, 2009, 8:56 pm

Let's try this one

Run Registry Search by Bobbi Flekman
Download (LINK >>>) Registry Search (<<< LINK) to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • In the top window copy/paste the following line
      kfrls.dll
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please save the text file at your desktop and call it found-entries.
Paste the results in your reply
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: KFRLS.DLL REmoval

Unread postby duffer » January 7th, 2009, 11:16 pm

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.6.0

; Results at 1/7/2009 9:14:26 PM for strings:
; 'kfrls.dll'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0536321F-23FA-464F-8B53-12F03CFF164E}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfrls.dll"

; End Of The Log...
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 8th, 2009, 8:24 am

Back up the registry


Open Notepad and copy the text in the box exactly to Notepad.


Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0536321F-23FA-464F-8B53-12F03CFF164E}]




Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

The file should look like this now.
Image



Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file.

Now double click the file on the desktop
When asked if you want this to merge with the registry, click YES!

Reboot the machine
________________________________

Post a new HJT log.

How are things running ?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
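An added example, not code from this thread or from any of the tools named in it: a small Python script that pulls the O2 BHO lines out of a HijackThis log, keeps the ones marked "(file missing)", and writes a .reg file that deletes both the Browser Helper Objects registration (the key HijackThis enumerates for O2) and the CLSID key (whose InprocServer32 value is the only place the string kfrls.dll appears, which is why Registry Search found nothing else). It also checks the .reg text for the missing closing bracket seen in the fragment above. The sample log lines are constructed from the HJT log posted in this thread; the script name and file name are my own.

```python
import re

# Registry locations behind an O2 BHO entry: the BHO registration that
# HijackThis enumerates, and the CLSID key whose InprocServer32 value holds
# the DLL path. Deleting only the CLSID key leaves the registration behind.
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)

# Constructed sample: lines copied from the HJT log in this thread.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\\WINDOWS\\system32\\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
"""


def parse_o2_entries(log_text):
    """Extract every O2 BHO line from a HijackThis log as a dict."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append({
                "name": m.group("name"),
                "clsid": m.group("clsid").upper(),
                "path": m.group("path"),
                "file_missing": m.group("missing") is not None,
            })
    return entries


def orphaned_bhos(entries):
    """BHOs whose DLL is gone: the registration outlived the deleted file."""
    return [e for e in entries if e["file_missing"]]


def build_removal_reg(clsids):
    """Build a .reg body that deletes the BHO registration and the CLSID key.

    A '-' right after '[' tells regedit to delete that key. The body uses CRLF
    line endings and ends with a blank line, as regedit expects."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines += [f"[-{BHO_ROOT}\\{clsid}]", "", f"[-{CLSID_ROOT}\\{clsid}]", ""]
    return "\r\n".join(lines) + "\r\n"


def check_reg_syntax(reg_text):
    """Return a list of problems; an empty list means the file looks importable.

    Catches the two mistakes discussed in the thread: a key line without its
    closing ']' and a file that does not end in a blank line."""
    problems = []
    lines = reg_text.splitlines()
    if not lines or lines[0] not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        problems.append("line 1: missing registry editor header")
    for number, line in enumerate(lines, start=1):
        if line.startswith("[") and not line.endswith("]"):
            problems.append(f"line {number}: key line is missing its closing ']'")
    if not reg_text.endswith(("\r\n\r\n", "\n\n")):
        problems.append("file does not end with a blank line")
    return problems


def write_reg(path, reg_text):
    """Write the .reg file without newline translation so CRLF survives."""
    with open(path, "w", encoding="ascii", newline="") as fh:
        fh.write(reg_text)


if __name__ == "__main__":
    orphans = orphaned_bhos(parse_o2_entries(SAMPLE_LOG))
    for e in orphans:
        print(f"orphaned BHO {e['clsid']} -> {e['path']}")
    reg = build_removal_reg([e["clsid"] for e in orphans])
    assert check_reg_syntax(reg) == []
    write_reg("remove-orphaned-bho.reg", reg)  # hypothetical output file name
    print(reg)
```

Back up the registry (ERUNT, as above) before merging the generated file, and review the .reg text first: the script trusts the log, so a legitimate BHO whose DLL is temporarily missing would be removed too.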

Re: KFRLS.DLL REmoval

Unread postby duffer » January 8th, 2009, 6:52 pm

It appears there was something missing from your code, but I ran it anyway. It appeared to make some change to the registry, but as you can see in the log, it did not fix the problem.

I have three boot disks in this computer: the primary disk, XP Pro, that we are working on; a Vista disk that I used for a while but never got used to Vista; and an Ubuntu disk that I play with once in a while.

Could we boot to the Vista disk, and is there a tool that would allow us to access the registry on the XP disk where we could try and fix these entries?

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:47:40 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\highjackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

--
End of file - 9094 bytes
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 8th, 2009, 7:12 pm

Let's try this first.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: KFRLS.DLL REmoval

Unread postby duffer » January 9th, 2009, 2:02 am

ComboFix 09-01-08.02 - Tom 2009-01-08 23:45:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1041 [GMT -6:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\windows media player\mplayer2.exe
.
---- Previous Run -------
.
c:\program files\windows media player\mplayer2.exe
c:\windows\Downloaded Program Files\rave
c:\windows\Downloaded Program Files\rave\avirexe.vdm
c:\windows\Downloaded Program Files\rave\avirscr.vdm
c:\windows\Downloaded Program Files\rave\base.vdm
c:\windows\Downloaded Program Files\rave\daily.vdm
c:\windows\Downloaded Program Files\rave\daily.vdt
c:\windows\Downloaded Program Files\rave\filters.vdm
c:\windows\Downloaded Program Files\rave\kernel.vdk
c:\windows\Downloaded Program Files\rave\keyring.vdk
c:\windows\Downloaded Program Files\rave\mapi_vdm.vdm
c:\windows\Downloaded Program Files\rave\modules.vdk
c:\windows\Downloaded Program Files\rave\rav8def.vdm
c:\windows\Downloaded Program Files\rave\rufs.vdm
c:\windows\Downloaded Program Files\rave\rufsplg.vdm
c:\windows\Downloaded Program Files\rave\unarch.vdm
c:\windows\Downloaded Program Files\rave\unmail.vdm
c:\windows\Downloaded Program Files\rave\unpack.vdm
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Downloaded Program Files\Temp
c:\windows\IE4 Error Log.txt
c:\windows\system32\open.ico
c:\windows\system32\system
c:\windows\system32\system\msxml4.dll
c:\windows\system32\system\msxml4r.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_R_SERVER
-------\Service_seneka
-------\Legacy_NPF
-------\Legacy_R_SERVER


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 21:13 . 2009-01-07 21:16 <DIR> d-------- C:\regsearch
2009-01-07 12:35 . 2009-01-07 12:35 <DIR> d-------- c:\program files\ERUNT
2009-01-07 12:32 . 2009-01-07 18:24 <DIR> d-------- C:\Reg Finder
2009-01-05 17:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- c:\program files\Panda Security
2009-01-01 16:37 . 2009-01-01 16:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-01 12:27 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Georgia\Application Data\Malwarebytes
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Opera
2008-12-31 21:17 . 2008-12-31 21:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 19:33 . 2009-01-07 21:08 <DIR> d-------- C:\1avgtemp1
2008-12-24 15:09 . 2009-01-07 21:32 250 --a------ c:\windows\gmer.ini
2008-12-24 12:59 . 2009-01-07 21:59 <DIR> d-------- C:\1avgtemp
2008-12-24 12:44 . 2008-12-24 12:47 11,164,087 --------- c:\windows\system32\TAQAUEZOZJR
2008-12-23 03:24 . 2008-12-23 03:24 665,088 --------- c:\windows\system32\spsplib1.dll
2008-12-17 17:16 . 2008-12-17 17:32 <DIR> d-------- c:\windows\NV36961336.TMP
2008-12-17 17:16 . 2008-09-17 23:55 453,152 --------- c:\windows\system32\nvuninst.exe
2008-12-17 17:16 . 2008-09-17 23:55 201,050 --------- c:\windows\system32\nvapps.nvb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 05:36 --------- d-----w c:\documents and settings\Tom\Application Data\Spamihilator
2009-01-08 22:44 --------- d-----w c:\documents and settings\Tom\Application Data\AVG7
2009-01-07 18:34 --------- d-----w c:\documents and settings\Tom\Application Data\uTorrent
2009-01-07 18:33 --------- d-----w c:\program files\Java
2009-01-07 18:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 23:12 --------- d-----w c:\program files\QuoteTracker
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 18:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 18:13 --------- d-----w c:\program files\Spamihilator
2009-01-01 03:46 --------- d-----w c:\program files\YPOPs
2008-12-27 01:04 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2008-12-18 23:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 21:29 --------- d-----w c:\documents and settings\Tom\Application Data\Thinstall
2008-12-06 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-12-06 16:58 --------- d-----w c:\documents and settings\Tom\Application Data\DivX
2008-12-06 16:56 --------- d-----w c:\program files\DivX
2008-12-05 03:06 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-25 21:11 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 21:08 --------- d-----w c:\program files\Motorola Phone Tools
2008-11-25 21:04 --------- d-----w c:\program files\Common Files\Motorola Shared
2008-11-25 21:02 92,064 ------w c:\documents and settings\Tom\mqdmmdm.sys
2008-11-25 21:02 9,232 ------w c:\documents and settings\Tom\mqdmmdfl.sys
2008-11-25 21:02 79,328 ------w c:\documents and settings\Tom\mqdmserd.sys
2008-11-25 21:02 66,656 ------w c:\documents and settings\Tom\mqdmbus.sys
2008-11-25 21:02 6,208 ------w c:\documents and settings\Tom\mqdmcmnt.sys
2008-11-25 21:02 5,936 ------w c:\documents and settings\Tom\mqdmwhnt.sys
2008-11-25 21:02 4,048 ------w c:\documents and settings\Tom\mqdmcr.sys
2008-11-25 21:02 25,600 ------w c:\documents and settings\Tom\usbsermptxp.sys
2008-11-25 21:02 22,768 ------w c:\documents and settings\Tom\usbsermpt.sys
2004-02-12 00:25 560 ------w c:\documents and settings\Tom\PCDOC.BAT
2004-02-07 02:00 26,296 ------w c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 02:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Spamihilator"="c:\program files\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-11-16 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-03-02 16:20 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
backup=c:\windows\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinVNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2002-08-29 06:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-29 06:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2003-03-15 22:46 168448 c:\windows\realtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2003-09-20 19:12 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-10-30 08:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2008-09-17 23:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=3 (0x3)
"TermService"=2 (0x2)
"Backup Server"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMan"=SOUNDMAN.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TPP Auto Loader"=c:\windows\tppaldr.exe
"ATIPTA"=c:\mea\WINDOWS\SYSTEM32\atiptaxx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Spamihilator\\cdcc.exe"=
"c:\\Program Files\\Spamihilator\\dccproc.exe"=
"c:\\Program Files\\Spamihilator\\spamihilator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-05 28544]
R0 pkwwjrdy;pkwwjrdy;c:\windows\system32\drivers\pkwwjrdy.sys [2002-08-29 23424]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-06 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-05 139264]
S3 ATICDSDr;ATICDSDr; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-07 24447]
S4 Backup Server;Backup Server;c:\progra~1\NOVANE~1\BACKUP~2.EXE [2004-01-05 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 17:54]

2009-01-09 c:\windows\Tasks\mnyzdial.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0536321F-23FA-464F-8B53-12F03CFF164E} - c:\windows\system32\kfrls.dll
HKU-Default-Run-msiexec.exe - msiconf.exe
ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add To CheckIt &86 Trust List - c:\progra~1\CheckIt\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.msi.com.tw

O16 -: DirectAnimation Java Classes - file://c:\i386\DAJAVA.CAB
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\i386\XMLDSO.CAB
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://tw.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\
FF - prefs.js: browser.startup.homepage - hxxp://www.okhistory.org
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 23:53:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avgwlntf.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-01-08 23:58:49 - machine was rebooted [Tom]
ComboFix-quarantined-files.txt 2009-01-09 05:58:27

Pre-Run: 50,560,655,360 bytes free
Post-Run: 50,480,070,656 bytes free

302 --- E O F --- 2008-12-12 09:03:41

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:14 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\highjackthis\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

--
End of file - 8981 bytes
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 9th, 2009, 8:12 am

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

If you need help disabling your antivirus, visit this link.
http://www.bleepingcomputer.com/forums/topic114351.html

3. Open notepad and copy/paste the text in the quotebox below into it:


File::
c:\windows\NV36961336.TMP

DirLook::
c:\windows\system32\TAQAUEZOZJR
C:\1avgtemp1

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0536321F-23FA-464F-8B53-12F03CFF164E}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0536321F-23FA-464F-8B53-12F03CFF164E}]



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER !!


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from ComboFix
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: KFRLS.DLL REmoval

Unread postby duffer » January 9th, 2009, 9:14 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:32 AM, on 1/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\zimbra\zdesktop\zdesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spamihilator\spamihilator.exe
C:\WINDOWS\MXOaldr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
C:\Program Files\No-IP\DUC20.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\highjackthis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0536321F-23FA-464F-8B53-12F03CFF164E} - C:\WINDOWS\system32\kfrls.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: HPAiODevice(hp officejet g series) - 3.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3661854406
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://www.youbet.net/wr_5_8/controls/ybrequest.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp ... atools.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Google Update Service (gupdate1c9202de24f0e3e) (gupdate1c9202de24f0e3e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Yahoo! Zimbra Desktop Service - Unknown owner - C:\zimbra\zdesktop\zdesktop.exe

--
End of file - 8934 bytes
ComboFix 09-01-08.04 - Tom 2009-01-09 6:33:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.951 [GMT -6:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\NV36961336.TMP
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_R_SERVER


((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-07 21:13 . 2009-01-07 21:16 <DIR> d-------- C:\regsearch
2009-01-07 12:35 . 2009-01-07 12:35 <DIR> d-------- c:\program files\ERUNT
2009-01-07 12:32 . 2009-01-07 18:24 <DIR> d-------- C:\Reg Finder
2009-01-05 17:25 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-01-05 17:24 . 2009-01-05 17:24 <DIR> d-------- c:\program files\Panda Security
2009-01-01 16:37 . 2009-01-01 16:37 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-01 12:27 . 2009-01-01 12:27 <DIR> d-------- c:\documents and settings\Georgia\Application Data\Malwarebytes
2008-12-31 21:22 . 2008-12-31 21:22 <DIR> d-------- c:\program files\Opera
2008-12-31 21:17 . 2008-12-31 21:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-26 19:33 . 2009-01-07 21:08 <DIR> d-------- C:\1avgtemp1
2008-12-24 15:09 . 2009-01-09 00:06 250 --a------ c:\windows\gmer.ini
2008-12-24 12:59 . 2009-01-09 06:25 <DIR> d-------- C:\1avgtemp
2008-12-24 12:44 . 2008-12-24 12:47 11,164,087 --------- c:\windows\system32\TAQAUEZOZJR
2008-12-23 03:24 . 2008-12-23 03:24 665,088 --------- c:\windows\system32\spsplib1.dll
2008-12-17 17:16 . 2008-12-17 17:32 <DIR> d-------- c:\windows\NV36961336.TMP
2008-12-17 17:16 . 2008-09-17 23:55 453,152 --------- c:\windows\system32\nvuninst.exe
2008-12-17 17:16 . 2008-09-17 23:55 201,050 --------- c:\windows\system32\nvapps.nvb

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 05:36 --------- d-----w c:\documents and settings\Tom\Application Data\Spamihilator
2009-01-08 22:44 --------- d-----w c:\documents and settings\Tom\Application Data\AVG7
2009-01-07 18:34 --------- d-----w c:\documents and settings\Tom\Application Data\uTorrent
2009-01-07 18:33 --------- d-----w c:\program files\Java
2009-01-07 18:31 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-05 00:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-05 00:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-04 23:12 --------- d-----w c:\program files\QuoteTracker
2009-01-01 18:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-01 18:46 --------- d-----w c:\program files\SpywareBlaster
2009-01-01 18:13 --------- d-----w c:\program files\Spamihilator
2009-01-01 03:46 --------- d-----w c:\program files\YPOPs
2008-12-27 01:04 --------- d-----w c:\documents and settings\Tom\Application Data\Move Networks
2008-12-18 23:04 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-06 21:29 --------- d-----w c:\documents and settings\Tom\Application Data\Thinstall
2008-12-06 21:23 --------- d-----w c:\documents and settings\All Users\Application Data\LogMeIn
2008-12-06 16:58 --------- d-----w c:\documents and settings\Tom\Application Data\DivX
2008-12-06 16:56 --------- d-----w c:\program files\DivX
2008-12-05 03:06 --------- d-----w c:\program files\Windows Live Safety Center
2008-11-25 21:11 0 ---h--w c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2008-11-25 21:08 --------- d-----w c:\program files\Motorola Phone Tools
2008-11-25 21:04 --------- d-----w c:\program files\Common Files\Motorola Shared
2008-11-25 21:02 92,064 ------w c:\documents and settings\Tom\mqdmmdm.sys
2008-11-25 21:02 9,232 ------w c:\documents and settings\Tom\mqdmmdfl.sys
2008-11-25 21:02 79,328 ------w c:\documents and settings\Tom\mqdmserd.sys
2008-11-25 21:02 66,656 ------w c:\documents and settings\Tom\mqdmbus.sys
2008-11-25 21:02 6,208 ------w c:\documents and settings\Tom\mqdmcmnt.sys
2008-11-25 21:02 5,936 ------w c:\documents and settings\Tom\mqdmwhnt.sys
2008-11-25 21:02 4,048 ------w c:\documents and settings\Tom\mqdmcr.sys
2008-11-25 21:02 25,600 ------w c:\documents and settings\Tom\usbsermptxp.sys
2008-11-25 21:02 22,768 ------w c:\documents and settings\Tom\usbsermpt.sys
2004-02-12 00:25 560 ------w c:\documents and settings\Tom\PCDOC.BAT
2004-02-07 02:00 26,296 ------w c:\documents and settings\Tom\Application Data\GDIPFONTCACHEV1.DAT
2008-05-07 02:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\1avgtemp1 ----

2008-12-27 03:08 159 --a------ c:\1avgtemp1\remove.bat
2008-12-26 19:33 36805 --a------ c:\1avgtemp1\btcln.zip
2008-04-17 21:13 811008 --a------ c:\1avgtemp1\gmer.exe
2007-12-21 10:47 68096 --a------ c:\1avgtemp1\btcln.exe

---- Directory of c:\windows\system32\TAQAUEZOZJR ----

c:\windows\system32\TAQAUEZOZJR\


((((((((((((((((((((((((((((( snapshot@2009-01-08_23.57.09.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-09 12:37:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_614.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0536321F-23FA-464F-8B53-12F03CFF164E}]
c:\windows\system32\kfrls.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-16 590848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"Spamihilator"="c:\program files\Spamihilator\spamihilator.exe" [2008-12-23 1321984]
"MXO Auto Loader"="c:\windows\MXOaldr.exe" [2002-08-09 118784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-31 136600]
"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-03-02 219136]

c:\documents and settings\Tom\Start Menu\Programs\Startup\
No-IP DUC.lnk - c:\program files\No-IP\DUC20.exe [2006-11-16 1172992]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp officejet g series) - 3.lnk - c:\program files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe [2002-11-20 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2008-03-02 16:20 9216 c:\windows\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete\0pgdfgsvc C 1

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 1.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk.disabled]
backup=c:\windows\pss\Microsoft Office.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk.disabled]
backup=c:\windows\pss\WinZip Quick Pick.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tom^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
--a------ 2002-08-29 06:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-03 23:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---h----- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2002-08-29 06:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--------- 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--------- 2008-09-17 23:55 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDRealtime]
--------- 2003-03-15 22:46 168448 c:\windows\realtime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2002-08-29 06:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--------- 2003-09-20 19:12 77824 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--------- 2008-09-16 11:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--------- 2008-10-30 08:40 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--------- 2008-09-17 23:55 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"winvnc"=2 (0x2)
"TapiSrv"=2 (0x2)
"SCardSvr"=3 (0x3)
"RDSessMgr"=2 (0x2)
"RasMan"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)
"Browser"=3 (0x3)
"TermService"=2 (0x2)
"Backup Server"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SoundMan"=SOUNDMAN.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"TPP Auto Loader"=c:\windows\tppaldr.exe
"ATIPTA"=c:\mea\WINDOWS\SYSTEM32\atiptaxx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Spamihilator\\cdcc.exe"=
"c:\\Program Files\\Spamihilator\\dccproc.exe"=
"c:\\Program Files\\Spamihilator\\spamihilator.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-01-05 28544]
R0 pkwwjrdy;pkwwjrdy;c:\windows\system32\drivers\pkwwjrdy.sys [2002-08-29 23424]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-12-06 47640]
R4 Yahoo! Zimbra Desktop Service;Yahoo! Zimbra Desktop Service;c:\zimbra\zdesktop\zdesktop.exe [2008-12-05 139264]
S3 ATICDSDr;ATICDSDr; [x]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]
S3 radpms;Driver for RADPMS Device;c:\windows\system32\DRIVERS\radpms.sys --> c:\windows\system32\DRIVERS\radpms.sys [?]
S3 SetupNTGLM7X;SetupNTGLM7X; [x]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [2005-10-07 24447]
S4 Backup Server;Backup Server;c:\progra~1\NOVANE~1\BACKUP~2.EXE [2004-01-05 576512]
S4 gupdate1c9202de24f0e3e;Google Update Service (gupdate1c9202de24f0e3e);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 133104]
S4 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\LogMeIn\x86\RaInfo.sys --> c:\program files\LogMeIn\x86\RaInfo.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\defrag.job
- c:\windows\system32\defrag.exe [2008-04-13 18:12]

2009-01-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-26 17:54]

2009-01-09 c:\windows\Tasks\mnyzdial.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
mLocal Page = c:\windows\PCHealth\HelpCtr\System\panels\blank.htm
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add To CheckIt &86 Trust List - c:\progra~1\CheckIt\86\AddToTrustList.js
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.msi.com.tw

O16 -: DirectAnimation Java Classes - file://c:\i386\DAJAVA.CAB
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\i386\XMLDSO.CAB
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {8167C273-DF59-4416-B647-C8BB2C7EE83E} - hxxp://tw.msi.com.tw/autobios/LOnline/install.cab
c:\windows\Downloaded Program Files\MSIWDev.inf
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\
FF - prefs.js: browser.startup.homepage - hxxp://www.okhistory.org
FF - plugin: c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\default.vt9\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-09 07:05:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\5.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\avgwlntf.dll
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Grisoft\AVG7\avgamsvr.exe
c:\program files\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgrssvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\windows\system32\hpoipm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-01-09 7:11:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-09 13:10:58
ComboFix2.txt 2009-01-09 05:58:50

Pre-Run: 50,446,417,920 bytes free
Post-Run: 50,432,856,064 bytes free

281 --- E O F --- 2008-12-12 09:03:41
duffer
Regular Member
 
Posts: 27
Joined: December 29th, 2005, 7:43 pm
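The log above is read by hand in this thread: the helper picks out the driver with a random name, the executable sitting in a Temp directory, the scheduled task that launches rundll32.exe, and the orphaned BHO. As an added example that is not part of the post or of ComboFix, the script below applies that same first pass mechanically to the line formats ComboFix prints (service lines of the form "R0 name;display;image [date size]", the 'Scheduled Tasks' pairs, the firewall policy keys and bare "path [tag]" loading points). The sample input is copied from the log above, including two benign entries as controls; every rule is this example's own heuristic, and a hit means "look at this first", not "malicious".

```python
"""First-pass triage of ComboFix-style autostart, service, task and firewall lines.

Added example; not part of the forum post and not ComboFix's own logic.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (entry, reason)

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(c:\\windows\\tasks\\\S+\.job)$", re.I)
TASK_TARGET_RE = re.compile(r"^-\s+(\S.*?)\s+\[")
PATH_TAG_RE = re.compile(r"^([a-z]:\\\S.*?)\s+(\[[^\]]*\])$", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=')
# ComboFix appends "[YYYY-MM-DD size]" when it could read the file; any other
# bracket content ([?], [x], [BU]) means it did not get date and size.
STAMP_RE = re.compile(r"\[\d{4}-\d{2}-\d{2}\s+\d+\]$")
TEMP_RE = re.compile(r"\\temp\\", re.I)

# Constructed sample: lines excerpted from the ComboFix log in this thread.
SAMPLE_LINES = [
    r"R0 pkwwjrdy;pkwwjrdy;c:\windows\system32\drivers\pkwwjrdy.sys [2002-08-29 23424]",
    r"S3 ATICDSDr;ATICDSDr; [x]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\5.tmp --> c:\windows\system32\5.tmp [?]",
    r"S3 TPP300;USB Storage Adapter V3 (TPP);c:\windows\system32\drivers\TPP300.SYS [2003-09-29 33669]",
    r"S4 RLOOCCUE;RLOOCCUE;c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe --> c:\docume~1\Tom\LOCALS~1\Temp\RLOOCCUE.exe [?]",
    r"2009-01-09 c:\windows\Tasks\defrag.job",
    r"- c:\windows\system32\defrag.exe [2008-04-13 18:12]",
    r"2009-01-09 c:\windows\Tasks\mnyzdial.job",
    r"- c:\windows\system32\rundll32.exe [2008-04-13 18:12]",
    r'"EnableFirewall"= 0 (0x0)',
    r'"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009',
    r"c:\windows\system32\kfrls.dll [BU]",
]


def _image_flags(image: str) -> List[str]:
    """Reasons tied to the image path and its bracket tag."""
    image = image.strip()
    if not image or image.startswith("["):
        return ["no image path recorded"]
    reasons = []
    if not STAMP_RE.search(image):
        reasons.append("no file date/size in the bracket tag (ComboFix did not read the file)")
    if TEMP_RE.search(image):
        reasons.append("executable lives in a Temp directory")
    if re.search(r"\.tmp(\s|$)", image, re.I):
        reasons.append("image is a .tmp file")
    return reasons


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    pending_job = None  # set while waiting for the "- target" line of a .job
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, image = m.groups()
            entry = f"{start} {name}"
            for reason in _image_flags(image):
                findings.append((entry, reason))
            # A single-token service with no descriptive display name is worth a look.
            if display.strip().lower() == name.lower() and re.fullmatch(r"\w+", name):
                findings.append((entry, "display name is just the service name"))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m.group(1)
            continue
        m = TASK_TARGET_RE.match(line)
        if m and pending_job:
            if m.group(1).lower().endswith("\\rundll32.exe"):
                findings.append((pending_job, "task runs rundll32.exe; the DLL it loads is not on this line, open the .job"))
            pending_job = None
            continue
        if line.startswith('"EnableFirewall"=') and line.endswith("0 (0x0)"):
            findings.append(("EnableFirewall", "Windows Firewall is off for the standard profile"))
            continue
        m = PORT_RE.match(line)
        if m:
            findings.append((f"{m.group(1)}:{m.group(2)}", "port opened to all networks in the firewall policy"))
            continue
        m = PATH_TAG_RE.match(line)
        if m and not STAMP_RE.search(line):
            findings.append((m.group(1), f"loading point tagged {m.group(2)} instead of a date/size"))
    return findings


def flagged_entries(lines: List[str]) -> set:
    """Just the entries that got at least one finding."""
    return {entry for entry, _ in triage(lines)}


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LINES):
        print(f"{entry:45} {reason}")
```

Run as is, it flags pkwwjrdy, MEMSWEEP2, RLOOCCUE, ATICDSDr, mnyzdial.job, the disabled firewall, the open 3389/TCP port and the kfrls.dll loading point, and leaves TPP300 and defrag.job alone. Feed it the full log with `triage(open("ComboFix.txt").read().splitlines())`; the output is a reading list, and each item still needs the kind of lookup the helper asks for next.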

Re: KFRLS.DLL REmoval

Unread postby Bob4 » January 9th, 2009, 9:19 pm

__________________________________
Search for and remove
I want you to search for and delete the following file if present.
Please just remove the files/folders I listed in BOLD:
c:\windows\Tasks\mnyzdial.job

_____________________________
Submit a file to Jotti
Please go here: http://virusscan.jotti.org/
At the top of the page there is a field to add the file path; copy and paste these file paths in there one at a time.

c:\windows\system32\drivers\pkwwjrdy.sys

c:\documents and settings\Tom\LOCAL SETTINGS\Temp\RLOOCCUE.exe

The second one may not be present.

Then hit Submit.
The scan will take a while before the result comes up, so please be patient.
Then copy the result and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html

_________________________
In your next reply I would like to see:

  • The reports (2) from Jotti's/VirusTotal
  • Were you able to delete mnyzdial.job?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
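The two instructions above ("delete this file", "submit these files for scanning") are done in the right order only if the file's identity is recorded and a copy is kept before anything is deleted: once mnyzdial.job is gone, nobody can hash it or look at what it launched. As an added example that is not part of the post and has nothing to do with Jotti's or VirusTotal's own code, the script below records size, modification time and MD5/SHA-1/SHA-256 for each listed path, copies the file into a quarantine directory under its SHA-256 so the evidence survives, and only then removes the original when asked to. A SHA-256 can be searched on VirusTotal without uploading anything. Paths that do not exist are reported as absent rather than treated as errors, since the helper notes one of the two files may already be gone. The file names and contents in `demo()` are constructed; on the infected machine you would pass the paths from the post instead.

```python
"""Preserve, hash and (optionally) remove suspect files before sending them for scanning.

Added example; not part of the forum post, and not code from any tool named in it.
"""
import hashlib
import os
import shutil
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

CHUNK = 1 << 20


@dataclass
class SuspectRecord:
    path: str
    present: bool
    size: Optional[int] = None
    mtime_utc: Optional[str] = None
    md5: Optional[str] = None
    sha1: Optional[str] = None
    sha256: Optional[str] = None
    quarantined_as: Optional[str] = None
    removed: bool = False


def hash_file(path: str) -> Dict[str, str]:
    """Stream the file once, feeding all three digests."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def process_suspects(paths: List[str], quarantine_dir: str, remove: bool = False) -> List[SuspectRecord]:
    """Record, quarantine, then (if remove=True) delete each listed path that exists."""
    os.makedirs(quarantine_dir, exist_ok=True)
    records = []
    for path in paths:
        rec = SuspectRecord(path=path, present=os.path.isfile(path))
        if not rec.present:
            records.append(rec)  # absent: reported, not an error
            continue
        st = os.stat(path)
        rec.size = st.st_size
        rec.mtime_utc = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
        h = hash_file(path)
        rec.md5, rec.sha1, rec.sha256 = h["md5"], h["sha1"], h["sha256"]
        dest = os.path.join(quarantine_dir, rec.sha256 + ".bin")
        if not os.path.exists(dest):       # identical content already kept
            shutil.copy2(path, dest)       # copy2 preserves the original timestamps
        rec.quarantined_as = dest
        if remove:
            os.remove(path)                # only after the copy and the hashes exist
            rec.removed = True
        records.append(rec)
    return records


# Constructed placeholder content for the demo; not a real scheduled-task file.
SAMPLE_CONTENT = b"placeholder bytes standing in for a suspect .job file\n"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def demo() -> dict:
    """Run against a scratch directory: one present file, one absent path (both constructed)."""
    root = tempfile.mkdtemp(prefix="suspects-")
    present = os.path.join(root, "mnyzdial.job")
    absent = os.path.join(root, "Temp", "RLOOCCUE.exe")
    with open(present, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    qdir = os.path.join(root, "quarantine")
    records = process_suspects([present, absent], qdir, remove=True)
    summary = {
        "records": records,
        "quarantine_file_exists": os.path.isfile(records[0].quarantined_as),
        "original_exists": os.path.exists(present),
    }
    shutil.rmtree(root)
    return summary


if __name__ == "__main__":
    for rec in demo()["records"]:
        print(rec)
```

The quarantine copy lives on the same disk as the infection, so move it to clean media before rebuilding or cleaning the machine; the hash in the record is what you paste into the scanner's search box, and it also lets you tell later whether a "new" file with the same name is the same sample.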

Re: KFRLS.DLL REmoval

Unread postby duffer » January 9th, 2009, 9:50 pm

Yes, mnyzdial.job was deleted.
The second file was not found.

Scan taken on 10 Jan 2009 01:41:45 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing