Full Version: My browser keeps getting redirected and pop-ups won't stop!
dotjim40
My computer is so slow and I can't get the pop-ups to stop! Also, wondering if some files are missing because when I open stuff, the flashlight searches for a long time before opening and I am getting a lot of 'page cannot be found'... I am using Ad-Aware SE, Windows Defender, and Spywareblaster... It seems the problems really got worse when I downloaded Spybot so I took it out. Ad-aware found a Trojan 32 virus and quarantined it. Help, please?
dotjim40
I just ran this if anybody can look at it.
I ran one yesterday and may have deleted something I shouldn't have... not sure... but my Yahoo toolbar has been gone for a while now.


Logfile of HijackThis v1.99.1
Scan saved at 7:32:25 AM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ajdhlsfr.dll",setvm
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
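The helper reads the HijackThis log above by eye, looking for the handful of entry types that usually carry the infection on a machine like this one. As an added example (not part of the thread, and not code from HijackThis, Lavasoft or the helper), the script below parses HJT v1.99.1 log lines and flags the same patterns a triager would: an O4 Run entry that uses rundll32.exe to load a short random-named DLL out of system32, ".protected" dotfiles in the Startup folders, O2 BHOs with no name or a missing file, and O20 Winlogon Notify handlers that are not on a small allowlist. The regexes, the "random-looking name" heuristic and the allowlist are assumptions for illustration, and the sample log lines are constructed from the patterns in the posted logs.

```python
"""Triage helper for HijackThis (HJT) v1.99.1 log lines.

Added example; not part of the forum thread nor of the HijackThis tool.
Every heuristic below is an assumption chosen for illustration.
"""
import re
from dataclasses import dataclass

# One HJT line: a section code such as R0, O2, O4, O20, then " - " and the body.
HJT_LINE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

# A DLL/EXE under system32 whose stem is 5-8 lowercase letters (assumed heuristic for
# machine-generated names such as ajdhlsfr.dll); "system32" is matched case-insensitively.
RANDOM_SYS32 = re.compile(r"(?i:system32)\\([a-z]{5,8})\.(?:dll|exe)\b")

# Winlogon Notify handlers expected on a Windows XP box (assumed allowlist, lowercase).
NOTIFY_ALLOWLIST = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample modelled on the log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ajdhlsfr.dll",setvm
O4 - Startup: .protected
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: ursrs - C:\WINDOWS\system32\ursrs.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str):
    """Return a Finding for a suspicious HJT line, or None if it looks benign / is not HJT."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    lower = body.lower()

    if section == "O4":
        # rundll32 is a common loader for randomly named DLLs dropped into system32.
        if "rundll32" in lower and RANDOM_SYS32.search(body):
            return Finding(section, "rundll32 loads random-named DLL from system32", line)
        # A dotfile named ".protected" in a Startup folder is not a normal shortcut.
        if lower.endswith(": .protected") or lower.endswith("\\.protected"):
            return Finding(section, "dotfile in Startup folder", line)
    elif section == "O2":
        # Browser Helper Objects without a product name, or whose file is gone, need a look.
        if "(no name)" in lower or "(file missing)" in lower:
            return Finding(section, "unnamed or missing BHO", line)
    elif section == "O20":
        # Body looks like "Winlogon Notify: <name> - <path>"; compare <name> to the allowlist.
        name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
        if name not in NOTIFY_ALLOWLIST:
            return Finding(section, "Winlogon Notify handler not on allowlist", line)
    return None


def triage_log(text: str):
    """Run triage_line over every line of a pasted HJT log and collect the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

Run against the constructed sample, the script flags four lines (the unnamed BHO, the DllRunning rundll32 entry, the .protected Startup entry and the ursrs Winlogon Notify handler) and leaves the Yahoo! BHO, Windows Defender and WgaLogon lines alone. The allowlist and name heuristic are deliberately narrow: a flagged line is a prompt for a human to check the file's signature and origin, as the helper does in this thread, not a verdict.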
HJThis
Hello, dotjim40 & Welcome

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter.
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

Please do not run any other options until you are asked to do so.


Gogo
dotjim40
SmitFraudFix v2.142

Scan done at 21:55:15.68, Sun 02/18/2007
Run from C:\Documents and Settings\Diana\Local Settings\Temporary Internet Files\Content.IE5\SHMFGPEB\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Diana


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Diana\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\DIANA\STARTM~1\PROGRAMS\STARTUP\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\.protected FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DIANA\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
HJThis
Hello, dotjim40 & Welcome

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

Reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

When back in Normal Mode, click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Please post the new rapport.txt log along with a new HijackThis log in your next reply.


Gogo
dotjim40
Logfile of HijackThis v1.99.1
Scan saved at 6:36:14 AM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\My Documents\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

SmitFraudFix v2.142

Scan done at 6:08:09.93, Tue 02/20/2007
Run from C:\Documents and Settings\Diana\Local Settings\Temporary Internet Files\Content.IE5\SHMFGPEB\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\.protected Deleted
C:\DOCUME~1\DIANA\STARTM~1\PROGRAMS\STARTUP\.protected Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
HJThis
Hi, dotjim40

Feedback please: is the PC doing any better now, or is it the same?

Gogo
dotjim40
Yes, I have actually noticed a difference, thx... my pages are loading faster and that's cool, but I am still getting those aggravating pop-ups every time I go to a different site or change my screen.

And this is weird.... when I connect to the internet, and my homepage is up and loaded, and click to go to another page, I get a box telling me I'm working offline and I have to click on the 'connect' button to go on... plus there's a little red thing in my status bar and when I point to it, it says, "You are currently working offline"... wonder why it doesn't know that I'm already online?

Is there a good program that will stop the pop-ups? My Yahoo toolbar got deleted (I guess because it's gone); should I download it again... would that pop-up blocker help, or is there a better one?

And should I set my computer to delete temp. internet files each time I get off my computer? Is it the cookies causing the problem?

So after looking at my reports, curious what my problem was and wondering if I've got any files missing. Thanks, Dot
HJThis
Hi, dotjim40

Please show me a new HijackThis logfile, and also run this tool and show me the log.


Please download ComboScan by Deckard and save it to your desktop:

*Close all applications and windows (including this one).
*Double-click on comboscan.exe to run it, and follow the prompts.
*When the scan is complete, a text file will open – ComboScan.txt.
*Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) the contents of ComboScan.txt in your next reply.
*A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
*Please attach Supplementary.txt to your post.

Note: Some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.


Gogo
dotjim40
ComboScan v20070212.14 run by Diana on 2007-02-20 at 21:42:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as Diana.com) --------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:51:39 PM, on 2/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Documents and Settings\Diana\Desktop\comboscan.exe
C:\DOCUME~1\Diana\LOCALS~1\Temp\~zkozdqi.tmp\Diana.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {F3749006-A528-4D79-A31C-EC3EBF82469A} - C:\WINDOWS\system32\ursrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: ursrs - C:\WINDOWS\system32\ursrs.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winujy32 - C:\WINDOWS\SYSTEM32\winujy32.dll
O20 - Winlogon Notify: wvuvvvt - C:\WINDOWS\SYSTEM32\wvuvvvt.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe


-- HijackThis Fixed Entries (C:\My Documents\HiJackThis\backups\) ---------------

backup-20070117-180646-986 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070117-180646-903 O4 - HKLM\..\Run: [MyRegistryCleaner] C:\Program Files\PCSecurityShield\MyRegistryCleaner\MyRegistryCleaner.exe
backup-20070117-180646-683 O4 - HKLM\..\Run: [{1D131807-01C0-1033-0801-019809220001}] "C:\Program Files\Common Files\{1D131807-01C0-1033-0801-019809220001}\Update.exe" mc-110-12-0000272
backup-20070117-180646-892 O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvsej.dll,startup
backup-20070117-180646-715 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\jyaiwcdq.dll",setvm
backup-20070117-180646-654 O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
backup-20070117-180646-853 O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcsdr.exe"
backup-20070117-180646-522 O4 - HKLM\..\Run: [PAS_Check] C:\Program Files\SystemDoctor 2006 Free\pasmon.exe
backup-20070117-180646-515 O4 - HKCU\..\Run: [fkii] C:\Program Files\Common Files\fkii\fkiim.exe
backup-20070117-180646-269 O4 - HKCU\..\Run: [SysProtect Free] "C:\Program Files\SysProtect Free\USYP.exe" /scan
backup-20070118-110715-323 O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
backup-20070119-072505-412 O2 - BHO: (no name) - {07C58251-16B2-461D-BF2E-70FE4408984B} - C:\WINDOWS\system32\tuvuv.dll (file missing)
backup-20070119-072505-419 O2 - BHO: (no name) - {636FDD5F-733F-4298-A040-D00DE298A73E} - C:\WINDOWS\system32\urqpp.dll (file missing)
backup-20070119-072505-233 O2 - BHO: (no name) - {664A7BBA-92C4-4086-8B63-D029A149629E} - C:\WINDOWS\system32\hggdeee.dll (file missing)
backup-20070119-072505-323 O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\spoybkxy.dll (file missing)
backup-20070119-072505-522 O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
backup-20070119-072505-191 O2 - BHO: (no name) - {BF4A0D33-E0B2-47F3-82E8-EECC65CE9161} - C:\WINDOWS\system32\xxwxu.dll (file missing)
backup-20070119-072505-512 O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll (file missing)
backup-20070119-072505-266 O20 - Winlogon Notify: winujy32 - C:\WINDOWS\SYSTEM32\winujy32.dll
backup-20070119-080716-826 O20 - Winlogon Notify: winujy32 - C:\WINDOWS\SYSTEM32\winujy32.dll
backup-20070203-012411-380 O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
backup-20070217-020304-192 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
backup-20070217-020304-129 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20070217-020304-800 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
backup-20070217-020304-729 R3 - URLSearchHook: (no name) - {824D5E9D-E925-9AA0-5522-EC1BC602419F} - (no file)
backup-20070217-020304-544 O4 - HKLM\..\Run: [gzobbsd.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Diana\Local Settings\Application Data\gzobbsd.dll",rmslxdg
backup-20070217-020304-195 O4 - HKLM\..\Run: [{1D131807-01C0-1033-0801-019809220001}] "C:\Program Files\Common Files\{1D131807-01C0-1033-0801-019809220001}\Update.exe" mc-110-12-0000272
backup-20070217-020304-746 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\fefxpvif.dll",setvm
backup-20070217-020304-945 O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
backup-20070217-020304-807 O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
backup-20070217-020304-186 O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
backup-20070217-020304-149 O4 - HKCU\..\Run: [Cbhm] "C:\WINDOWS\system32\SSEMBL~1\wuauclt.exe" -vt ndrv
backup-20070217-020304-579 O4 - HKCU\..\Run: [Hzbytbds] "\mmc.exe" 99001162
backup-20070217-020307-525 O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
backup-20070217-020304-282 O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
backup-20070217-020310-558 O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
backup-20070217-020314-379 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20070217-020320-391 O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...wlscbase969.cab
backup-20070217-020326-506 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1160742980006
backup-20070217-020330-879 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1155845409120
backup-20070217-020333-908 O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
backup-20070217-020333-182 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 AgereSoftModem (Agere Systems Soft Modem) - System32\DRIVERS\AGRSM.sys
3 atirage3 - System32\DRIVERS\atimpae.sys
3 CA561 (EZCam III) - System32\Drivers\SPCA561.SYS
3 CCDECODE (Closed Caption Decoder) - System32\DRIVERS\CCDECODE.sys
3 cwbmidi_device (Crystal WDM MPU-401 UART Driver) - system32\drivers\cwbmidi.sys
3 cwbwdm_device (Crystal WDM Audio Codec Driver) - system32\drivers\cwbwdm.sys
3 DCamUSBSQTECH (Dual-Mode DSC(2770)) - System32\Drivers\SQcaptur.sys
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - System32\DRIVERS\el90xbc5.sys
0 FOPN - System32\Drivers\FOPN.sys

3 HSFHWBS2 - System32\DRIVERS\HSFHWBS2.sys
3 HSF_DP - System32\DRIVERS\HSF_DP.sys
2 mdmxsdk - System32\DRIVERS\mdmxsdk.sys
3 MODEMCSA (Unimodem Streaming Filter Device) - system32\drivers\MODEMCSA.sys
3 MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - system32\drivers\MSTEE.sys
3 NABTSFEC (NABTS/FEC VBI Codec) - System32\DRIVERS\NABTSFEC.sys
3 NdisIP (Microsoft TV/Video Connection) - System32\DRIVERS\NdisIP.sys
1 OMCI - \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS
3 ROOTMODEM (Microsoft Legacy Modem Driver) - System32\Drivers\RootMdm.sys
3 SLIP (BDA Slip De-Framer) - System32\DRIVERS\SLIP.sys
3 StillCam (Still Serial Digital Camera Driver) - System32\DRIVERS\serscan.sys
3 streamip (BDA IPSink) - System32\DRIVERS\StreamIP.sys
3 usbprint (Microsoft USB PRINTER Class) - system32\DRIVERS\usbprint.sys
3 usbscan (USB Scanner Driver) - System32\DRIVERS\usbscan.sys
3 VRcore - System32\DRIVERS\VRcore.sys
3 VRFIL - \??\C:\WINDOWS\system32\drivers\VRFIL.SYS
1 vspf - \??\C:\WINDOWS\system32\drivers\vspf5.sys

1 vspf_hk - \??\C:\WINDOWS\system32\drivers\vspf_hk5.sys

3 winachsf - System32\DRIVERS\HSF_CNXT.sys
4 WS2IFSL (Windows Socket 2.0 Non-IFS Service Provider Support Environment) - \SystemRoot\System32\drivers\ws2ifsl.sys
3 WSTCODEC (World Standard Teletext Codec) - System32\DRIVERS\WSTCODEC.SYS


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2 Bonjour Service - "C:\Program Files\Bonjour\mDNSResponder.exe"
4 COM+ Messages - "C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272
2 LexBceS (LexBce Server) - C:\WINDOWS\system32\LEXBCES.EXE
2 vrmonsvc (ViRobot Expert Monitoring) - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
2 WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"


-- Scheduled Tasks --------------------------------------------------------------

2007-02-20 21:12:30 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>


-- Files created between 2007-01-20 and 2007-02-20 ------------------------------

2007-02-19 22:17:46 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-02-18 21:57:05 1250 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-18 17:27:24 0 d--hs---- C:\FOUND.004
2007-02-18 16:26:16 2416 --a------ C:\Documents and Settings\Diana\GetPaths.vbs
2007-02-18 16:07:03 118804 --a------ C:\WINDOWS\system32\yqyfftro.dll<Unsigned: n/a>
2007-02-17 05:41:55 1003486 ---hs---- C:\WINDOWS\system32\srsru.ini2<SRSRU~1.INI>
2007-02-17 05:28:18 0 d--hs---- C:\FOUND.003
2007-02-16 21:17:37 76412 --a------ C:\WINDOWS\system32\tdiehxid.dll<Unsigned: n/a>
2007-02-16 18:09:19 0 d-------- C:\Documents and Settings\Diana\Application Data\Sun
2007-02-16 17:25:22 44177 --a------ C:\WINDOWS\system32\rhwoyvsj.dll<Unsigned: n/a>
2007-02-16 17:24:59 76412 --a------ C:\WINDOWS\system32\rlerpaas.dll<Unsigned: n/a>
2007-02-16 14:00:38 88340 --a------ C:\WINDOWS\system32\fnhlggxx.exe<Unsigned: n/a>
2007-02-16 14:00:23 44177 --a------ C:\WINDOWS\system32\dykehopi.dll<Unsigned: n/a>
2007-02-16 13:59:58 76412 --a------ C:\WINDOWS\system32\jmgyckfc.dll<Unsigned: n/a>
2007-02-16 13:23:21 0 d-------- C:\Documents and Settings\Diana\Shared
2007-02-16 13:23:20 0 d-------- C:\Documents and Settings\Diana\Incomplete<INCOMP~1>
2007-02-16 12:25:12 0 d-------- C:\Program Files\Java
2007-02-16 11:40:55 0 d-------- C:\Program Files\Common Files\Java
2007-02-16 08:56:11 0 d-------- C:\Program Files\Google
2007-02-15 07:13:54 0 d-------- C:\Documents and Settings\Diana\Application Data\InterTrust<INTERT~1>
2007-02-15 05:47:52 0 d--hs---- C:\FOUND.002
2007-02-15 03:09:20 0 d--hs---- C:\FOUND.001
2007-02-15 02:23:01 44165 --a------ C:\WINDOWS\system32\smojcqkc.dll<Unsigned: n/a>
2007-02-14 22:49:15 0 d-------- C:\Program Files\Common Files\{1D131807-01C0-1033-0801-019809220001}<{1D131~1>
2007-02-14 22:05:46 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiVirus Pro 2006<WINANT~1>
2007-02-14 22:05:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-02-14 20:44:57 44544 --a------ C:\WINDOWS\system32\hticons.dll<Signed: Hilgraeve, Inc.>
2007-02-14 20:43:26 347136 --a------ C:\WINDOWS\system32\hypertrm.dll<Signed: Hilgraeve, Inc.>
2007-02-11 09:07:20 0 d--hs---- C:\FOUND.000
2007-02-10 12:05:46 1636 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-02-09 08:06:51 118804 --a------ C:\WINDOWS\system32\fefxpvif.dll<Unsigned: n/a>
2007-02-09 08:06:28 76412 --a------ C:\WINDOWS\system32\fkqvfrhe.dll<Unsigned: n/a>
2007-02-08 08:06:52 88340 --a------ C:\WINDOWS\system32\vjbtpjun.exe<Unsigned: n/a>
2007-02-08 08:06:04 118804 --a------ C:\WINDOWS\system32\vbfpxqaf.dll<Unsigned: n/a>
2007-02-08 08:06:02 997156 ---hs---- C:\WINDOWS\system32\srsru.bak2<SRSRU~3.BAK>
2007-02-07 00:24:44 0 d-------- C:\Program Files\Windows Media Connect 2<WI4DF6~1>
2007-02-07 00:16:24 0 d-------- C:\52142d32b697646f6bf624<52142D~1>
2007-02-06 23:28:21 0 d-------- C:\WINDOWS\system32\LogFiles
2007-02-06 23:28:21 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-02-06 20:42:20 155648 ---h----- C:\Program Files\Common Files\svchost.exe<Unsigned: n/a>
2007-02-06 19:34:37 94720 --a------ C:\WINDOWS\system32\nzfmsbh.dll<Unsigned: n/a>
2007-02-06 19:34:18 22645 ---hs---- C:\WINDOWS\system32\vtuvutt.dll<Unsigned: n/a>
2007-02-06 11:07:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy<SPYBOT~1>
2007-02-06 09:57:37 118804 --a------ C:\WINDOWS\system32\uoffiiac.dll<Unsigned: n/a>
2007-02-06 09:57:09 974781 ---hs---- C:\WINDOWS\system32\srsru.bak1<SRSRU~2.BAK>
2007-02-06 09:54:12 277193 ---hs---- C:\WINDOWS\system32\ursrs.dll<Unsigned: n/a>
2007-02-06 09:48:56 22645 ---hs---- C:\WINDOWS\system32\wvuvvvt.dll<Unsigned: n/a>
2007-02-05 19:17:12 262144 --ah----- C:\Documents and Settings\jimbeaux\ntuser.dat
2007-02-05 19:14:38 0 d--hs---- C:\wa6p
2007-02-05 19:13:00 0 dr-h----- C:\Documents and Settings\jimbeaux\Application Data\yahoo!
2007-02-05 19:12:59 0 d--h----- C:\Documents and Settings\jimbeaux\Application Data\GTek
2007-02-05 19:12:59 0 d-------- C:\Documents and Settings\jimbeaux\Application Data\AdobeUM
2007-02-05 19:12:59 0 d-------- C:\Documents and Settings\jimbeaux\Application Data\Adobe
2007-02-05 19:12:58 0 d---s---- C:\Documents and Settings\jimbeaux\UserData
2007-02-05 19:11:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2007-02-05 11:51:11 0 d-------- C:\Ontrack
2007-02-05 11:34:47 0 d-------- C:\Documents and Settings\Diana\Application Data\Ontrack
2007-02-05 11:28:10 0 d-------- C:\Program Files\Ontrack
2007-02-04 23:51:12 974660 ---hs---- C:\WINDOWS\system32\kklnn.bak1<KKLNN~2.BAK>
2007-02-04 23:48:25 277232 ---hs---- C:\WINDOWS\system32\nnlkk.dll<Unsigned: n/a>
2007-02-04 23:43:14 22555 ---hs---- C:\WINDOWS\system32\fccbyaa.dll<Unsigned: n/a>
2007-02-04 21:54:08 433 ---hs---- C:\WINDOWS\system32\knqss.ini2<KNQSS~1.INI>
2007-02-04 19:14:30 974620 ---hs---- C:\WINDOWS\system32\knqss.bak1<KNQSS~2.BAK>
2007-02-03 09:02:09 6029312 --a------ C:\Documents and Settings\Diana\ntuser.dat
2007-02-03 01:40:44 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-01-30 06:27:12 0 d-------- C:\Documents and Settings\Diana\Application Data\ICQ Toolbar<ICQTOO~1>
2007-01-29 09:14:44 71168 --a------ C:\WINDOWS\system32\cvrlzyd.dll<Unsigned: n/a>
2007-01-29 09:14:43 94208 --a------ C:\WINDOWS\system32\gzobbsd.dll<Unsigned: n/a>
2007-01-26 14:39:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe(2)


-- Find3M Report ----------------------------------------------------------------

2007-02-20 18:40:30 1964 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-02-07 22:59:48 2 --a------ C:\WINDOWS\system32\wapisvtr.exe<Unsigned: n/a>
2007-01-19 09:16:36 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-01-18 18:42:48 24576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe<VUNDOF~1.EXE><Unsigned: Atribune.org>
2007-01-18 18:00:54 974373 ---hs---- C:\WINDOWS\system32\uxwxx.bak1<UXWXX~2.BAK>
2007-01-18 17:39:04 76412 --a------ C:\WINDOWS\system32\qssvyrix.dll<Unsigned: n/a>
2007-01-18 16:13:06 277044 ---hs---- C:\WINDOWS\system32\wvwtt.dll<Unsigned: n/a>
2007-01-17 11:19:58 0 d-------- C:\Documents and Settings\Diana\Application Data\Lavasoft
2007-01-17 11:18:38 0 d-------- C:\Program Files\Lavasoft
2007-01-17 09:16:54 76412 --a------ C:\WINDOWS\system32\qkpnyjhk.dll<Unsigned: n/a>
2007-01-16 11:17:06 0 d-------- C:\Program Files\Common Files\fkii
2007-01-15 12:06:46 17920 --a------ C:\WINDOWS\system32\winujy32.dll<Unsigned: n/a>
2007-01-10 06:47:20 0 d-------- C:\Program Files\Common Files\KODAK
2007-01-07 18:58:28 0 d-------- C:\Program Files\WMV9_VCM
2006-12-31 00:40:56 0 d-------- C:\Program Files\HP
2006-12-03 10:11:08 370 --a------ C:\WINDOWS\ereg077.dat


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AGRSMMSG"="AGRSMMSG.exe"
"CallControl 4.5"="C:\\Program Files\\FaxTalk Communicator\\FTCtrl32.exe /autoload"
"VrProxyc"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrproxyc.exe"
"VrProxyd"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrproxyd.exe"
"VrSchedule"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\Vrres.exe"
"Vrmon"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrmonnt.exe Main"
"VrBootScan"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\VRBScan.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{664A7BBA-92C4-4086-8B63-D029A149629E}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{563AF8EA-5807-4FBC-A58E-ED7D9838F9C7}"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"svchost.exe"="C:\\WINDOWS\\svchost.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrs
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winujy32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuvvvt

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VRFIL


-- End of ComboScan: finished at 2007-02-20 at 22:04:33 -------------------------

ComboScan v20070212.14 run by Diana on 2007-02-20 at 21:42:37
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel Pentium II processor
Percentage of Memory in Use: 74%
Physical Memory (total/avail): 191.54 MiB / 48.3 MiB
Pagefile Memory (total/avail): 467.58 MiB / 329.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1996.17 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 5.76 GiB total, 1.11 GiB free.
D: is Fixed (FAT) - 0.22 GiB total, 0.09 GiB free.
E: is CDROM (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntivirusOverride is set.
FirewallOverride is set.

AV: The Shield AntiVirus 2006 vVERSION (HAURI AntiVirus ViRobot) Disabled Outdated


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Diana\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=DOTSCOMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Diana
LOGONSERVER=\\DOTSCOMPUTER
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 5 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0502
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Diana\LOCALS~1\Temp
TMP=C:\DOCUME~1\Diana\LOCALS~1\Temp
USERDOMAIN=DOTSCOMPUTER
USERNAME=Diana
USERPROFILE=C:\Documents and Settings\Diana
windir=C:\WINDOWS
__COMPAT_LAYER=DisableNXShowUI


-- User Profiles ----------------------------------------------------------------

Diana (admin)
jimbeaux
Administrator (new local, admin)


-- Add/Remove Programs ----------------------------------------------------------

-->
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems PCI Soft Modem --> agrsmdel
Bonjour --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E0A96F36-D546-4A2A-BDAA-2A2A578B2C0D} /l1033
Dell ResourceCD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D78653C3-A8FF-415F-92E6-D774E634FF2D}\setup.exe"
FaxTalk Communicator 4.5 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\FaxTalk Communicator\Uninst.isu" -c"C:\Program Files\FaxTalk Communicator\FTUnInUt.dll"
HijackThis 1.99.1 --> C:\My Documents\HiJackThis\HijackThis.exe /uninstall
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
KODAK Camera Connection Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FE117AA8-6CF3-4F2D-96C9-CAE35C309704}\setup.exe"
KODAK One Touch to Better Pictures --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{38FBBBD4-1D2A-4037-A71C-57093B4BA889}\Setup.exe"
KODAK Picture Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{51661BCF-F22A-11D4-82B4-00500494EF5C}\setup.exe"
KODAK Picture Transfer Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F90DA605-4E92-11D4-A319-00104BCAB4AB}\setup.exe"
Little Bear Rainy Day Activities --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Creative Wonders\Little Bear Rainy Day Activities\Uninst.isu"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Windows Media Video 9 VCM --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmv9vcm.inf, Uninstall
My DSC --> C:\Program Files\InstallShield Installation Information\{225af9a1-b556-88d5-94aa-0010b5426419}\setup.exe
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSETUP.EXE -U -IPSCRCTR5K.INF
PrintMaster Gold 3.00 --> c:\pmw\msrun.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
The Shield 2006 Deluxe --> C:\Program Files\The Shield Antivirus\uninst.exe
The Shield AntiVirus 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A891D097-880A-41BB-8F86-A0D09E8D295F}\setup.exe" -l0x9
WebCyberCoach 3.2 Dell --> "C:\Program Files\WebCyberCoach\b_Dell\WCC_Wipe.exe" "WebCyberCoach ext\wtrb" /inf "engine.inf,RealUninstallSection,,4" /infcfg "enginecf.inf,RealUninstallSection,,4"
WebFldrs XP -->
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Safety Scanner --> RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\YAHOO!\COMMON\unyext.exe
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\YAHOO!\COMMON\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v7 --> C:\WINDOWS\system32\regsvr32 /u /s "C:\WINDOWS\cache\YDropper.dll"
Yahoo! Toolbar -->
Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\YAHOO!\COMMON\unyt.exe


-- End of ComboScan: finished at 2007-02-20 at 22:04:33 -------------------------
dotjim40
It looks like the Shield Antivirus 2006 was disabled. My sister just bought that for me in Oct. 2006 and paid for two years so I need to update it and use it (beings it's paid for, don't you think?) Let me know.
It scans every day at 3:00 a.m. but never finds anything wrong (maybe that's why, cause it needs updated... my fault)
Thanks, Dot
HJThis
Hi, dotjim40

Yes, why have it and not use it? And why are you running it at 3 AM???
Anyway, there is a lot more to do here.


Please download VundoFix.exe to your C:\.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

----------------

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found: [image attachment]
If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
[image attachment]
This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously, along with a new HijackThis log in your next reply.

------------------

Then come back here with a new HijackThis logfile, the DrWeb.csv, and also the VundoFix report.txt.


Gogo
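The helper above asks for the DrWeb.csv report, and the Dr.Web CureIt report lines come in a small number of shapes: "infected with NAME - deleted", "infected with NAME - will be cured after reboot", "probably infected with NAME", "is adware program NAME", and "- read error". As an added example that is not part of the original thread and not a Dr.Web or Lavasoft tool, here is a Python triage script that parses such lines and separates what the scanner already handled from what still needs a look: items it only detected, cures deferred to reboot, and read errors on files other than the registry hives and profile files that are normally locked. The sample lines are constructed in that format (the restore-point GUID is a placeholder), the leading ">" is treated as a nested-object marker, and the list of "normally locked" file names is an assumption of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of a Dr.Web CureIt report (not a real log;
# paths are illustrative and {RESTORE-GUID} is a placeholder).
SAMPLE_REPORT = r"""
[Scan path] c:\windows\system32\wldap32.dll
C:\hiberfil.sys - read error
C:\WINDOWS\SYSTEM32\wvwtt.dll infected with Trojan.Virtumod - deleted
C:\WINDOWS\SYSTEM32\qkpnyjhk.dll - read error
C:\WINDOWS\SYSTEM32\winujy32.dll infected with Trojan.Mezzia - will be cured after reboot
>C:\WINDOWS\SYSTEM32\gzobbsd.dll infected with Trojan.DownLoader.based - deleted
C:\WINDOWS\SYSTEM32\config\SAM - read error
C:\Program Files\PrvDef4.0\PrvDef4.0.exe probably infected with BACKDOOR.Trojan
C:\FOUND.000\FILE0015.CHK infected with BAT.Generic - incurable - moved
C:\System Volume Information\_restore{RESTORE-GUID}\RP52\A0042810.exe is adware program Adware.TopSearch
C:\System Volume Information\_restore{RESTORE-GUID}\RP49\A0041723.exe is hacktool program Tool.Prockill
"""

# Files the scanner normally cannot open on a live system (assumed list):
# registry hives under \config\, user hives and the hibernation/page files.
LOCKED_NAMES = {"hiberfil.sys", "pagefile.sys", "ntuser.dat", "ntuser~1.log",
                "usrclass.dat", "usrcla~1.log"}

SCAN_PATH_RE = re.compile(r"^\[Scan path\] ")
READ_ERR_RE = re.compile(r"^(?P<n>>?)(?P<path>.+?) - read error$")
PROBABLY_RE = re.compile(r"^(?P<n>>?)(?P<path>.+?) probably infected with (?P<name>\S+)$")
PROGRAM_RE = re.compile(r"^(?P<n>>?)(?P<path>.+?) is (?P<kind>\w+) program (?P<name>\S+)$")
INFECTED_RE = re.compile(r"^(?P<n>>?)(?P<path>.+?) infected with (?P<name>\S+)(?: - (?P<action>.+))?$")


@dataclass
class Finding:
    path: str
    verdict: Optional[str]  # detection name; None for read errors
    status: str             # deleted / moved / cured / pending reboot / detected only / read error
    nested: bool            # True when the line carried the '>' container marker


def classify_action(action: Optional[str]) -> str:
    """Map the trailing '- ...' part of an 'infected with' line to a status."""
    if action is None:
        return "detected only"
    a = action.lower()
    if "reboot" in a:
        return "pending reboot"
    if "deleted" in a:
        return "deleted"
    if "moved" in a:
        return "moved"
    if "cured" in a:
        return "cured"
    return "other: " + action


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a detection/read-error line, None for anything else."""
    line = line.rstrip()
    if not line or SCAN_PATH_RE.match(line):
        return None
    m = READ_ERR_RE.match(line)
    if m:
        return Finding(m["path"], None, "read error", bool(m["n"]))
    m = PROBABLY_RE.match(line)  # must run before INFECTED_RE, which would also match
    if m:
        return Finding(m["path"], m["name"], "detected only", bool(m["n"]))
    m = PROGRAM_RE.match(line)
    if m:
        return Finding(m["path"], m["name"], "detected only", bool(m["n"]))
    m = INFECTED_RE.match(line)
    if m:
        return Finding(m["path"], m["name"], classify_action(m["action"]), bool(m["n"]))
    return None


def is_expected_locked(path: str) -> bool:
    """True for files that are locked on a running system, so a read error is routine."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    return "\\config\\" in p or name in LOCKED_NAMES


def needs_follow_up(f: Finding) -> bool:
    """Anything the scanner did not finish handling, or could not read for a non-routine reason."""
    if f.status == "read error":
        return not is_expected_locked(f.path)
    return f.status in ("detected only", "pending reboot")


def summarize(report_text: str) -> dict:
    findings = [f for f in (parse_line(l) for l in report_text.splitlines()) if f is not None]
    return {
        "findings": findings,
        "by_status": Counter(f.status for f in findings),
        "follow_up": [f.path for f in findings if needs_follow_up(f)],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    for status, n in sorted(s["by_status"].items()):
        print(f"{status:>15}: {n}")
    print("needs follow-up:")
    for p in s["follow_up"]:
        print("  ", p)
```

The point of the follow-up list is that "deleted" and "moved" are closed items, while a read error on a random-named DLL in system32 is not the same as a read error on SAM: the hive is always locked, the DLL is locked because something has it loaded, which is exactly the situation the reboot-time fix in the helper's instructions is meant to address.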
dotjim40
=============================================================================
Dr.Web® Scanner for Windows v4.33.2 (4.33.2.10060)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2007-02-21, 18:29:06 [DOTSCOMPUTER][Diana]
Command-line: "C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini
Operating system:Windows XP Home Edition x86 (Build 2600), Service Pack 2
=============================================================================
Engine version: 4.33 (4.33.5.10110)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 508 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43375.cdb - 1633 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43374.cdb - 2090 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43373.cdb - 1252 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43372.cdb - 1289 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43371.cdb - 2370 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43370.cdb - 2022 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43369.cdb - 687 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43368.cdb - 1099 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43367.cdb - 1834 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43366.cdb - 4015 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43365.cdb - 1342 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43364.cdb - 1335 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43363.cdb - 1152 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43362.cdb - 1006 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43361.cdb - 878 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43360.cdb - 988 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43359.cdb - 1205 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43358.cdb - 1139 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43357.cdb - 1302 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43356.cdb - 1332 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43355.cdb - 2456 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43354.cdb - 1283 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43353.cdb - 795 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43352.cdb - 2016 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43351.cdb - 941 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43350.cdb - 1020 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43349.cdb - 1008 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43348.cdb - 1096 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43347.cdb - 707 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43346.cdb - 1428 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43345.cdb - 1358 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43344.cdb - 694 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43343.cdb - 1186 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43342.cdb - 744 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43341.cdb - 841 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43340.cdb - 822 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43339.cdb - 1071 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 421 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 840 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43306.cdb - 781 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43305.cdb - 752 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43304.cdb - 793 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43303.cdb - 766 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 772 virus records
[Virus base] C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 177832
Key file: C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0010092936
Registered to: Dr.Web CureIt Project
License key activates: 2007-02-05
License key expires: 2010-02-11

-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00
-----------------------------------------------------------------------------

[Scan path] c:\documents and settings\all users\start menu\programs\startup\desktop.ini
[Scan path] c:\documents and settings\diana\desktop\drweb-cureit.exe
[Scan path] c:\documents and settings\diana\local settings\temp\rarsfx0\_start.exe
[Scan path] c:\documents and settings\diana\local settings\temp\rarsfx0\cureit.exe
[Scan path] c:\documents and settings\diana\start menu\programs\startup\desktop.ini
[Scan path] c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
[Scan path] c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll

*** I took out all of these (DLLs) to make the report shorter ***

c:\windows\system32\winujy32.dll infected with Trojan.Mezzia - will be cured after reboot

[Scan path] c:\windows\system32\wldap32.dll
[Scan path] c:\windows\system32\wlnotify.dll
[Scan path] c:\windows\system32\wmpshell.dll
[Scan path] c:\windows\system32\wpdshext.dll
[Scan path] c:\windows\system32\wshext.dll
[Scan path] c:\windows\system32\wuaucpl.cpl
[Scan path] c:\windows\system32\zipfldr.dll
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 276
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 540 Kb/s
Scan time: 00:02:26
-----------------------------------------------------------------------------

[Scan path] C:\
C:\hiberfil.sys - read error
C:\WINDOWS\SYSTEM32\wvwtt.dll infected with Trojan.Virtumod - deleted
C:\WINDOWS\SYSTEM32\qkpnyjhk.dll - read error
C:\WINDOWS\SYSTEM32\winujy32.dll infected with Trojan.Mezzia - will be cured after reboot
>C:\WINDOWS\SYSTEM32\gzobbsd.dll infected with Trojan.DownLoader.based - deleted
C:\WINDOWS\SYSTEM32\smojcqkc.dll - read error
C:\WINDOWS\SYSTEM32\cvrlzyd.dll infected with Trojan.DownLoader.based - deleted
C:\WINDOWS\SYSTEM32\qssvyrix.dll - read error
C:\WINDOWS\SYSTEM32\rlerpaas.dll - read error
C:\WINDOWS\SYSTEM32\nnlkk.dll infected with Trojan.Virtumod - deleted
>C:\WINDOWS\SYSTEM32\nzfmsbh.dll infected with Trojan.DownLoader.based - deleted
C:\WINDOWS\SYSTEM32\fkqvfrhe.dll - read error
C:\WINDOWS\SYSTEM32\tdiehxid.dll - read error
C:\WINDOWS\SYSTEM32\jmgyckfc.dll - read error
C:\WINDOWS\SYSTEM32\dykehopi.dll - read error
C:\WINDOWS\SYSTEM32\config\SYSTEM - read error
C:\WINDOWS\SYSTEM32\config\SAM - read error
C:\WINDOWS\SYSTEM32\config\DEFAULT - read error
C:\WINDOWS\SYSTEM32\config\SECURITY - read error
C:\WINDOWS\SYSTEM32\config\SOFTWARE - read error
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG - read error
C:\WINDOWS\SYSTEM32\config\SOFTWARE.LOG - read error
C:\WINDOWS\SYSTEM32\config\SYSTEM.LOG - read error
C:\WINDOWS\SYSTEM32\config\DEFAULT.LOG - read error
C:\WINDOWS\SYSTEM32\config\SAM.LOG - read error
C:\Program Files\Common Files\{1D131807-01C0-1033-0801-019809220001}\system.dll infected with Trojan.DownLoader.17039 - deleted
C:\Program Files\PrvDef4.0\PrvDef4.0.exe probably infected with BACKDOOR.Trojan
C:\FOUND.000\FILE0015.CHK infected with BAT.Generic - incurable - moved
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT - read error
C:\Documents and Settings\LocalService\NTUSER~1.LOG - read error
C:\Documents and Settings\LocalService\NTUSER.DAT - read error
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT - read error
C:\Documents and Settings\Diana\NTUSER~1.LOG - read error
C:\Documents and Settings\Diana\ntuser.dat - read error
C:\Documents and Settings\Diana\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\Diana\Local Settings\Application Data\Microsoft\Windows\USRCLASS.DAT - read error
C:\Documents and Settings\Diana\Desktop\Computer Fix Programs\Silent Runners.vbs probably infected with BATCH.Virus
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042839.dll infected with Trojan.DownLoader.based - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042840.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042841.dll infected with Trojan.Virtumod - deleted
>C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042842.dll infected with Trojan.DownLoader.based - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042843.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042807.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042808.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042810.exe is adware program Adware.TopSearch
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042812.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042813.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042814.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042815.exe is adware program Adware.TopSearch
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042816.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042817.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042844.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042824.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042825.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042837.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042838.dll infected with Trojan.DownLoader.based - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042845.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042846.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042847.dll infected with Trojan.DownLoader.17039 - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP40\A0032437.reg infected with Trojan.StartPage.1505 - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP41\A0032498.reg infected with Trojan.StartPage.1505 - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP42\A0034620.exe infected with Trojan.DownLoader.17040 - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP42\A0034626.dll infected with Trojan.DownLoader.17039 - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP42\A0035589.dll infected with Trojan.Juan - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP46\A0036855.ocx probably infected with DLOADER.Trojan
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP46\A0037722.ocx probably infected with DLOADER.Trojan
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP48\A0039714.dll infected with Trojan.Virtumod - deleted
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP49\A0041723.exe is hacktool program Tool.Prockill
C:\VundoFix Backups\jyaiwcdq.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\omdgqmup.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\rawqtllv.exe.bad is adware program Adware.TopSearch
C:\VundoFix Backups\ykijtclx.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\jspmulmw.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\mleahibo.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\fccbyaa.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\fefxpvif.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\fnhlggxx.exe.bad is adware program Adware.TopSearch
C:\VundoFix Backups\uoffiiac.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\ursrs.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\vbfpxqaf.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\vjbtpjun.exe.bad is adware program Adware.TopSearch
C:\VundoFix Backups\vtuvutt.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\wvuvvvt.dll.bad infected with Trojan.Virtumod - deleted
C:\VundoFix Backups\yqyfftro.dll.bad infected with Trojan.Virtumod - deleted

[Scan path] D:\
-----------------------------------------------------------------------------
Scan statistics
-----------------------------------------------------------------------------
Objects scanned: 50223
Infected objects found: 47
Objects with modifications found: 0
Suspicious objects found: 4
Adware programs found: 5
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 1
Objects cured: 0
Objects deleted: 45
Objects renamed: 0
Objects moved: 1
Objects ignored: 0
Scan speed: 14 Kb/s
Scan time: 02:14:27
-----------------------------------------------------------------------------

C:\Program Files\PrvDef4.0\PrvDef4.0.exe - incurable - moved
C:\Documents and Settings\Diana\Desktop\Computer Fix Programs\Silent Runners.vbs - incurable - moved
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042810.exe - incurable - moved
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP52\A0042815.exe - incurable - moved
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP46\A0036855.ocx - incurable - moved
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP46\A0037722.ocx - incurable - moved
C:\System Volume Information\_restore{1A4470FA-8EC5-4097-8F89-B3ACB4ECB8AE}\RP49\A0041723.exe - incurable - moved
C:\VundoFix Backups\rawqtllv.exe.bad - incurable - moved
C:\VundoFix Backups\fnhlggxx.exe.bad - incurable - moved
C:\VundoFix Backups\vjbtpjun.exe.bad - incurable - moved

=============================================================================
Total session statistics
=============================================================================
Objects scanned: 50499
Infected objects found: 48
Objects with modifications found: 0
Suspicious objects found: 4
Adware programs found: 5
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 1
Objects cured: 0
Objects deleted: 45
Objects renamed: 0
Objects moved: 11
Objects ignored: 0
Scan speed: 23 Kb/s
Scan time: 02:16:53
=============================================================================
dotjim40
Logfile of HijackThis v1.99.1
Scan saved at 11:08:24 PM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Diana\Desktop\Computer Fix Programs\drweb-cureit.exe
C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\Diana\LOCALS~1\Temp\RarSFX0\cureit.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {F3749006-A528-4D79-A31C-EC3EBF82469A} - C:\WINDOWS\system32\ursrs.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winujy32 - winujy32.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
dotjim40
I tried to open the DrWeb.csv file after I saved it, but my computer won't open that extension and I don't know which application to choose. I tried to send it as an attachment but couldn't do that either. So I went to the CureIt.log and that file was too big to send, so I took some stuff out (in the [Scan path] section, because there were no notations after any of them) and sent the virus info, because I didn't know what you needed to see. I am sooo sorry, but I just got stuck here - need more instructions.

I don't know where to find the VundoFix report.txt... I did a search for it but nothing showed up. I feel pretty stupid right now.

I run my PCSecurityShield at 3 a.m. because nobody is on here at that time, and it just does its thing and I see it when I get up.
HJThis
Hey, dotjim40

Hmm, Vundo is not playing nice with me. Let's try one more thing here,
and I'm not sure if I asked yet, but how is the PC doing now?


Please download VirtumundoBeGone to your desktop. This needs to be run in Safe Mode.

Restart your computer in Safe Mode.
  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Log in on your usual account.
If you need further assistance with Safe Mode, see Symantec


Doubleclick on VirtumundoBeGone.exe and follow the instructions.

Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.

When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply.

Gogo wink.gif
dotjim40
Sorry this is taking so long... I started a new job Monday and I've been kinda busy. The PC is doing better but still has the annoying pop-ups.


[02/25/2007, 7:43:18] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Diana\Desktop\VirtumundoBeGone.exe" )
[02/25/2007, 7:43:28] - Detected System Information:
[02/25/2007, 7:43:28] - Windows Version: 5.1.2600, Service Pack 2
[02/25/2007, 7:43:28] - Current Username: Diana (Admin)
[02/25/2007, 7:43:28] - Windows is in SAFE mode with Networking.
[02/25/2007, 7:43:28] - Searching for Browser Helper Objects:
[02/25/2007, 7:43:28] - BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[02/25/2007, 7:43:28] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[02/25/2007, 7:43:29] - BHO 3: {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} ()
[02/25/2007, 7:43:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/25/2007, 7:43:29] - Checking for HKLM\...\Winlogon\Notify\wvuvvvt
[02/25/2007, 7:43:29] - Key not found: HKLM\...\Winlogon\Notify\wvuvvvt, continuing.
[02/25/2007, 7:43:29] - BHO 4: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} (Yahoo! IE Services Button)
[02/25/2007, 7:43:29] - BHO 5: {F3749006-A528-4D79-A31C-EC3EBF82469A} ()
[02/25/2007, 7:43:29] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/25/2007, 7:43:29] - Checking for HKLM\...\Winlogon\Notify\ursrs
[02/25/2007, 7:43:29] - Key not found: HKLM\...\Winlogon\Notify\ursrs, continuing.
[02/25/2007, 7:43:29] - Finished Searching Browser Helper Objects
[02/25/2007, 7:43:29] - Finishing up...
[02/25/2007, 7:43:29] - Nothing found! Exiting...
HJThis
Hi, dotjim40

No problem. OK, I think this will help: please go to where you downloaded
VundoFix.exe and right-click on it, then rename it to, say, Fixvundo.exe.
Once you do that, run Fixvundo.exe; it should find all the files and remove them,
or show us all the files to be deleted.

Gogo wink.gif
dotjim40
I'm running it... just hit 'Remove Vundo'? Is there no report?
dotjim40
It said "There were no infected files". The box was empty.
HJThis
Hey, dotjim40

No problem. Show me a new HijackThis logfile so we can move on
to our last steps here.

Gogo wink.gif
dotjim40
Logfile of HijackThis v1.99.1
Scan saved at 1:07:23 PM, on 2/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {F3749006-A528-4D79-A31C-EC3EBF82469A} - C:\WINDOWS\system32\ursrs.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winujy32 - winujy32.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
HJThis
Hey, dotjim40

• Please download and install SUPERAntiSpyware
1. During the installation process, the program will prompt you to download any updates, click Yes
2. After the update process has completed, a dialog box will state: Database definitions have been updated, click OK
3. At the SUPERAntiSpyware Main Menu, click the Preferences button.
4. Click the General and Startup tab, under Start-Up Options, uncheck these two boxes: Start SUPERAntiSpyware when Windows starts and Show SUPERAntiSpyware icon in system tray
5. Click the Hi-Jack Protection tab and, under Home Page Protection, uncheck these two boxes: Display notification when home page changed and Protect home page from being changed. Changes can be made only here.
6. Click Close at the bottom of the page.
7. Exit the program.
Do NOT run SUPERAntiSpyware yet.

------------------

Please print out or copy these instructions to Notepad as the internet will not be available to you at certain points of the removal process (whilst in Safe Mode). If there's anything that you don't understand, ask your question(s) before moving on with the fix.

-----------------

View hidden files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

------------------

Run HijackThis
Scan and, when it finishes, put a check mark only next to the following items (if present):

O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll (file missing)
O2 - BHO: (no name) - {F3749006-A528-4D79-A31C-EC3EBF82469A} - C:\WINDOWS\system32\ursrs.dll (file missing)

O20 - Winlogon Notify: winujy32 - winujy32.dll (file missing)

Close all browsers and any open windows, making sure that only HijackThis is open.
Click Fix Checked
Close HijackThis

-------------------

Restart your computer in Safe Mode.
  1. If the computer is running, shut down Windows, and then turn off the power.
  2. Wait 30 seconds, and then turn the computer on.
  3. Start tapping the F8 key. The Windows Advanced Options Menu will appear. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  4. Ensure that the Safe Mode option is selected.
  5. Press Enter. The computer then begins to start in Safe Mode.
  6. Log in on your usual account.
If you need further assistance with Safe Mode, see Symantec

-------------------

Next, please find and delete the following files/folders (if present):
C:\WINDOWS\system32\wvuvvvt.dll<---This file
C:\WINDOWS\system32\ursrs.dll<---This file
C:\WINDOWS\system32\winujy32.dll<---This file

------------------

Clean out your Temporary Internet files.
Internet Explorer
Close Internet Explorer and close any instances of Windows Explorer.
Click Start -> Control Panel and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Firefox (In case you also have Firefox installed)
Open Firefox and go to Tools -> Options.
Click Privacy in the menu on the left side of the Options window.
Click the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to close the Options window.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

-----------------

• Open the SUPERAntiSpyware program.
1. At the SUPERAntiSpyware Main Menu, under Scan for Harmful Software, click the Scan your Computer button, and the SUPERAntiSpyware Scanner menu will appear.
2. Make sure under Scan Location that your correct hard drive letter is checked. The correct hard drive letter should automatically be checked by default.
3. Under Complete Scan, click Perform Complete Scan.
4. At the bottom, click Next, to start the scan.
NOTE: This scan is very thorough. It will take a while to complete depending on the number of files and folders on the hard drive. Please be patient.
5. Click finish and you will be taken back to the main interface.
6. Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
7. Copy and paste the log into your reply.

• Reboot into Normal Mode.

-------------------

After doing all of the above, come back here with all new logfiles.


Gogo wink.gif
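The three HijackThis entries the helper ticks above (two unnamed O2 BHOs whose DLL is missing, and an O20 Winlogon Notify entry whose DLL is missing) can be selected mechanically. The following is an added example, not code from the forum thread, HijackThis or VirtumundoBeGone: it parses the O2 and O20 lines of a v1.99 log, applies those two rules, and also performs the pairing check VirtumundoBeGone logged earlier in the thread (a Winlogon Notify key named after an unnamed BHO's DLL). The first sample is copied from the log posted above; PAIRED_SAMPLE, the `Finding` type and the function names are my own constructions.

```python
"""Mechanical triage of HijackThis v1.99 log lines for Vundo-style leftovers.

Added example for this thread, not code from the forum, HijackThis or
VirtumundoBeGone. SAMPLE_LOG is copied from the log posted in the thread;
PAIRED_SAMPLE, the Finding type and the function names are constructed.
"""
import re
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the HijackThis log lines posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {563AF8EA-5807-4FBC-A58E-ED7D9838F9C7} - C:\WINDOWS\system32\wvuvvvt.dll (file missing)
O2 - BHO: (no name) - {F3749006-A528-4D79-A31C-EC3EBF82469A} - C:\WINDOWS\system32\ursrs.dll (file missing)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winujy32 - winujy32.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Constructed, hypothetical sample (not from the thread) showing the pairing
# VirtumundoBeGone looks for: a Winlogon Notify key named after the DLL of an
# unnamed BHO that is still present on disk.
PAIRED_SAMPLE = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\example.dll
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll
"""


class Finding(NamedTuple):
    section: str            # HijackThis section the line came from, "O2" or "O20"
    ident: str              # CLSID for a BHO, Notify key name for O20
    path: str               # the DLL path exactly as logged
    reasons: Tuple[str, ...]


_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
_O20 = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def dll_basename(path: str) -> str:
    """Lower-cased file name without the .dll extension, used for pairing."""
    stem = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return stem[:-4] if stem.endswith(".dll") else stem


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O20 entries a helper would tick in HijackThis.

    Rules, in the order the thread applies them:
      * an O2 BHO with "(no name)" is suspicious on its own;
      * any O2 or O20 entry whose DLL is "(file missing)" is a dead
        registration left behind after the file was removed;
      * an O20 Notify key sharing its name with a flagged BHO's DLL is the
        BHO/Winlogon pair Vundo installs, so it is flagged as well.
    """
    bhos: List[Finding] = []
    notifies = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O2.match(line)
        if m:
            reasons = []
            if m["name"] == "(no name)":
                reasons.append("BHO registered without a default name")
            if m["missing"]:
                reasons.append("registered DLL no longer on disk")
            if reasons:
                bhos.append(Finding("O2", m["clsid"], m["path"], tuple(reasons)))
            continue
        m = _O20.match(line)
        if m:
            reasons = []
            if m["missing"]:
                reasons.append("Winlogon Notify DLL no longer on disk")
            notifies.append((m["name"], m["path"], reasons))

    flagged_dlls = {dll_basename(f.path) for f in bhos}
    findings = list(bhos)
    for name, path, reasons in notifies:
        if name.lower() in flagged_dlls:
            reasons.append("Notify key shares its name with a flagged BHO DLL")
        if reasons:
            findings.append(Finding("O20", name, path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_LOG, PAIRED_SAMPLE):
        for f in triage(sample):
            print(f"{f.section:<4} {f.ident:<40} {'; '.join(f.reasons)}")
        print("--")
```

Run against the thread's log the output lists exactly the two CLSIDs and the winujy32 key the helper asked to fix; the second sample shows the pairing rule firing when the BHO DLL is still on disk.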
dotjim40
SUPERAntiSpyware Scan Log
Generated 02/26/2007 at 05:34 PM

Application Version : 3.5.1016

Core Rules Database Version : 3189
Trace Rules Database Version: 1199

Scan type : Complete Scan
Total Scan Time : 01:16:20

Memory items scanned : 189
Memory threats detected : 0
Registry items scanned : 3876
Registry threats detected : 139
File items scanned : 25124
File threats detected : 59

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Services\FOPN
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Type
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Start
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Tag
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Group
HKLM\SYSTEM\CurrentControlSet\Services\FOPN#Overflow
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\blocked
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\blocked#\DEVICE\HARDDISKVOLUME1\WA6P
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\blocked#\DEVICE\HARDDISKVOLUME2\WA6P
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\APPLICATION DATA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\COOKIES
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMP\IS-MNPJE.TMP\_ISETUP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\HISTORY\HISTORY.IE5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\TEMP
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\PCSECURITYSHIELD\SHIELDANTIVIRUS\LOG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WBEM\LOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\O36NO30D
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\KD2RSHEZ
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QVS1MLA7
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\21QPOXA7
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\PCSECURITYSHIELD\SHIELDANTIVIRUS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DATASTORE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DATASTORE\LOGS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\LOCALSERVICE\APPLICATION DATA\NETMON
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\JIMBEAUX
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\DOCUMENTS AND SETTINGS\DIANA
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CONFIG
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE\HARDDISKVOLUME1
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\log#\DEVICE
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security
HKLM\SYSTEM\CurrentControlSet\Services\FOPN\Security#Security
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000\Control
HKLM\SYSTEM\CurrentControlSet\Services\vspf
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnGroup
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Enum#INITSTARTFAILED
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Enum#INITSTARTFAILED
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security#Security
C:\WINDOWS\system32\stera.job

Trojan.NetMon/DNSChange
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#PID
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID
HKLM\SOFTWARE\Microsoft\MSSMGR#OCCUR
C:\WINDOWS\SYSTEM32\WAPISVTR.EXE

Trojan.SysProtect
HKCR\CheckProd.CheckProduct
HKCR\CheckProd.CheckProduct\CLSID
HKCR\CheckProd.CheckProduct\CurVer
HKCR\CheckProd.CheckProduct.1
HKCR\CheckProd.CheckProduct.1\CLSID
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}\1.0
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}\1.0\0
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}\1.0\0\win32
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}\1.0\FLAGS
HKCR\TypeLib\{7EACF70B-302F-4049-AC68-2D62EB43E473}\1.0\HELPDIR
HKCR\AppId\CheckProduct2_1.DLL
HKCR\AppId\CheckProduct2_1.DLL#AppID
HKCR\AppId\{4F5E5D72-C915-4f3b-908B-527D064B0FAA}

Trojan.Downloader-Gen/Win
C:\WINDOWS\SYSTEM32\UNSVCHOSTS.LZMA

Trojan.Downloader-SVCHost/Fake
C:\PROGRAM FILES\COMMON FILES\SVCHOST.EXE

Adware.Tracking Cookie

Logfile of HijackThis v1.99.1
Scan saved at 5:49:01 PM, on 2/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4662F76-4BFA-4EB7-A76C-55F124C5BBC4}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
dotjim40
Did you need any other log files? Let me know if you do. Thx, Dot
HJThis
Hey, dotjim40

Well, how is the PC doing now? Any better, or do you feel there is still some
problem? If so, can I have some feedback on what you think is going on.

Gogo
Invision Power Board © 2001-2010 Invision Power Services, Inc.