Full Version: Something Keeping Ad-aware 2007 Free From Running (possible Vundo?)
RumikoX3
This is all really bad for me because I'm in college and I need to be able to use my computer for classwork, but it's all but useless in the state it is now. Help!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:55:57 PM, on 10/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SYSTEM32\lqdsrngl.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...n7hqowvo5ENw0UX
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\swinrmds.exe CHD003
O4 - HKLM\..\Run: [{46-6A-AB-B3-ZN}] C:\WINDOWS\SYSTEM32\lqdsrngl.exe CHD003
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\qcejguml.dll",sitypnow
O4 - HKCU\..\Run: [WinAntiVirusPro2007] C:\Program Files\WinAntiVirus Pro 2007\winav.exe /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\lqdsrngl.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\swinrmds.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\pkdkwusk.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8211 bytes
LS CalamityJane
Hello RumikoX3,

Thanks for posting your log. You definitely have Vundo showing, and the newest variants are blocking security programs from running properly, causing lots of problems for users. It's a difficult-to-remove parasite using normal scanners, but I think we can help.

We'll need to start with some special (free) tools. Please follow these steps next:

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will reboot your computer,
    click OK.
  • Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
...................
Next, please run this free tool and post the log it generates as well:
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


2. Double click on combofix.exe & follow the prompts.

Do NOT click on the window while the fix is running, because that will cause your system to hang and the fix to stall.

3. When finished, it shall produce a log for you, Combofix.txt. Post that log in your next reply

..................
Finally, when done with those, please scan once more with HijackThis and post a fresh scan log from it also.

Logs needed in your next reply are:

C:\vundofix.txt

C:\ComboFix.txt

A fresh HiJackThis log
RumikoX3
Alright, here they are.

QUOTE
VundoFix V6.5.10

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:13:14 PM 10/21/2007

Listing files found while scanning....


Beginning removal...

Beginning removal...

VundoFix V6.5.10

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 4:26:23 PM 10/21/2007

Listing files found while scanning....



QUOTE
ComboFix 07-10-20.6 - Hollie Zimmerman 2007-10-21 16:52:45.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.71 [GMT -4:00]
Running from: C:\Documents and Settings\Hollie Zimmerman\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Application Data\Starware349
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaykeyword.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ebaysearch.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Highlight.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\HighlightHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlighthotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\highlightxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\starware_toolbar_icon.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\related.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware349\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\errorsafefreeinstallw[1].exe
C:\Documents and Settings\Hollie Zimmerman\Application Data\install.dat
C:\Documents and Settings\Hollie Zimmerman\Application Data\install.dat
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Configurator\Configurator.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Configurator\Configurator.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Configurator\Configurator.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Configurator\Configurator.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbayKeyword\EbayKeywordOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\EbaySearch\EbaySearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\GamesOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\GamesOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\GamesOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\GamesOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\images\active\Games0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Games\images\active\Games0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\HoroscopesMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\images\active\HoroscopesMarketingSitePager0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\HoroscopesMarketingSitePager\images\active\HoroscopesMarketingSitePager0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Manager\ManagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Manager\ManagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\images\active\Movies0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\MoviesOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\MoviesOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Movies\MoviesOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Reference\ReferenceOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Reference\ReferenceOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\AlertArchive.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\AlertArchive.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\WeatherOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\WeatherOptions.xml
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\Application Data\Starware349\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Hollie Zimmerman\err.log
C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\Startup\think-adz.lnk
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\WA7P
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-21 17:02 52,763 --a------ C:\WINDOWS\SYSTEM32\dwdsrngt.exe
2007-10-21 16:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 16:13 <DIR> d-------- C:\VundoFix Backups
2007-10-21 15:40 <DIR> d-------- C:\FONTS
2007-10-18 23:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-18 23:50 <DIR> d-------- C:\Program Files\PlayFirst
2007-10-15 14:39 <DIR> d-------- C:\Program Files\Fish Tycoon
2007-10-12 22:57 141,612 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dump_wmimmc.sys
2007-10-12 22:56 4,682 --a------ C:\WINDOWS\SYSTEM32\npptNT2.sys
2007-10-07 23:21 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Magic Academy
2007-10-03 16:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 12:25 <DIR> d-------- C:\Program Files\Plant Tycoon
2007-09-30 15:09 28,172 --a------ C:\WINDOWS\SYSTEM32\swinrmdt.exe
2007-09-23 20:58 <DIR> d-------- C:\Program Files\Ancient Mosaic
2007-09-23 16:57 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Jane s Hotel
2007-09-22 20:28 <DIR> d-------- C:\Program Files\The Magicians Handbook - Cursed Valley
2007-09-22 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-21 21:24 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Move Networks
2007-09-21 18:24 <DIR> d-------- C:\Program Files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 03:50 --------- d-----w C:\Documents and Settings\Hollie Zimmerman\Application Data\PlayFirst
2007-10-19 03:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-19 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 00:25 5,864 ----a-w C:\Program Files\install.log
2007-10-08 03:18 --------- d-----w C:\Program Files\Shockwave.com
2007-10-06 18:40 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-03 22:58 --------- d-----w C:\Program Files\QuickTime
2007-10-03 22:58 --------- d-----w C:\Program Files\Apoint
2007-10-03 20:32 --------- d-----w C:\Program Files\America Online 9.0
2007-10-03 20:25 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-03 20:17 --------- d-----w C:\Program Files\The Adventure Company
2007-09-22 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-09-21 02:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-20 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-09-18 03:50 --------- d-----w C:\Documents and Settings\Hollie Zimmerman\Application Data\ForgottenRiddles
2007-09-14 13:25 --------- d--h--w C:\Program Files\Zero G Registry
2007-09-07 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Aveyond I
2007-08-28 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-08-28 19:30 --------- d-----w C:\Program Files\bfgclient
2007-02-24 01:50 21,822,168 ----a-w C:\Program Files\AdbeRdr80_en_US.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

-c--a-w 155,648 2004-02-02 20:32:16 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Apoint\Apoint.exe

-c--a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

-c--a-w 53,248 2004-04-11 16:43:44 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

-c--a-w 290,816 2004-04-12 01:15:14 C:\Program Files\Dell\Media Experience\bak\PCMService.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Dell\Media Experience\PCMService.exe

----a-w 49,152 2004-02-12 17:38:56 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

----a-w 241,664 2004-05-12 19:18:56 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

-c--a-w 32,881 2003-11-19 22:48:14 C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

-c--a-w 303,104 2005-09-22 23:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\McAfee.com\Agent\mcagent.exe

-c--a-w 135,168 2003-09-02 20:41:38 C:\Program Files\McAfee.com\Agent\bak\mcregwiz.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\McAfee.com\Agent\mcregwiz.exe

-c--a-w 212,992 2006-01-11 17:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\McAfee.com\Agent\mcupdate.exe

-c--a-w 122,880 2003-08-08 23:02:10 C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe

-c--a-w 53,248 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

-c--a-w 131,072 2004-04-19 19:45:52 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

-c--a-w 77,824 2004-07-14 15:19:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\QuickTime\qttask.exe

-c--a-w 26,112 2004-07-14 15:19:25 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Real\RealPlayer\RealPlay.exe

----a-w 380,928 2003-12-10 09:52:40 C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe

-c--a-w 249,856 2004-05-12 21:22:52 C:\WINDOWS\SYSTEM32\bak\keyhook.exe

----a-w 192,578 2007-09-30 19:09:59 C:\WINDOWS\SYSTEM32\bak\swinrmdt.exe
----a-w 28,172 2007-10-03 22:56:26 C:\WINDOWS\SYSTEM32\swinrmdt.exe

-c--a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
----a-w 28,172 2007-10-03 22:56:26 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41252B78-A95E-4422-AAD2-DBD92BFDB661}]
C:\WINDOWS\System32\ljjgh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-10-03 18:56]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 16:41 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2007-10-03 18:56]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-10-03 18:56]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2007-10-03 18:56]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2007-10-03 18:56]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2007-10-03 18:56]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-10-03 18:56]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2004-07-14 11:19]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2007-10-03 18:56]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2007-10-03 18:56]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe" [2006-01-11 13:05]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2007-10-03 18:56]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2007-10-03 18:56]
"McRegWiz"="C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2007-10-03 18:56]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2007-10-03 18:56]
"SiSPower"="SiSPower.dll" [2006-03-09 03:04 C:\WINDOWS\SYSTEM32\SiSPower.dll]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-03 18:56]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2007-10-03 18:56]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-03 18:56]
"{46-6A-AB-B3-ZN}"="c:\windows\system32\dwdsrngt.exe" [2007-10-21 17:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 16:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2004-07-14 11:18:40]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 23:06:36]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2007-01-29 16:37:06]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2007-07-25 13:50:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 17:02:03
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-21 17:07:39 - machine was rebooted
.
--- E O F ---


QUOTE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:13:49 PM, on 10/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\sistray.exe
c:\windows\system32\dwdsrngt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\SBC LightSpeed Self Support Tool\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41252B78-A95E-4422-AAD2-DBD92BFDB661} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{46-6A-AB-B3-ZN}] c:\windows\system32\dwdsrngt.exe CHD003
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7879 bytes
LS CalamityJane
Oh boy, this is a real mess -
I think that got the Vundo, but you also have a worse problem as you have a trojan downloader (AWF trojan) that has replaced many of your system files with infected copies.

It's no wonder you could not get Ad-Aware to run, and it has infected your McAfee as well. Is your antivirus program outdated or obsolete? It should have caught the AWF trojan that is running.

Please keep this machine off the internet as much as possible except to check here for instructions. Let's proceed to see if we can clean up this mess and get your system back in order.

Please download the following file to your desktop:
http://noahdfear.net/downloads/FindAWF.exe

Double-click FindAWF.exe to start the tool.

Select option 2 by pressing 2 and then Enter. A text file will open (files.txt).
In that files.txt, copy and paste the following list of files to be restored:

"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Apoint\bak\Apoint.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcregwiz.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
"C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
"C:\WINDOWS\SYSTEM32\bak\keyhook.exe"
"C:\WINDOWS\SYSTEM32\bak\swinrmdt.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"


Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log. Copy and paste the contents of that log in your next reply.
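
The AWF section of the ComboFix log earlier in this thread pairs each `bak\` copy with the file now sitting in its place, and every replaced file shows the same size and timestamp. The Python below is an added example, not part of the thread and not FindAWF's or ComboFix's own logic: it parses an excerpt of that section and rebuilds the quoted restore list. The function names and the pairing heuristic are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS
import re
from collections import Counter, namedtuple

# Excerpt of the AWF section from the ComboFix log posted in this thread.
AWF_SECTION = r"""
----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

-c--a-w 155,648 2004-02-02 20:32:16 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 28,172 2007-10-03 22:56:26 C:\Program Files\Apoint\Apoint.exe

-c--a-w 249,856 2004-05-12 21:22:52 C:\WINDOWS\SYSTEM32\bak\keyhook.exe

----a-w 192,578 2007-09-30 19:09:59 C:\WINDOWS\SYSTEM32\bak\swinrmdt.exe
----a-w 28,172 2007-10-03 22:56:26 C:\WINDOWS\SYSTEM32\swinrmdt.exe
"""

Entry = namedtuple("Entry", "attrs size stamp path")

# attributes, size with thousands separators, date and time, full path
LINE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>[A-Za-z]:\\.+)$"
)


def parse_awf(text):
    # Turn each well-formed log line into an Entry; skip blanks and noise.
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            size = int(m["size"].replace(",", ""))
            entries.append(Entry(m["attrs"], size, m["stamp"], m["path"]))
    return entries


def pair_backups(entries):
    # Match every file inside a "bak" folder with the same-named file one
    # directory up. The live side is None when the log has no such line.
    by_path = {ntpath.normcase(e.path): e for e in entries}
    pairs = []
    for e in entries:
        parent = ntpath.dirname(e.path)
        if ntpath.basename(parent).lower() != "bak":
            continue
        live_path = ntpath.join(ntpath.dirname(parent), ntpath.basename(e.path))
        pairs.append((e, by_path.get(ntpath.normcase(live_path))))
    return pairs


def shared_fingerprint(pairs):
    # Unrelated programs should not share one size and one timestamp.
    # Return the (size, stamp) seen on more than one live file, else None.
    counts = Counter((live.size, live.stamp) for _, live in pairs if live)
    if not counts:
        return None
    fingerprint, hits = counts.most_common(1)[0]
    return fingerprint if hits > 1 else None


def restore_list(pairs):
    # Quoted bak paths, in log order, whose live counterpart is missing,
    # carries the shared fingerprint, or differs in size from the backup.
    fingerprint = shared_fingerprint(pairs)
    wanted = []
    for bak, live in pairs:
        if (live is None
                or (live.size, live.stamp) == fingerprint
                or live.size != bak.size):
            wanted.append('"%s"' % bak.path)
    return wanted


if __name__ == "__main__":
    found = pair_backups(parse_awf(AWF_SECTION))
    print("shared fingerprint:", shared_fingerprint(found))
    print("\n".join(restore_list(found)))
```
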



RumikoX3
Oh man...I can't believe this. I dunno how this trojan got past me. I hope it's the only thing that I need to get rid of!

QUOTE
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 10/22/2007
The current time is: 1:09:46.64


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

02/02/2004 04:32 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

07/14/2004 11:19 AM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/12/2004 05:22 PM 249,856 keyhook.exe
09/30/2007 03:09 PM 192,578 swinrmdt.exe
2 File(s) 442,434 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/11/2004 12:43 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004 09:15 PM 290,816 PCMService.exe
1 File(s) 290,816 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

05/12/2004 03:18 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/12/2004 01:38 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 07:29 PM 303,104 mcagent.exe
09/02/2003 04:41 PM 135,168 mcregwiz.exe
01/11/2006 01:05 PM 212,992 mcupdate.exe
3 File(s) 651,264 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

08/08/2003 07:02 PM 122,880 mcmnhdlr.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

04/19/2004 03:45 PM 131,072 mm_tray.exe
04/19/2004 03:45 PM 53,248 mmtask.exe
2 File(s) 184,320 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

07/14/2004 11:19 AM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\SBCLIG~1\SMARTB~1\BAK

12/10/2003 05:52 AM 380,928 MotiveSB.exe
1 File(s) 380,928 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004 02:04 AM 122,933 tfswctrl.exe
1 File(s) 122,933 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 02:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 06:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Feb 2 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Feb 2 2004 "C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE"
155648 Feb 2 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
77824 Jul 14 2004 "C:\Program Files\QuickTime\qttask.exe"
77824 Jul 14 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
249856 May 12 2004 "C:\WINDOWS\SYSTEM32\keyhook.exe"
249856 May 12 2004 "C:\WINDOWS\SYSTEM32\bak\keyhook.exe"
192578 Sep 30 2007 "C:\WINDOWS\SYSTEM32\swinrmdt.exe"
192578 Sep 30 2007 "C:\WINDOWS\SYSTEM32\bak\swinrmdt.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Apr 11 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\PCMService.exe"
290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
241664 May 12 2004 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 May 12 2004 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 12 2004 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 12 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
135168 Sep 2 2003 "C:\Program Files\McAfee.com\Agent\mcregwiz.exe"
135168 Sep 2 2003 "C:\Program Files\McAfee.com\Agent\bak\mcregwiz.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
122880 Aug 8 2003 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
122880 Aug 8 2003 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
53248 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mmtask.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
110592 Mar 7 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
131072 Apr 19 2004 "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak\mm_tray.exe"
26112 Jul 14 2004 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
26112 Jul 14 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\MotiveSB.exe"
380928 Dec 10 2003 "C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak\MotiveSB.exe"
380928 Jan 29 2007 "C:\Program Files\SBC LightSpeed Self Support Tool\vendors\SBC\wwwcache\wt\default\private\content\driven_dev\bin\MotiveSB.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Aug 6 2007 "C:\Program Files\The Keep\jre\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"


end of report
LS CalamityJane
Good job. Give me some time to review this last log before I go on to the next step.

This trojan makes a real mess and it's been a while since I have worked on one infected with it - so I want to be sure everything is in order before proceeding.

Oh, and don't put the logs in your replies with the "quote" tag because it makes it harder to read. Just copy & paste in is fine.

I'll be right back, depending on how long it takes me to analyze all this. I wanted you to know that I was in here reviewing this one now and it may take me a little bit to write up the next steps.
LS CalamityJane
Open FindAWF, select option 3 by pressing 3 and then Enter.
This will open the text file folders.txt.
Copy and paste the next list (shown below in bold) into it:


"C:\Program Files\Apoint\bak"
"C:\Program Files\QuickTime\bak"
"C:\WINDOWS\SYSTEM32\bak"
"C:\Program Files\CyberLink\PowerDVD\bak"
"C:\Program Files\Dell\Media Experience\bak"
"C:\Program Files\HP\hpcoretech\bak"
"C:\Program Files\HP\HP Software Update\bak"
"C:\Program Files\McAfee.com\Agent\bak"
"C:\Program Files\McAfee.com\VSO\bak"
"C:\Program Files\MUSICMATCH\Musicmatch Jukebox\bak"
"C:\Program Files\Real\RealPlayer\bak"
"C:\Program Files\SBC LightSpeed Self Support Tool\SmartBridge\bak"
"C:\WINDOWS\SYSTEM32\dla\bak"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak"
"C:\Program Files\Common Files\Sonic\Update Manager\bak"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak"


Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Copy and paste the contents of that log in your next reply.
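A check that can be run on the FindAWF "Duplicate files of bak directory contents" section before the bak folders are removed, added here as an example (it is not part of the original thread and is not FindAWF's own code). It confirms that every bak copy has a file of the same size and date in the parent folder; the function names are hypothetical, the last three sample lines are constructed to show the failure cases, and matching size and date is only a weak stand-in for comparing file contents.

```python
import ntpath
import re
from collections import namedtuple

Entry = namedtuple("Entry", "size date path")

# One report line looks like: 155648 Feb 2 2004 "C:\Program Files\Apoint\Apoint.exe"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')

# First nine lines are copied from the report in this thread.
# The last three lines are CONSTRUCTED to show a mismatch and a missing original.
SAMPLE_REPORT = r"""
155648 Feb 2 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Feb 2 2004 "C:\DRIVERS\MOUSE\ONBOARD\APOINT.EXE"
155648 Feb 2 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Aug 6 2007 "C:\Program Files\The Keep\jre\bin\jusched.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
28172 Oct 3 2007 "C:\Example\app.exe"
122933 Mar 15 2004 "C:\Example\bak\app.exe"
1000 Jan 1 2004 "C:\Example2\bak\tool.exe"
"""


def parse_report(text):
    """Return an Entry for every 'size date "path"' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, date, path = m.groups()
            entries.append(Entry(int(size), " ".join(date.split()), path))
    return entries


def check_bak_copies(entries):
    """Map each file inside a bak folder to 'match', 'mismatch' or 'missing'.

    The file it is compared against is the same file name one level up,
    i.e. the location the program actually starts from.
    """
    listed = {e.path.lower(): e for e in entries}  # Windows paths: case-insensitive
    results = {}
    for e in entries:
        folder = ntpath.dirname(e.path)
        if ntpath.basename(folder).lower() != "bak":
            continue  # not a bak copy, only a same-named file elsewhere
        expected = ntpath.join(ntpath.dirname(folder), ntpath.basename(e.path))
        current = listed.get(expected.lower())
        if current is None:
            results[e.path] = "missing"    # nothing listed in the parent folder
        elif (current.size, current.date) == (e.size, e.date):
            results[e.path] = "match"      # parent folder holds the same file
        else:
            results[e.path] = "mismatch"   # parent folder holds something else
    return results


def folders_safe_to_remove(results):
    """Return the bak folders in which every file has a matching original."""
    by_folder = {}
    for path, status in results.items():
        by_folder.setdefault(ntpath.dirname(path), []).append(status)
    return sorted(f for f, s in by_folder.items() if all(x == "match" for x in s))


if __name__ == "__main__":
    outcome = check_bak_copies(parse_report(SAMPLE_REPORT))
    for path, status in outcome.items():
        print(f"{status:9} {path}")
    print("safe to list in folders.txt:")
    for folder in folders_safe_to_remove(outcome):
        print(f'  "{folder}"')
```

A folder reported as mismatch or missing still holds the only good copy of that program, so it should not be listed for removal.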
RumikoX3
Alright. Here's the next one.


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/22/2007
The current time is: 14:32:19.41


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
LS CalamityJane
Last step: FindAWF, select option 4 and enter.
When done, Press E then Enter to EXIT.

That step will make some repairs to your registry that is known to be affected by the AWF trojan.

At this point, because you had multiple virus and other infections, I think it would be a good idea to get a full system scan at one of these free online AV scanners - this to get a second opinion of whether or not any infected files remain. I'm not convinced your McAfee is up to date or working properly because it should have caught that AWF infection if it was.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm

If those come up clean, great! If not, please make note of what was found and where and let me know. If you use the Panda ActiveScan, it will create a log at the end you can save and post back here for review.

You may need to uninstall/reinstall your McAfee AV since it was affected by the AWF trojan.

Once you get through that, it would be good to see a fresh HijackThis log and a fresh scan with ComboFix to see what items might remain that need attention.
RumikoX3
Thanks for all the help, Jane.

Here are the new ComboFix and HijackThis logs. The only files that tripped the virus scans were the ones quarantined by ComboFix earlier.


ComboFix 07-10-29.1 - Hollie Zimmerman 2007-10-30 21:56:04.2 - NTFSx86
Running from: C:\Documents and Settings\Hollie Zimmerman\Local Settings\Temporary Internet Files\Content.IE5\D2BUJFAH\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\swinrmdt.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-31 )))))))))))))))))))))))))))))))
.

2007-10-30 21:40 53,248 --a------ C:\Documents and Settings\Hollie Zimmerman\Process.exe
2007-10-30 21:40 11,254 --a------ C:\Documents and Settings\Hollie Zimmerman\locate.com
2007-10-30 21:31 92,208 --a------ C:\WINDOWS\SYSTEM32\WING.DLL
2007-10-30 21:31 12,800 --a------ C:\WINDOWS\SYSTEM\WING32.DLL
2007-10-30 20:41 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-10-30 20:41 <DIR> d-------- C:\WINDOWS\LastGood
2007-10-30 20:37 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 13:06 52,778 --a------ C:\WINDOWS\SYSTEM32\lldsrngo.exe
2007-10-28 21:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Escape From Paradise
2007-10-28 21:09 <DIR> d-------- C:\Program Files\PopCap Games
2007-10-28 00:04 <DIR> d-------- C:\Program Files\Chocolatier
2007-10-24 15:26 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-22 00:09 249,856 --a------ C:\WINDOWS\SYSTEM32\keyhook.exe
2007-10-21 15:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-21 15:13 <DIR> d-------- C:\VundoFix Backups
2007-10-21 14:40 <DIR> d-------- C:\FONTS
2007-10-18 22:51 4,096 --a------ C:\WINDOWS\d3dx.dat
2007-10-18 22:50 <DIR> d-------- C:\Program Files\PlayFirst
2007-10-15 13:39 <DIR> d-------- C:\Program Files\Fish Tycoon
2007-10-12 21:57 141,612 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\dump_wmimmc.sys
2007-10-12 21:56 4,682 --a------ C:\WINDOWS\SYSTEM32\npptNT2.sys
2007-10-07 22:21 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Magic Academy
2007-10-03 15:41 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-02 11:25 <DIR> d-------- C:\Program Files\Plant Tycoon
2007-09-23 19:58 <DIR> d-------- C:\Program Files\Ancient Mosaic
2007-09-23 15:57 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Jane s Hotel
2007-09-22 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-21 20:24 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\Move Networks
2007-09-21 17:24 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-20 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-19 08:41 52,758 --a------ C:\WINDOWS\SYSTEM32\lqdsrngl.exe
2007-09-15 13:16 <DIR> d-------- C:\Documents and Settings\Hollie Zimmerman\Application Data\ForgottenRiddles
2007-09-13 13:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\dbl22
2007-09-13 13:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\cf2
2007-09-13 13:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\capcon
2007-09-11 21:48 <DIR> dr-h----- C:\MSOCache
2007-09-04 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Aveyond I

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 02:11 21,840 -c--atw C:\WINDOWS\SYSTEM32\SIntfNT.dll
2007-10-31 02:11 17,212 -c--atw C:\WINDOWS\SYSTEM32\SIntf32.dll
2007-10-31 02:11 12,067 -c--atw C:\WINDOWS\SYSTEM32\SIntf16.dll
2007-10-29 03:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-28 05:05 --------- d-----w C:\Documents and Settings\Hollie Zimmerman\Application Data\PlayFirst
2007-10-28 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\PlayFirst
2007-10-22 18:32 --------- d-----w C:\Program Files\QuickTime
2007-10-22 18:32 --------- d-----w C:\Program Files\Apoint
2007-10-19 01:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 00:25 5,864 ----a-w C:\Program Files\install.log
2007-10-08 03:18 --------- d-----w C:\Program Files\Shockwave.com
2007-10-03 20:25 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-03 20:17 --------- d-----w C:\Program Files\The Adventure Company
2007-09-22 23:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-09-20 17:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Firefly Studios
2007-09-14 13:25 --------- d--h--w C:\Program Files\Zero G Registry
2007-08-28 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-08-28 19:30 --------- d-----w C:\Program Files\bfgclient
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\SYSTEM32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\SYSTEM32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\SYSTEM32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\SYSTEM32\wucltui.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\SYSTEM32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\SYSTEM32\wups.dll
2007-07-11 23:51 98,304 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2007-02-24 01:50 21,822,168 ----a-w C:\Program Files\AdbeRdr80_en_US.exe
.

((((((((((((((((((((((((((((( snapshot@2007-10-21_17.03.39.84 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-26 14:51:17 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2006-08-24 13:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
- 2007-08-15 05:44:52 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-10-26 00:42:26 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-03-29 14:20:50 110,592 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\as.dll
+ 2006-10-05 21:15:26 233,472 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\ascontrol.dll
+ 2005-06-03 19:03:18 96,256 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\asmdat.dll
+ 2003-08-01 16:00:16 36,864 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\certdll.dll
+ 2005-05-20 18:42:44 86,016 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\instlsp.dll
+ 2006-02-16 23:20:20 4,608 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\memvfile.dll
+ 2005-10-25 23:08:32 348,160 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\msvcr71.dll
+ 2004-05-04 20:01:02 139,264 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavaleas.dll
+ 2006-07-14 18:04:10 45,056 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavdr.exe
+ 2006-04-10 15:50:02 159,832 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavexcom.dll
+ 2006-02-14 18:05:38 94,208 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavinas.dll
+ 2006-02-16 23:35:38 180,224 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavoe.dll
+ 2006-10-05 21:15:38 122,880 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pavpz.dll
+ 2006-06-30 19:13:38 8,704 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pfdnnt.exe
+ 2004-02-04 19:08:42 49,152 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\port32.dll
+ 2006-08-01 18:23:10 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pscpu.dll
+ 2006-08-23 18:06:08 1,388,544 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskahk.dll
+ 2006-08-17 16:38:14 10,752 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskalloc.dll
+ 2006-09-04 16:49:54 61,440 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskas.dll
+ 2006-08-18 13:46:18 779,264 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll
+ 2007-03-26 19:25:34 417,792 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskcmp.dll
+ 2006-08-09 15:42:24 90,112 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskfss.dll
+ 2006-07-19 15:55:58 208,896 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskhtml.dll
+ 2006-01-20 21:57:00 9,728 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskmas.dll
+ 2006-05-17 14:50:12 14,336 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskmdfs.dll
+ 2006-08-16 15:58:12 33,280 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskpack.dll
+ 2006-06-30 19:42:36 266,240 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskscs.dll
+ 2006-08-17 19:33:14 62,976 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskutil.dll
+ 2006-08-08 18:13:10 13,312 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvfile.dll
+ 2006-08-18 13:53:08 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvfs.dll
+ 2006-08-18 13:49:50 167,936 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\pskvm.dll
+ 2007-04-18 22:16:04 353,840 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\psscan.dll
+ 2007-01-22 19:42:48 35,328 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\rawvfile.dll
+ 1997-09-18 11:12:32 9,488 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\sporder.dll
+ 2006-02-28 22:23:40 69,632 ----a-w C:\WINDOWS\SYSTEM32\ActiveScan\tcpvfile.dll
+ 2006-08-02 17:39:06 73,728 ----a-w C:\WINDOWS\SYSTEM32\asuninst.exe
- 2007-10-03 22:56:26 28,172 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2004-03-15 06:04:00 122,933 ----a-w C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
+ 2007-06-11 17:34:00 2,115,816 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 17:34:00 190,696 ----a-w C:\WINDOWS\SYSTEM32\Macromed\Flash\NPSWF32_FlashUtil.exe
- 2007-07-25 03:54:46 53,838 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
+ 2007-10-28 18:33:42 53,838 ----a-w C:\WINDOWS\SYSTEM32\PERFC009.DAT
- 2007-07-25 03:54:47 382,260 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
+ 2007-10-28 18:33:42 382,260 ----a-w C:\WINDOWS\SYSTEM32\PERFH009.DAT
- 2007-10-05 14:07:31 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\SYSTEM32\swreg.exe
+ 2003-03-25 23:53:50 11,776 ----a-w C:\WINDOWS\SYSTEM32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41252B78-A95E-4422-AAD2-DBD92BFDB661}]
C:\WINDOWS\System32\ljjgh.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-02-02 15:32]
"AGRSMMSG"="AGRSMMSG.exe" [2003-11-19 15:41 C:\WINDOWS\AGRSMMSG.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 11:43]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-07-14 10:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-07-14 10:19]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" [2003-08-08 18:02]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2005-09-22 18:29]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 12:05]
"mmtask"="c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 14:45]
"MMTray"="C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-19 14:45]
"Motive SmartBridge"="C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe" [2003-12-10 04:52]
"SiSPower"="SiSPower.dll" [2006-03-09 02:04 C:\WINDOWS\SYSTEM32\SiSPower.dll]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 12:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 14:18]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"{46-6A-AB-B3-ZN}"="C:\windows\system32\lldsrngo.exe" [2007-10-30 13:06]
"McRegWiz"="c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe" [2003-09-02 15:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-11-15 15:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 21:31:38]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 22:06:36]
SBC Self Support Tool.lnk - C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe [2007-01-29 15:37:06]
Utility Tray.lnk - C:\WINDOWS\SYSTEM32\sistray.exe [2007-07-25 12:50:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

S3 NaiFiltr;NaiFiltr;C:\WINDOWS\System32\DRIVERS\NaiFiltr.sys

.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 21:59:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-30 22:01:47
C:\ComboFix2.txt ... 2007-10-21 16:07
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:56 PM, on 10/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\windows\system32\lldsrngo.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41252B78-A95E-4422-AAD2-DBD92BFDB661} - C:\WINDOWS\System32\ljjgh.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCLIG~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{46-6A-AB-B3-ZN}] C:\windows\system32\lldsrngo.exe CHD003
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC LightSpeed Self Support Tool\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Hollie Zimmerman\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8156 bytes



Also, I've been trying to uninstall those 'free AOL trials' that come with some games, and when I removed them my computer stopped using autoplay and autorun for my CD-ROMs. The registry files are all set to allow autorun/autoplay, so I don't understand what's going on. My computer also won't let me reinstall a game I had to remove because the previously installed data got corrupted by something. I'm afraid I may have accidentally removed something when I got rid of the AOL trials. Do you know anyone who can help me?
LS CalamityJane
Open HijackThis and do a *system scan only*

When it finishes, place a checkmark in the boxes next to these entries you see in bold below:

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {41252B78-A95E-4422-AAD2-DBD92BFDB661} - C:\WINDOWS\System32\ljjgh.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [{46-6A-AB-B3-ZN}] C:\windows\system32\lldsrngo.exe CHD003

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...p1.0.0.15-3.cab

O20 - AppInit_DLLs:


When you have those checkmarked, press the *fix checked* button.

Delete this file (if found)
C:\windows\system32\lldsrngo.exe <---- delete file

...................................
You have some old vulnerable versions of Sun Java that should be removed and replaced with the most current version.

Old versions left on your pc, even after updating can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove programs. Remove all old versions of Sun Java.
They will appear in the "J's" something similar to:

j2re1.4.2_05 or

JAVA 2 RUNTIME ENVIRONMENT SE V1.4.2_03

JAVA 2 RUNTIME ENVIRONMENT SE V.14.2_06

(or similar, and there may be more than one. Remove them all)

Then go get the latest up to date version here:
http://www.java.com/en/download/manual.jsp

Here's why removing old versions of Sun Java is important:
Potential Vulnerability with Sun Java auto update
http://www.dslreports.com/forum/remark,14738046

This is a vulnerability in that Sun Java new updated versions do not remove prior vulnerable versions. You will have to remember to do that manually whenever you update your Sun Java.
....................
Let's go back to the FindAWF for a moment just to see if all is cleared out there:

* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT

* Press 1 then press Enter.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

RumikoX3
Here it is:



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/31/2007
The current time is: 12:19:31.97


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
LS CalamityJane
Alrighty then, that's clear - just wanted to verify.

As for what is wrong with your AOL programs uninstall and CD player, I really can't help with that. My area of expertise is in malware removal only.

Hopefully those steps got your Ad-Aware running again?

The AWF trojan may have caused some damage as well. If you continue to have problems it might be best to backup your important and reformat/reinstall the operating system and your software programs.

You desperately need to upgrade to XP SP2 and IE 7 - as your machine is terribly vulnerable to exploit on SP1 and it is no longer being supported by Microsoft (so no patches for vulnerabilities either).

Some final cleanup and prevention recommendations follow.

You can go ahead and delete any special tools we used (VundoFix, FindAWF, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and no need to keep them. You can delete these folders on the hard drive:

C:\Qoobox and
C:\VundoFix Backups

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr
Wait while Windows scans your system for files to delete.
Make sure these 3 are checkmarked and press *ok* to delete them.

Temporary Files
Temporary Internet Files
Recycle Bin

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405
......................
Also, I can't stress enough the importance of having your Windows critical Security Updates. Most malware today uses exploits on unpatched systems to creep onto your system without your even doing anything but visiting an infected webpage!!

Watch what you download, be careful where you surf, and don't trust attachments or even links in email and Instant messages. Even if they come from a buddy, that buddy could be the one infected and it is the virus sending that link from his account. You click on it thinking he is trusted, and *boom* you're infected.
Many "Phishing" attempts are made by cleverly crafted email to look like it is coming from an "official" source (like Microsoft, or your bank, or some other provider). Don't click on links in those. Go directly to the site instead and navigate the menus - don't trust email you think came from a "safe source" unless you are expecting it! There is more in the link I will provide below, but those are the choice avenues of infection these days.
Stay far AWAY from cracks and warez sites - you're sure to get infected files there, and the same can be said for files downloaded from p2p (more than half are usually infected and probably not detectable by your current security software - the newest nasties are always released in those venues).

A word about shared computers and networks.
Share Your PC
http://www.microsoft.com/windowsxp/using/s...hare/intro.mspx
Not all users need to have Admin Accounts. It is much safer to have most of your users on a shared system running as Limited User accounts. That way, if there is "an accident", it will only affect one user's account and not the entire system.

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help.
How do I prevent Browser Hijacks and Spyware?
http://www.dslreports.com/faq/13620

You need to get SP2 installed. That will address numerous security issues in your Operating System and IE.
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
http://update.microsoft.com/microsoftupdate/

And see this link for instructions on how to configure the enhanced security features in SP2:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

I also highly recommend getting the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
http://www.microsoft.com/technet/security/...s/mbsahome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

Also visit this Free Online Scanner from Microsoft for PC Health and Safety
http://safety.live.com/site/en-US/default.htm
and Microsoft Security At Home
http://www.microsoft.com/athome/security/default.mspx
for tips to Protect your PC, Protect yourself and Protect your Family.
LS CalamityJane
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you!