
Topic: HijackThis logfile

  1. #11
    Tammy
    Guest

    AW: HijackThis logfile

    I have to leave now,
    will be back later and take a look.

    Cheers,
    Tammy
    Edited by Tammy (01.03.2007 at 16:51)

  2. #12
    Beginner
    Registered since
    28.02.2007
    Posts
    19

    Re: AW: HijackThis logfile

    Attached are results from virustotal scans of the following files

    Files

    C:\WINDOWS\system32\awtur.dll
    C:\WINDOWS\system32\yothpyge.dll
    C:\WINDOWS\system32\jkhif.dll
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\system32\lqygbjli.dll
    C:\WINDOWS\system32\drvcix.dll
    C:\WINDOWS\system32\rutwa.ini
    C:\WINDOWS\system32\rutwa.bak1
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\xxyywtt.dll
    C:\WINDOWS\system32\nvModes.001
    C:\DOCUME~1\dilbert\LOCALS~1\Temp\MAR2.tmp
    C:\DOCUME~1\dilbert\LOCALS~1\Temp\STS7.tmp


    Log Results (including MD5 and SHA1 hashes)

    Code:
    C:\WINDOWS\system32\awtur.dll
    -----------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Spy.Vundo.AF
    AVG	7.5.0.447	02.28.2007	Downloader.Zlob.FC
    BitDefender	7.2	03.01.2007	Adware.Virtumonde.EB
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    Fortinet	2.85.0.0	03.01.2007	suspicious
    Ikarus	T3.1.1.3	03.01.2007	MemScanTrojan.Vundo.AF
    NOD32v2	2085	02.28.2007	probably a variant of Win32/Adware.Virtumonde.O
    Panda	9.0.0.4	02.28.2007	Suspicious file
    Sophos	4.14.0	03.01.2007	Virtumundo
    Symantec	10	03.01.2007	Trojan.Vundo
    VirusBuster	4.3.19:9	03.01.2007	Trojan.DL.Vundo.Gen!Pac.6
    
    Aditional Information
    File size: 281652 bytes
    MD5: 13314d0ae4e9941e9ca0a43f0fa6f47e
    SHA1: 8381dc1ede3b9f79f5ad92139329e225264399f6
    
    C:\WINDOWS\system32\yothpyge.dll
    --------------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/BHO.G.27
    Avast	4.7.936.0	03.01.2007	Win32:BHO-BG
    AVG	7.5.0.447	02.28.2007	Generic3.AWS
    BitDefender	7.2	03.01.2007	Trojan.Juan.F
    CAT-QuickHeal	9.00	03.01.2007	Trojan.BHO.g
    ClamAV	devel-20060426	03.01.2007	Trojan.BHO-19
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    eTrust-Vet	30.6.3444	03.01.2007	Win32/Darksma.W
    Fortinet	2.85.0.0	03.01.2007	suspicious
    F-Secure	6.70.13030.0	03.01.2007	Trojan.Win32.BHO.g
    Ikarus	T3.1.1.3	03.01.2007	Trojan.Win32.BHO.g
    Kaspersky	4.0.2.24	03.01.2007	Trojan.Win32.BHO.g
    Microsoft	1.2204	03.01.2007	Trojan:Win32/Darksma.A
    NOD32v2	2085	02.28.2007	Win32/BHO.NAH
    Norman	5.80.02	03.01.2007	W32/BHO.JB
    Panda	9.0.0.4	02.28.2007	Application/VSToolbar
    Sophos	4.14.0	03.01.2007	Mal/BHO-A
    Sunbelt	2.2.907.0	03.01.2007	VIPRE.Suspicious
    Symantec	10	03.01.2007	Trojan.Vundo
    TheHacker	6.1.6.067	03.01.2007	Trojan/BHO.g
    UNA	1.83	02.28.2007	Trojan.Win32.BHO.B0D9
    VirusBuster	4.3.19:9	03.01.2007	Trojan.BHO.AM
    
    Aditional Information
    File size: 44177 bytes
    MD5: c09035d4f2e99d0b4c7a2ed3d834bb6b
    SHA1: 6858299d45c02f0983651dd6153242f84111b372
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
    
    
    C:\WINDOWS\system32\jkhif.dll
    ------------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Spy.Vundo.AF
    AVG	7.5.0.447	03.01.2007	Downloader.Zlob.FC
    BitDefender	7.2	03.01.2007	Adware.Virtumonde.EB
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    Fortinet	2.85.0.0	03.01.2007	suspicious
    Ikarus	T3.1.1.3	03.01.2007	MemScanTrojan.Vundo.AF
    NOD32v2	2085	02.28.2007	probably a variant of Win32/Adware.Virtumonde.O
    Panda	9.0.0.4	02.28.2007	Suspicious file
    Prevx1	V2	03.01.2007	no virus found
    Sunbelt	2.2.907.0	03.01.2007	no virus found
    Symantec	10	03.01.2007	Trojan.Vundo
    VirusBuster	4.3.19:9	03.01.2007	Trojan.DL.Vundo.Gen!Pac.6
    
    Aditional Information
    File size: 281652 bytes
    MD5: 5c2425f4072660fa696ba8350baaadd5
    SHA1: 3eec84f4f3487d1f17711cb73616f7543d581bba
    
    C:\WINDOWS\system32\unsvchosts.lzma
    -----------------------------------
    NO VIRUS FOUND IN ANY SCANNERS
    
    File size: 911 bytes
    MD5: dc1ee861a643259032cdc03a924a5ad0
    SHA1: 7d9d7d37fcc17fdb71646aee5bb7ff532174716b
    
    C:\WINDOWS\system32\lqygbjli.dll
    ---------------------------------
    FILE NOT FOUND!
    
    
    C:\WINDOWS\system32\drvcix.dll
    ------------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Agent.QT.76
    AVG	7.5.0.447	03.01.2007	Generic3.SQ
    BitDefender	7.2	03.01.2007	Trojan.Agent.QT
    CAT-QuickHeal	9.00	03.01.2007	Trojan.Agent.qt
    DrWeb	4.33	03.01.2007	Trojan.Fakealert.249
    eSafe	7.0.14.0	02.28.2007	Win32.Agent.qt
    eTrust-Vet	30.6.3444	03.01.2007	Win32/Aflac.D
    Ewido	4.0	03.01.2007	Trojan.Agent.qt
    Fortinet	2.85.0.0	03.01.2007	W32/Agent.QT!tr
    F-Secure	6.70.13030.0	03.01.2007	Trojan.Win32.Agent.qt
    Ikarus	T3.1.1.3	03.01.2007	Trojan.Win32.Agent.qt
    Kaspersky	4.0.2.24	03.01.2007	Trojan.Win32.Agent.qt
    Norman	5.80.02	03.01.2007	W32/Agent.BAPF
    Panda	9.0.0.4	02.28.2007	Adware/WinAntivirus2006
    Prevx1	V2	03.01.2007	Malicious
    Sunbelt	2.2.907.0	03.01.2007	Trojan.Win32.Agent.qt
    Symantec	10	03.01.2007	Trojan Horse
    TheHacker	6.1.6.067	03.01.2007	Trojan/Agent.qt
    UNA	1.83	02.28.2007	Trojan.Win32.Agent.8BE4
    VBA32	3.11.2	02.28.2007	Trojan.Win32.Agent.qt
    VirusBuster	4.3.19:9	03.01.2007	Trojan.Agent.SCS
    
    Aditional Information
    File size: 93696 bytes
    MD5: 73bb2cee8a6d4cae30c79d9a63861e33
    SHA1: 99daeb65cea310d9dd9f3dd114f610a57874fd67
    packers: PecBundle, PECompact
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=8fa476621688
    Sunbelt info: Trojan.Win32.Agent.qt is a trojan that steals information from the infected machine and sends the data to a remote website.
    
    C:\WINDOWS\system32\rutwa.ini
    ------------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 1242167 bytes
    MD5: 0212547b71b821989ae67abf0611cac6
    SHA1: 6bb004d190a9483d2bdcafcf5a28bbb289d956d1
    
    C:\WINDOWS\system32\rutwa.bak1
    -------------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 1187870 bytes
    MD5: c597682aeb2809dff7a6929a87fec8ce
    SHA1: b15185b331b14d82fe8702c3ca30078c36f3daec
    
    C:\WINDOWS\system32\tmp.reg
    ----------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 1187870 bytes
    MD5: c597682aeb2809dff7a6929a87fec8ce
    SHA1: b15185b331b14d82fe8702c3ca30078c36f3daec
    
    C:\WINDOWS\system32\xxyywtt.dll
    --------------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Crypt.ULPM.Gen
    AVG	7.5.0.447	03.01.2007	Adware Generic.VMW
    BitDefender	7.2	03.01.2007	MemScan:Adware.VirtuMonde.DY
    CAT-QuickHeal	9.00	03.01.2007	AdWare.Virtumonde.ha (Not a Virus)
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    Fortinet	2.85.0.0	03.01.2007	Adware/VirtuMonde
    Ikarus	T3.1.1.3	03.01.2007	not-a-virus:AdWare.Win32.Virtumonde.ha
    Kaspersky	4.0.2.24	03.01.2007	not-a-virus:AdWare.Win32.Virtumonde.ha
    NOD32v2	2086	03.01.2007	probably a variant of Win32/Genetik
    Norman	5.80.02	03.01.2007	W32/Virtumonde.ERB
    Panda	9.0.0.4	03.01.2007	Spyware/Virtumonde
    Prevx1	V2	03.01.2007	SpywareQuake
    Sophos	4.14.0	03.01.2007	Virtumundo
    Symantec	10	03.01.2007	Trojan.Vundo
    TheHacker	6.1.6.067	03.01.2007	Adware/Virtumonde.ha
    UNA	1.83	02.28.2007	Adware.Virtumonde.D179
    
    Aditional Information
    File size: 26637 bytes
    MD5: b1fdad13f1520d26c53d4729ef58c3dd
    SHA1: 0acb80d9f1839b2d2b6077a9150699b4d432449f
    Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=48f579625186
    
    C:\WINDOWS\system32\nvModes.001
    --------------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 26669 bytes
    MD5: d1b4578aabb628362bc07512d20dc251
    SHA1: c18251065b12247d92d0678baef4586c8ee88a3f
    
    C:\DOCUME~1\dilbert\LOCALS~1\Temp\MAR2.tmp
    -------------------------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 1285 bytes
    MD5: ef66b01be42736be717f67b21f3171cd
    SHA1: 413db39afbba694ec1d9c85aaf938a1aeffff90e
    
    C:\DOCUME~1\dilbert\LOCALS~1\Temp\STS7.tmp
    -------------------------------------------
    NO VIRUS FOUND!
    
    Aditional Information
    File size: 103 bytes
    MD5: 1d057c28cefe291ba4f8bdfafd5e6063
    SHA1: f9e269b0e1903cda1a221de57aa07d4e45fe9040
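
An added example, not part of the original post: a small Python parser for the report layout pasted above, which separates real detections from per-engine "no virus found" rows, flags files the scanner never received, and groups paths whose content is byte-identical. The function names are hypothetical; the sample is an excerpt of the post's own values with the engine rows shortened and the tab separators written as spaces.

```python
import re
from collections import defaultdict

# Excerpt of the report pasted in the post above (engine rows shortened).
# The post separates columns with tabs; the parser accepts any whitespace.
SAMPLE = r"""
C:\WINDOWS\system32\jkhif.dll
------------------------------
AntiVir   7.3.1.38    03.01.2007  TR/Spy.Vundo.AF
Prevx1    V2          03.01.2007  no virus found
Sunbelt   2.2.907.0   03.01.2007  no virus found
Symantec  10          03.01.2007  Trojan.Vundo

Aditional Information
File size: 281652 bytes
MD5: 5c2425f4072660fa696ba8350baaadd5
SHA1: 3eec84f4f3487d1f17711cb73616f7543d581bba

C:\WINDOWS\system32\lqygbjli.dll
---------------------------------
FILE NOT FOUND!

C:\WINDOWS\system32\rutwa.bak1
-------------------------------
NO VIRUS FOUND!

Aditional Information
File size: 1187870 bytes
MD5: c597682aeb2809dff7a6929a87fec8ce
SHA1: b15185b331b14d82fe8702c3ca30078c36f3daec

C:\WINDOWS\system32\tmp.reg
----------------------------
NO VIRUS FOUND!

Aditional Information
File size: 1187870 bytes
MD5: c597682aeb2809dff7a6929a87fec8ce
SHA1: b15185b331b14d82fe8702c3ca30078c36f3daec
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")            # e.g. C:\WINDOWS\...
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")        # third column of a result row
META_RE = re.compile(r"^(File size|MD5|SHA1):\s*(\S+)", re.I)


def parse_report(text):
    """Return one dict per file section of the pasted report."""
    files, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:             # blank line or underline
            continue
        if PATH_RE.match(line):                        # a new file section starts
            cur = {"path": line, "found": True, "detections": {},
                   "clean": [], "size": None, "md5": None, "sha1": None}
            files.append(cur)
            continue
        if cur is None:
            continue
        if line.upper().startswith("FILE NOT FOUND"):
            cur["found"] = False                       # never scanned at all
            continue
        meta = META_RE.match(line)
        if meta:
            key = meta.group(1).lower().replace("file size", "size")
            # Lower-case hashes so they compare equal to tools that print upper case.
            cur[key] = int(meta.group(2)) if key == "size" else meta.group(2).lower()
            continue
        parts = line.split(None, 3)                    # engine, version, date, verdict
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            engine, _version, _date, verdict = parts
            if verdict.lower() == "no virus found":
                cur["clean"].append(engine)            # an engine row, but not a hit
            else:
                cur["detections"][engine] = verdict
    return files


def same_content(files):
    """MD5 -> paths, for hashes that show up under more than one file name."""
    by_md5 = defaultdict(list)
    for f in files:
        if f["md5"]:
            by_md5[f["md5"]].append(f["path"])
    return {h: paths for h, paths in by_md5.items() if len(paths) > 1}


def triage(files):
    """'missing' = not scanned, 'undetected' = scanned without a hit (not proof of clean)."""
    result = {}
    for f in files:
        if not f["found"]:
            result[f["path"]] = "missing"
        elif f["detections"]:
            result[f["path"]] = "detected"
        else:
            result[f["path"]] = "undetected"
    return result


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for path, status in triage(parsed).items():
        print(f"{status:10} {path}")
    for md5, paths in same_content(parsed).items():
        print("identical content:", md5, paths)
```
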

  3. #13
    Tammy
    Guest

    AW: HijackThis logfile

    Hi Calvin,

    I want to ask you to load up these files to get the producers of removers and protection programs actualized to this new malware.
    You may want to visit this URL:
    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    You don't need to register.
    Open a new thread, press the button "New Topic"



    You will get a new window open.
    Please enter your name, your eMail and the subject:
    Trojan Vundo for Atribune
    Enter your threadnumber on our board:
    Code:
    http://forum.hijackthis.de/newreply.php?do=postreply&t=21950
    Now you need to Attach the file from your system.
    Please browse it to your new Thread:

    C:\WINDOWS\system32\awtur.dll
    C:\WINDOWS\system32\xxyywtt.dll


    and attach it to your message.
    Please add this information:
    Code:
    C:\WINDOWS\system32\awtur.dll
    -----------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Spy.Vundo.AF
    AVG	7.5.0.447	02.28.2007	Downloader.Zlob.FC
    BitDefender	7.2	03.01.2007	Adware.Virtumonde.EB
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    Fortinet	2.85.0.0	03.01.2007	suspicious
    Ikarus	T3.1.1.3	03.01.2007	MemScanTrojan.Vundo.AF
    NOD32v2	2085	02.28.2007	probably a variant of Win32/Adware.Virtumonde.O
    Panda	9.0.0.4	02.28.2007	Suspicious file
    Sophos	4.14.0	03.01.2007	Virtumundo
    Symantec	10	03.01.2007	Trojan.Vundo
    VirusBuster	4.3.19:9	03.01.2007	Trojan.DL.Vundo.Gen!Pac.6
    
    Aditional Information
    File size: 281652 bytes
    MD5: 13314d0ae4e9941e9ca0a43f0fa6f47e
    SHA1: 8381dc1ede3b9f79f5ad92139329e225264399f6
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    C:\WINDOWS\system32\xxyywtt.dll
    --------------------------------
    AntiVir	7.3.1.38	03.01.2007	TR/Crypt.ULPM.Gen
    AVG	7.5.0.447	03.01.2007	Adware Generic.VMW
    BitDefender	7.2	03.01.2007	MemScan:Adware.VirtuMonde.DY
    CAT-QuickHeal	9.00	03.01.2007	AdWare.Virtumonde.ha (Not a Virus)
    DrWeb	4.33	03.01.2007	Trojan.Virtumod
    Fortinet	2.85.0.0	03.01.2007	Adware/VirtuMonde
    Ikarus	T3.1.1.3	03.01.2007	not-a-virus:AdWare.Win32.Virtumonde.ha
    Kaspersky	4.0.2.24	03.01.2007	not-a-virus:AdWare.Win32.Virtumonde.ha
    NOD32v2	2086	03.01.2007	probably a variant of Win32/Genetik
    Norman	5.80.02	03.01.2007	W32/Virtumonde.ERB
    Panda	9.0.0.4	03.01.2007	Spyware/Virtumonde
    Prevx1	V2	03.01.2007	SpywareQuake
    Sophos	4.14.0	03.01.2007	Virtumundo
    Symantec	10	03.01.2007	Trojan.Vundo
    TheHacker	6.1.6.067	03.01.2007	Adware/Virtumonde.ha
    UNA	1.83	02.28.2007	Adware.Virtumonde.D179
    Now press the button "post".
    That's it.

    Note: Only authorized users are able to see the uploaded files.
    So please don't worry since you can't see if you succeeded in loading up your file.

    Make us also see your link on TheSpykiller.
    Good job, Calvin! Thanks

    Tammy

  4. #14
    Beginner
    Registered since
    28.02.2007
    Posts
    19

    Re: AW: HijackThis logfile

    Hi Tam,

    Thanks a lot for your patience and help. I have done the needful. The link to thread on spykiller is

    Code:
    http://www.thespykiller.co.uk/forum/index.php?topic=3707.0

    So, what is the protocol of communication moving forward? Should I wait for VundoFix author to reissue a fix incorporating the newly detected files? If so, how do I get hold of that fix (as and when it is completed)?

    Sorry for asking so many questions

    -ck

  5. #15
    Tammy
    Guest

    AW: HijackThis logfile

    No, Calvin, we don't wait for the answer.

    Now we gonna delete these nasty files.


    Please empty now the quarantine-folder of your
    Antivirus.

    Next download and unzip "http://www.downloads.subratam.org/KillBox.zip"
    to your desktop.
    Start it,
    -put a check next to "delete on reboot"
    -Click the button "all files"
    -Click "use dummy"
    -type or copy into the blank line:

    C:\WINDOWS\system32\awtur.dll

    and click the white cross in the red circle.
    "Files will be Removed on Reboot, Do you want to reboot now?"
    Click "no".

    -type or copy into the blank line:

    C:\WINDOWS\system32\xxyywtt.dll

    and click the white cross in the red circle.
    "Files will be Removed on Reboot, Do you want to reboot now?"
    Click "no".

    Repeat this with each of these paths and filenames:

    C:\WINDOWS\system32\yothpyge.dll
    C:\WINDOWS\system32\jkhif.dll
    C:\WINDOWS\system32\unsvchosts.lzma
    C:\WINDOWS\system32\lqygbjli.dll
    C:\WINDOWS\system32\drvcix.dll
    C:\WINDOWS\system32\rutwa.ini
    C:\WINDOWS\system32\rutwa.bak1
    C:\WINDOWS\system32\tmp.reg


    If the last filename is copied/typed in, answer the question for "reboot now" with "yes"

    After rebooting:
    Download
    >>RegSeeker<< to your desktop and open it by double-clicking.
    Click "clean the registry" and "Auto clean".
    Make sure there's a check next to "Backup before Deletion" and run it.

    Next:
    • Please download a trial version of CounterSpy.
    • Update the program online.
    • Now turn off your computer and remove the network cable/phone line from your machine.
    • Reboot your computer into Safe Mode
    • Scan your system with CounterSpy in Safe Mode.
    • Let the program remove everything it finds:
    • Options > remove
    • - when the Scan is finished you can decide for:
    • Ignore
    • Remove
    • Quarantine
    • Please choose Remove and restart your system.
    • Save the logfile.
    • After this restart the scan again
    • if anything was found, choose Remove and restart your
      system. Repeat this, until nothing more is found.
      (The last line in the logfile will look like:
      no spyware found during this scan)
      After this you can stop with scanning.
    • -> Post all(!) CounterSpy logfiles, please.

    At least create and post a new hjt-log, also the lists from filelist.bat.
    (Again in Code-Tags please, thx)

    Cheers,
    Tammy

  6. #16
    Beginner
    Registered since
    28.02.2007
    Posts
    19

    Re: AW: HijackThis logfile

    I am not completely done following the procedure. But I could not help noticing that after running killbox and rebooting, the files e.g. awtur.dll etc are not actually deleted from their locations... is that normal?

  7. #17
    Tammy
    Guest

    AW: HijackThis logfile

    Hi Calvin,

    just follow the instructions please and make me see -if done-
    all requested logfiles.

    Then we will see what happens btw. what's left over.

    Kind regards,
    Tammy

  8. #18
    Beginner
    Registered since
    28.02.2007
    Posts
    19

    Re: AW: HijackThis logfile

    hehehe.. I figured you'd say that

    I have done two CounterSpy in Safe Mode and it has found a couple of things here and there, but there is no mechanism for me to explicitly 'save' the logs (no such option in safe mode)... so I am hoping that it will save it somewhere and upon normal boot, I would be able to see it.. am I missing something here?

    If not, then I plan to do a third scan, in normal environment (no safe mode), but since I have an old laptop, I do not foresee me posting results anytime before EST (GMT-5) evening

    will keep you posted.

  9. #19
    Beginner
    Registered since
    28.02.2007
    Posts
    19

    Re: AW: HijackThis logfile

    ok.. so all the procedures were followed down to the last detail.... I ran CounterSpy scans 3 times (each after a reboot in safe mode) and another scan in safe mode. Attached are logs from KillBox, CounterSpy, HJT and filelist

    Net-net of this whole thing is that there seems to be no change

    KillBox
    Code:
    Pocket Killbox version 2.0.0.648
    Running on Windows XP as dilbert(Administrator)
    was started @ Thursday, March 01, 2007, 9:27 PM
     
    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\awtur.dll
    
     
    # 2 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xxyywtt.dll
    
     
    # 3 [Delete on Reboot]
    Path = C:\WINDOWS\system32\yothpyge.dll
    
     
    # 4 [Delete on Reboot]
    Path = C:\WINDOWS\system32\jkhif.dll
    
     
    # 5 [Delete on Reboot]
    Path = C:\WINDOWS\system32\unsvchosts.lzma
    
     
    # 6 [Delete on Reboot]
    Path = C:\WINDOWS\system32\lqygbjli.dll
    
     
    # 7 [Delete on Reboot]
    Path = C:\WINDOWS\system32\drvcix.dll
    
     
    # 8 [Delete on Reboot]
    Path = C:\WINDOWS\system32\rutwa.ini
    
     
    # 9 [Delete on Reboot]
    Path = C:\WINDOWS\system32\rutwa.bak1
    
    # 10 [Delete on Reboot]
    Path = C:\WINDOWS\system32\tmp.reg
     
    I Rebooted @ 9:31:34 PM
    Killbox Closed(Exit) @ 9:31:50 PM
    __________________________________________________
    CounterSpy Scan#1
    Code:
    - <SBCSThreatEngineResults version="2.2.985.0">
    - <summary scanGUID="{7FBA2989-0776-4809-8F46-F636577BBFB3}" scanDescription="" threatDefinitionVersion="508">
    - <scannerResults>
      <numThreats found="3" ignored="0" /> 
      <numTracesScanned cookies="0" registry="91110" files="81809" folders="6416" processes="602" total="179937" /> 
      <numTracesFound cookies="0" registry="6" files="2" folders="0" processes="0" total="8" /> 
      <dateTimeStampUTC start="2007-03-02T03:38:54" end="2007-03-02T05:09:39" /> 
      </scannerResults>
    - <cleanerResults>
      <numThreats deleted="3" quarantined="0" ignored="0" reportonly="0" total="3" /> 
      <dateTimeStampUTC start="2007-03-02T12:46:03" end="2007-03-02T12:46:08" /> 
      </cleanerResults>
      </summary>
    - <scannerOptions scanAllLocalDrives="true" scanCookies="true" scanProcesses="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndMD5="true" dontCalcMD5="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="1000" vipreOn="true" scanVipreSuspicious="false" scanDerivatives="true">
      <userIncludedPaths /> 
      <userExcludedPaths /> 
      <ignoredThreats /> 
      </scannerOptions>
      <cleanerOptions /> 
    - <threats>
    - <threat id="15196" name="Virtumonde" level="2" category="Adware (General)" type="Adware" quarantineId="{F34861EB-5D4C-4196-8993-1369C2CCC948}" adviseType="3" canQuarantine="true" author="Virtumonde" optionalScan="0" removalType="0" actionRequested="1" cleanerResult="1">
      <authorURL>virtumonde.com</authorURL> 
      <desc>Virtumonde is an adware program that displays pop-up advertisements on the desktop. Virtumonde also downloads other software from various remote servers.</desc> 
      <threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails> 
      <customData /> 
    - <traces>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>Software\Classes\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
      </traces>
      </threat>
    - <threat id="43843" name="EliteMediaGroup" level="3" category="Adware (General)" type="Adware" quarantineId="{1739AE57-E6FD-49B2-82EE-1C1083647A0C}" adviseType="3" canQuarantine="true" author="Elite Media Group" optionalScan="0" removalType="0" actionRequested="1" cleanerResult="1">
      <authorURL>elitemediagroup.net</authorURL> 
      <desc>EliteMedia is an adware applicaton that opens pop-up advertisements on the user's desktop.</desc> 
      <threatAdviceDetails>This is an elevated risk and should be removed or quarantined as it may compromise your privacy and security, make unwanted changes to your computer's settings, and negatively impact your computer's performance and stability.</threatAdviceDetails> 
      <customData /> 
    - <traces>
    - <trace type="4">
      <path>C:\WINDOWS\system32\objsafe.tlb</path> 
      <md5>C74ACEBAE0AE2E5C35428400475ADC29</md5> 
      <fileSize>1760</fileSize> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/SYSTEM32/OBJSAFE.TLB</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/SYSTEM32/OBJSAFE.TLB</key> 
      <valueType>1</valueType> 
      <valueName>.Owner</valueName> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/SYSTEM32/OBJSAFE.TLB</key> 
      <valueType>1</valueType> 
      <valueName>{297DE2B6-509A-4B36-93C5-A65276606900}</valueName> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\SHAREDDLLS</key> 
      <valueType>4</valueType> 
      <valueName>C:\WINDOWS\SYSTEM32\OBJSAFE.TLB</valueName> 
      <valueData /> 
      </trace>
      </traces>
      </threat>
    - <threat id="47589" name="Yazzle Components" level="4" category="Misc (General)" type="Misc" quarantineId="{7F0902D5-5E7A-4CD1-A2F5-518A93F9C855}" adviseType="3" canQuarantine="true" author="Clickspring LLC, Outer Info Network" optionalScan="0" removalType="1" actionRequested="1" cleanerResult="1">
      <authorURL>yazzle.net</authorURL> 
      <desc>Yazzle Components includes software that is used by multiple applications from Clickspring, LLC, the authors of Yazzle applications such as Yazzle Sudoku, Cowabanga and Snowball Wars.</desc> 
      <threatAdviceDetails>This is a moderate risk and should be removed or quarantined as it may negatively impact your privacy and security or make unwanted changes to your computer's settings.</threatAdviceDetails> 
      <customData /> 
    - <traces>
    - <trace type="4">
      <path>C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe</path> 
      <md5>F8C648DA8CD3A526DD6C64E5A2704407</md5> 
      <fileSize>32179</fileSize> 
      </trace>
      </traces>
      </threat>
      </threats>
      </SBCSThreatEngineResults>
    CounterSpy Scan#2

    Code:
    - <SBCSThreatEngineResults version="2.2.985.0">
    - <summary scanGUID="{25614523-E52D-4E07-9F75-E4E070BBE0E2}" scanDescription="" threatDefinitionVersion="508">
    - <scannerResults>
      <numThreats found="1" ignored="0" /> 
      <numTracesScanned cookies="0" registry="91110" files="81820" folders="6419" processes="598" total="179947" /> 
      <numTracesFound cookies="0" registry="0" files="2" folders="0" processes="0" total="2" /> 
      <dateTimeStampUTC start="2007-03-02T12:49:19" end="2007-03-02T14:20:05" /> 
      </scannerResults>
    - <cleanerResults>
      <numThreats deleted="1" quarantined="0" ignored="0" reportonly="0" total="1" /> 
      <dateTimeStampUTC start="2007-03-02T14:43:19" end="2007-03-02T14:43:21" /> 
      </cleanerResults>
      </summary>
    - <scannerOptions scanAllLocalDrives="true" scanCookies="true" scanProcesses="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndMD5="true" dontCalcMD5="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="1000" vipreOn="true" scanVipreSuspicious="false" scanDerivatives="true">
      <userIncludedPaths /> 
      <userExcludedPaths /> 
      <ignoredThreats /> 
      </scannerOptions>
      <cleanerOptions /> 
    - <threats>
    - <threat id="48124" name="VSToolbar" level="4" category="Toolbar" type="Adware" quarantineId="{96D5C3BF-4065-4218-8B56-446A6BDE1557}" adviseType="3" canQuarantine="true" author="Vsolutiions.com / EffectiveBrand Toolbar" optionalScan="0" removalType="1" actionRequested="1" cleanerResult="1">
      <authorURL>vsolutions.ourtoolbar.com / searchcolours.com</authorURL> 
      <desc>VSToolbar is an adware application that installs a browser helper object (BHO) in Internet Explorer.</desc> 
      <threatAdviceDetails>This is a moderate risk and should be removed or quarantined as it may negatively impact your privacy and security or make unwanted changes to your computer's settings.</threatAdviceDetails> 
      <customData /> 
    - <traces>
    - <trace type="5">
      <path>C:\DOCUMENTS AND SETTINGS\DILBERT\APPLICATION DATA\SEARCHTOOLBARCORP</path> 
      </trace>
    - <trace type="5">
      <path>C:\DOCUMENTS AND SETTINGS\DILBERT\APPLICATION DATA\SEARCHTOOLBARCORP\TOOLBAR VISION</path> 
      </trace>
      </traces>
      </threat>
      </threats>
      </SBCSThreatEngineResults>
    CounterSpy Scan#3

    Code:
    - <SBCSThreatEngineResults version="2.2.985.0">
    - <summary scanGUID="{4EAA8856-3DB9-4D85-AC5F-3EBD1173FC32}" scanDescription="" threatDefinitionVersion="508">
    - <scannerResults>
      <numThreats found="0" ignored="0" /> 
      <numTracesScanned cookies="0" registry="91110" files="80933" folders="6354" processes="608" total="179005" /> 
      <numTracesFound cookies="0" registry="0" files="0" folders="0" processes="0" total="0" /> 
      <dateTimeStampUTC start="2007-03-02T14:47:14" end="2007-03-02T16:06:18" /> 
      </scannerResults>
    - <cleanerResults>
      <numThreats deleted="0" quarantined="0" ignored="0" reportonly="0" total="0" /> 
      <dateTimeStampUTC start="" end="" /> 
      </cleanerResults>
      </summary>
    - <scannerOptions scanAllLocalDrives="true" scanCookies="true" scanProcesses="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndMD5="true" dontCalcMD5="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="1000" vipreOn="true" scanVipreSuspicious="false" scanDerivatives="true">
      <userIncludedPaths /> 
      <userExcludedPaths /> 
      <ignoredThreats /> 
      </scannerOptions>
      <cleanerOptions /> 
      <threats /> 
      </SBCSThreatEngineResults>
    CounterSpy Scan#4

    Code:
    - <SBCSThreatEngineResults version="2.2.985.0">
    - <summary scanGUID="{9E0EA500-F0AA-4CEF-9687-249985CE1CA5}" scanDescription="" threatDefinitionVersion="508">
    - <scannerResults>
      <numThreats found="1" ignored="0" /> 
      <numTracesScanned cookies="0" registry="114295" files="80972" folders="6355" processes="2164" total="203786" /> 
      <numTracesFound cookies="0" registry="5" files="1" folders="0" processes="0" total="6" /> 
      <dateTimeStampUTC start="2007-03-02T16:25:19" end="2007-03-02T17:26:09" /> 
      </scannerResults>
    - <cleanerResults>
      <numThreats deleted="1" quarantined="0" ignored="0" reportonly="0" total="1" /> 
      <dateTimeStampUTC start="2007-03-02T17:27:22" end="2007-03-02T17:27:37" /> 
      </cleanerResults>
      </summary>
    - <scannerOptions scanAllLocalDrives="true" scanCookies="true" scanProcesses="true" scanRegistry="true" scanProcessesDeep="true" suspendActiveThreats="true" scanAllUsers="true" useFileNameAndMD5="true" dontCalcMD5="false" scanCommonTactics="true" scanArchives="false" scanKnownFileTypes="false" recursiveFileScan="true" findLowRiskThreats="true" keepScanRecord="true" maxCheckFileLen="6291456" minCheckFileLen="1000" vipreOn="true" scanVipreSuspicious="false" scanDerivatives="true">
      <userIncludedPaths /> 
      <userExcludedPaths /> 
      <ignoredThreats /> 
      </scannerOptions>
      <cleanerOptions /> 
    - <threats>
    - <threat id="15196" name="Virtumonde" level="2" category="Adware (General)" type="Adware" quarantineId="{A29CE4CB-8FAD-4754-AAAF-079A748F443D}" adviseType="3" canQuarantine="true" author="Virtumonde" optionalScan="0" removalType="0" actionRequested="1" cleanerResult="1">
      <authorURL>virtumonde.com</authorURL> 
      <desc>Virtumonde is an adware program that displays pop-up advertisements on the desktop. Virtumonde also downloads other software from various remote servers.</desc> 
      <threatAdviceDetails>This is a high risk and should be removed immediately as it may compromise your privacy and security, make dangerous changes to your computer's settings without your knowledge and consent, or severely degrade your computer's performance and stability.</threatAdviceDetails> 
      <customData /> 
    - <traces>
    - <trace type="4">
      <path>c:\WINDOWS\system32\qqrlfjge.dll</path> 
      <md5>C09035D4F2E99D0B4C7A2ED3D834BB6B</md5> 
      <fileSize>44177</fileSize> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>Software\Classes\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>Software\Classes\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}\InprocServer32</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>Software\Classes\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}\InprocServer32</key> 
      <valueType>1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>Software\Classes\CLSID\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}\InprocServer32</key> 
      <valueType>1</valueType> 
      <valueName>ThreadingModel</valueName> 
      <valueData /> 
      </trace>
    - <trace type="3">
      <hive>HKEY_LOCAL_MACHINE</hive> 
      <key>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{E03C740E-BB24-4D3C-B92A-6F84DE1DD99C}</key> 
      <valueType>-1</valueType> 
      <valueName /> 
      <valueData /> 
      </trace>
      </traces>
      </threat>
      </threats>
      </SBCSThreatEngineResults>
    HJT

    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 2:40:20 PM, on 3/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    C:\Program Files\CounterSpy\SBCSSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\Program Files\Dell\AccessDirect\DadTray.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Google\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\CounterSpy\SBCSTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\NETGEAR\WG111T\wlan111t.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
    C:\Downloads\Hijackthis\VundoFix.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Downloads\Hijackthis\HJT1991.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {148C143A-B9A8-4035-BB25-7E935C1FEC8F} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5D3D6B62-411B-4959-A379-9A467E4F1EDE} - (no file)
    O2 - BHO: (no name) - {601774FD-4B3F-44F0-99E3-B0E4E0146F65} - C:\WINDOWS\system32\xxyywtt.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {AF971BE6-D16F-4CEC-9F6A-8498117D6689} - C:\WINDOWS\system32\awtur.dll
    O2 - BHO: (no name) - {C696655F-3258-4817-8211-7C11AD2CFE86} - (no file)
    O2 - BHO: (no name) - {D0315787-15F7-41F6-8B61-4C0BCCC65BFA} - (no file)
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hevreupe.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Google\Picasa2\PicasaMediaDetector
    O4 - HKLM\..\Run: [TViXNetShare] C:\Program Files\DVICO\TViXNetShare\TViXNetShare.exe
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\CounterSpy\SBCSTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/installer.v4/vet_install_popup.pl?www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com&6&&unknown&unknown&www.viewpoint.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123103279009
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: awtur - C:\WINDOWS\system32\awtur.dll
    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winzun32 - C:\WINDOWS\
    O20 - Winlogon Notify: xxyywtt - C:\WINDOWS\SYSTEM32\xxyywtt.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\CounterSpy\SBCSSvc.exe
    FileList

    Code:
    ----- Root ----------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\
    
    03/02/2007  02:41 PM                43 filelist.txt
    03/02/2007  02:25 PM               184 VundoFix.txt
    03/02/2007  02:06 PM               860 SBCSTray.log
    03/02/2007  12:42 PM       805,306,368 pagefile.sys
    03/01/2007  10:21 PM               211 boot.ini
                  17 File(s)    805,618,873 bytes
                   0 Dir(s)  26,329,587,712 bytes free
     
    ----- System32 ------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\WINDOWS\system32
    
    03/02/2007  02:41 PM         1,242,280 rutwa.ini2
    03/02/2007  02:08 PM                 0 SBFC.dat
    03/02/2007  02:08 PM                 0 SBRC.dat
    03/02/2007  01:01 PM            26,669 nvModes.001
    03/02/2007  01:01 PM            44,177 hevreupe.dll
    03/02/2007  01:00 PM             2,206 wpa.dbl
    03/01/2007  10:36 PM           134,072 FNTCACHE.DAT
    03/01/2007  09:43 PM         1,241,533 rutwa.ini
    03/01/2007  07:53 PM         1,189,942 rutwa.bak2
    03/01/2007  11:18 AM         1,242,167 rutwa.tmp
    02/28/2007  07:53 PM         1,187,870 rutwa.bak1
    02/28/2007  08:57 AM               409 fihkj.ini
    02/28/2007  08:57 AM           281,652 awtur.dll
    02/27/2007  11:50 PM                 0 tmp.txt
    02/27/2007  11:50 PM             3,592 tmp.reg
    02/26/2007  08:50 PM               353 xaccf.ini
    02/26/2007  08:50 PM           281,652 fccax.dll
    02/25/2007  02:30 PM            26,637 rqrrpqp.dll
    02/25/2007  02:29 PM            26,637 xxyywtt.dll
    02/18/2007  08:40 PM           122,436 TZLog.log
    02/10/2007  10:24 AM            24,816 SBBD.exe
    02/07/2007  05:01 PM        12,293,536 MRT.exe
    01/29/2007  03:58 AM            60,416 tzchange.exe
    01/28/2007  07:53 PM           380,918 perfh009.dat
    01/28/2007  07:53 PM            53,166 perfc009.dat
    01/28/2007  07:53 PM           439,552 PerfStringBackup.INI
    01/26/2007  09:54 PM             8,657 jupdate-1.5.0_10-b03.log
    01/23/2007  02:29 PM           546,304 hhctrl.ocx
    01/19/2007  12:53 PM            51,056 sirenacm.dll
    01/12/2007  09:27 AM         1,149,952 urlmon.dll
    01/12/2007  09:27 AM           670,720 mstime.dll
    01/12/2007  09:27 AM           822,784 wininet.dll
    01/12/2007  09:27 AM           458,752 msfeeds.dll
    01/12/2007  09:27 AM           477,696 mshtmled.dll
    01/12/2007  09:27 AM           232,960 webcheck.dll
    01/12/2007  09:27 AM         3,580,416 mshtml.dll
    01/12/2007  09:27 AM           132,608 extmgr.dll
    01/12/2007  09:27 AM            51,712 msfeedsbs.dll
    01/12/2007  09:27 AM         6,054,400 ieframe.dll
    01/12/2007  09:27 AM            27,136 jsproxy.dll
    01/08/2007  07:07 PM           991,232 ieframe.dll.mui
    01/08/2007  07:04 PM           105,984 url.dll
    01/08/2007  07:04 PM           102,400 occache.dll
    01/08/2007  07:03 PM           193,024 msrating.dll
    01/08/2007  07:02 PM         1,823,744 inetcpl.cpl
    01/08/2007  07:02 PM            44,544 iernonce.dll
    01/08/2007  07:02 PM           266,752 iertutil.dll
    01/08/2007  07:02 PM           161,792 ieakui.dll
    01/08/2007  07:02 PM           230,400 ieaksie.dll
    01/08/2007  07:02 PM           153,088 ieakeng.dll
    01/08/2007  07:02 PM           384,000 iedkcs32.dll
    01/08/2007  07:02 PM           383,488 ieapfltr.dll
    01/08/2007  07:01 PM            17,408 corpol.dll
    01/08/2007  07:00 PM           124,928 advpack.dll
    01/08/2007  06:08 PM            56,832 ie4uinit.exe
    01/08/2007  06:08 PM            13,824 ieudinit.exe
    01/01/2007  12:22 AM            26,669 nvModes.dat
                2086 File(s)    419,703,630 bytes
                   0 Dir(s)  26,329,460,736 bytes free
     
    ----- Prefetch ------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\WINDOWS\Prefetch
    
    03/02/2007  02:41 PM            14,086 FIND.EXE-0EC32F1E.pf
    03/02/2007  02:41 PM            55,478 CMD.EXE-087B4001.pf
    03/02/2007  02:40 PM            45,062 NOTEPAD.EXE-336351A9.pf
    03/02/2007  02:40 PM            44,428 HJT1991.EXE-37D4B2E2.pf
    03/02/2007  02:36 PM            75,004 IEXPLORE.EXE-27122324.pf
    03/02/2007  02:33 PM            92,156 FIREFOX.EXE-28641590.pf
    03/02/2007  02:25 PM            24,962 VUNDOFIX.EXE-2A0BCCCA.pf
    03/02/2007  02:14 PM            38,158 WMIPRVSE.EXE-28F301A9.pf
    03/02/2007  02:06 PM            15,318 SBCSTRAY.EXE-009A61D0.pf
    03/02/2007  02:06 PM            44,492 COUNTERSPY.EXE-01F3C9F6.pf
    03/02/2007  01:44 PM            16,810 WUAUCLT.EXE-399A8E72.pf
    03/02/2007  01:36 PM           162,836 VLC.EXE-0FA700AC.pf
    03/02/2007  01:36 PM           100,554 WMPLAYER.EXE-18DDEF9C.pf
    03/02/2007  01:35 PM            18,018 VERCLSID.EXE-3667BD89.pf
    03/02/2007  01:12 PM            25,200 YUPDATER.EXE-3946FDDF.pf
    03/02/2007  01:10 PM            91,044 YAHOOMESSENGER.EXE-06E29CD9.pf
    03/02/2007  01:06 PM            29,522 JUCHECK.EXE-2898019D.pf
    03/02/2007  01:06 PM             9,938 JAVA.EXE-2F9298E6.pf
    03/02/2007  01:04 PM            22,636 HPRBLOG.EXE-16B72A6F.pf
    03/02/2007  01:04 PM            74,392 HPQSTE08.EXE-18A7280B.pf
    03/02/2007  01:03 PM            84,614 HPQIMZONE.EXE-038F0838.pf
    03/02/2007  01:02 PM            19,340 WLAN111T.EXE-36EDC0DA.pf
    03/02/2007  01:02 PM            18,826 OSA.EXE-2CD63980.pf
    03/02/2007  01:02 PM            37,312 HPQTHB08.EXE-060DCF16.pf
    03/02/2007  01:02 PM            14,786 HPQTRA08.EXE-17E37E7E.pf
    03/02/2007  01:02 PM            19,668 READER_SL.EXE-3614FA6E.pf
    03/02/2007  01:02 PM            12,126 MSMSGS.EXE-2B6052DE.pf
    03/02/2007  01:02 PM            22,240 AD-WATCH.EXE-0213DCB0.pf
    03/02/2007  01:02 PM            12,602 CTFMON.EXE-0E17969B.pf
    03/02/2007  01:02 PM             8,992 RUNDLL32.EXE-25C2CF42.pf
    03/02/2007  01:02 PM            27,672 TVIXNETSHARE.EXE-01E9B035.pf
    03/02/2007  01:01 PM            10,954 PICASAMEDIADETECTOR.EXE-26D3CA1A.pf
    03/02/2007  01:01 PM            10,654 IPODSERVICE.EXE-3192DE38.pf
    03/02/2007  01:01 PM            11,082 HPWUSCHD2.EXE-02F6D2DD.pf
    03/02/2007  01:01 PM             9,768 TASKSWITCH.EXE-11390459.pf
    03/02/2007  01:01 PM            23,596 SVCHOST.EXE-3530F672.pf
    03/02/2007  01:01 PM            11,694 APNTEX.EXE-274BD5D6.pf
    03/02/2007  01:01 PM            10,914 DADTRAY.EXE-2443F28E.pf
    03/02/2007  01:01 PM            23,538 IMAPI.EXE-0BF740A4.pf
    03/02/2007  01:00 PM            77,068 EXPLORER.EXE-082F38A9.pf
    03/02/2007  12:57 PM           861,610 Layout.ini
    03/02/2007  12:43 PM            16,264 ALG.EXE-0F138680.pf
    03/02/2007  12:43 PM            28,438 SBCSSVC.EXE-3639D95B.pf
    03/02/2007  12:43 PM            16,634 MCSHIELD.EXE-0848DB5A.pf
    03/02/2007  12:43 PM            55,678 FRAMEWORKSERVICE.EXE-2CAB3CF3.pf
    03/02/2007  12:43 PM            22,160 LSASS.EXE-20DB6D1B.pf
    03/02/2007  12:43 PM            17,818 SERVICES.EXE-2F433351.pf
    03/02/2007  12:43 PM            53,518 WINLOGON.EXE-32C57D49.pf
    03/02/2007  12:43 PM            14,940 CSRSS.EXE-12B63473.pf
    03/02/2007  12:43 PM         2,342,170 NTOSBOOT-B00DFAAD.pf
    03/02/2007  12:27 PM            23,158 REGSVR32.EXE-25EEFE2F.pf
    03/02/2007  11:24 AM            43,062 WORDPAD.EXE-24533991.pf
    03/02/2007  11:15 AM            19,316 SBWSC.EXE-08EFB311.pf
    03/02/2007  11:14 AM            22,110 TASKMGR.EXE-20256C55.pf
    03/02/2007  11:11 AM            64,960 MSCONFIG.EXE-35E4DAE9.pf
    03/01/2007  10:30 PM            30,826 PROCEXP.EXE-124F650B.pf
    03/01/2007  10:22 PM            38,174 MSIEXEC.EXE-2F8A8CAE.pf
    03/01/2007  10:19 PM            21,162 COUNTERSPY.EXE-08E62F32.pf
    03/01/2007  10:17 PM             3,866 SBCSSVCCONTROL.EXE-27798A1A.pf
    03/01/2007  09:54 PM            20,112 REGSEEKER.EXE-35862FF4.pf
    03/01/2007  09:46 PM            62,844 DRWTSN32.EXE-2B4B52AC.pf
    03/01/2007  09:46 PM            11,756 WSCNTFY.EXE-1B24F5EB.pf
    03/01/2007  09:46 PM            85,322 DWWIN.EXE-30875ADC.pf
    03/01/2007  09:38 PM            18,012 KILLBOX.EXE-18382486.pf
    03/01/2007  09:21 PM            74,816 SHCFG32.EXE-329A9B16.pf
    03/01/2007  09:19 PM            39,092 RBSOLNUPDATE.EXE-104A7203.pf
    03/01/2007  09:19 PM            16,282 RBSOLNUPDATEENU.1.9.0.EXE-175F777B.pf
    03/01/2007  09:18 PM            18,560 HPRBUPDATE.EXE-342FA7BD.pf
    03/01/2007  09:16 PM            37,360 MCCONSOL.EXE-0774EF03.pf
    03/01/2007  09:00 PM            87,372 MCSCRIPT.EXE-21121E66.pf
    03/01/2007  09:00 PM            61,006 MCUPDATE.EXE-361E6FD8.pf
    03/01/2007  08:40 PM           114,614 ACRORD32.EXE-13285B88.pf
    03/01/2007  08:38 PM            46,802 AD-AWARE.EXE-18846EB7.pf
    03/01/2007  08:33 PM            15,644 VIRTUMONDE_REMOVER.EXE-23BC551B.pf
    03/01/2007  08:21 PM            27,160 SETUP.EXE-0A2A83C1.pf
    03/01/2007  08:21 PM            23,150 TVIX_NETSHARE_1.08.EXE-1D134258.pf
    03/01/2007  08:21 PM            37,588 SETUP.EXE-04E88CA2.pf
    03/01/2007  08:21 PM            39,104 THUNDERBIRD SETUP 1.5.0.8.EXE-34BC833B.pf
    03/01/2007  10:18 AM            14,766 REGEDIT.EXE-1B606482.pf
    02/28/2007  09:38 PM            42,546 DVDFABPLATINUM.EXE-233AA5C7.pf
    02/28/2007  09:38 PM            12,180 RUNONCE.EXE-2803F297.pf
    02/28/2007  09:38 PM            12,872 EZPINST.EXE-35A77E76.pf
    02/28/2007  09:38 PM            19,412 PCSETUP.EXE-0D8D7EEA.pf
    02/28/2007  09:38 PM            19,504 IS-PQ8EO.TMP-06D983C6.pf
    02/28/2007  09:37 PM            15,634 DVDFAB PLATINUM 3.0.8.0. FULL-3A5E234A.pf
    02/28/2007  09:37 PM            68,158 WINRAR.EXE-39C6DAD9.pf
    02/28/2007  07:44 PM             9,962 VUNDOFIXSVC.EXE-18ADD79E.pf
    02/28/2007  09:02 AM            21,552 MSPAINT.EXE-11CBB631.pf
    02/28/2007  08:58 AM            41,380 HIJACKTHIS.EXE-2EBFC806.pf
    02/28/2007  08:57 AM            39,518 RUNDLL32.EXE-2CD85FD3.pf
    02/28/2007  08:42 AM            20,948 SCNCFG32.EXE-03F817DB.pf
    02/28/2007  08:35 AM            17,868 VUNDOFIX.EXE-293F1E5F.pf
    02/28/2007  08:32 AM           138,392 DUMPREP.EXE-1B46F901.pf
    02/27/2007  11:56 PM            12,324 RUNDLL32.EXE-49A346FD.pf
    02/27/2007  11:55 PM            40,508 HPWUCLI.EXE-2587F620.pf
    02/27/2007  11:54 PM            12,110 RUNDLL32.EXE-1831A4F3.pf
    02/27/2007  11:54 PM            19,054 CONTROL.EXE-013DBFB5.pf
    02/27/2007  11:42 PM            15,496 NOTEPAD.EXE-189578DA.pf
    02/27/2007  11:41 PM            14,810 FINDSTR.EXE-0CA6274B.pf
    02/27/2007  11:41 PM             8,858 SWREG.EXE-1EB1B019.pf
    02/27/2007  11:41 PM             7,372 DUMPHIVE.EXE-2B5148FE.pf
    02/27/2007  11:41 PM             4,388 SRCHSTS.EXE-16BAE72B.pf
    02/27/2007  11:41 PM            23,752 CSCRIPT.EXE-1C26180C.pf
    02/27/2007  11:41 PM             8,376 SWREG.EXE-3688D00C.pf
    02/27/2007  11:41 PM            24,984 CHKNTFS.EXE-31921D64.pf
    02/27/2007  11:22 PM            35,834 CCLEANER.EXE-0BCE437C.pf
    02/27/2007  11:02 PM            46,052 IKERNEL.EXE-2EFA43C7.pf
    02/27/2007  10:36 PM            47,204 IKERNEL.EXE-078AA887.pf
    02/27/2007  10:29 PM            34,998 PHOTOED.EXE-0F3CAA01.pf
    02/27/2007  09:49 PM            14,108 VIEWPOINTSERVICE.EXE-0CA24EB3.pf
    02/27/2007  09:16 PM            34,088 YUPDATER.EXE-278A4587.pf
    02/27/2007  09:16 PM            74,086 YAHOOM~1.EXE-1AE97F84.pf
    02/27/2007  08:20 PM            47,556 VIEWMGR.EXE-1E800BBC.pf
    02/27/2007  08:20 PM            46,286 YMSGR_TRAY.EXE-256366BA.pf
    02/27/2007  08:20 PM            14,428 MONITORBK.EXE-0419A841.pf
    02/26/2007  10:02 PM            77,594 MSNMSGR.EXE-366A1A81.pf
    02/26/2007  08:26 PM            12,032 RUNDLL32.EXE-451FC2C0.pf
    02/25/2007  11:56 AM            46,702 PWSAFE.EXE-0FFF15EE.pf
    02/24/2007  08:07 PM            91,918 ACRORD32INFO.EXE-013EA364.pf
    02/20/2007  09:41 AM           106,394 WINWORD.EXE-29F5CB89.pf
    02/20/2007  01:15 AM            14,556 NMBGMONITOR.EXE-00C38554.pf
    02/20/2007  01:15 AM            36,676 NMINDEXSTORESVR.EXE-1C8EE413.pf
    02/20/2007  01:15 AM            61,830 NERO.EXE-11EFF40F.pf
    02/20/2007  01:07 AM            72,410 NEROSTARTSMART.EXE-34F7076D.pf
    02/20/2007  01:03 AM            66,276 NEROVISION.EXE-02880481.pf
    02/19/2007  10:17 PM            24,130 UTORRENT.EXE-07A2D34A.pf
    02/19/2007  04:38 PM            87,800 WMPLAYER.EXE-18DDEFA2.pf
    02/18/2007  08:37 PM            56,102 MRT.EXE-1B4A8D49.pf
    02/18/2007  08:36 PM            81,766 FIREFOX.EXE-17EE503B.pf
    02/18/2007  02:20 AM            31,692 DIVXSM.EXE-3407AB62.pf
                 130 File(s)      7,949,242 bytes
                   0 Dir(s)  26,329,468,928 bytes free
     
    ----- Windows -------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\WINDOWS
    
    03/02/2007  01:36 PM               116 NeroDigital.ini
    03/02/2007  01:02 PM               252 wiadebug.log
    03/02/2007  12:49 PM         1,081,184 WindowsUpdate.log
    03/02/2007  12:43 PM                48 wiaservc.log
    03/02/2007  12:42 PM                 0 0.log
    03/02/2007  12:42 PM             2,048 bootstat.dat
    03/02/2007  12:28 PM            32,388 SchedLgU.Txt
    03/02/2007  11:08 AM           769,430 ntbtlog.txt
    03/01/2007  10:21 PM               675 win.ini
    03/01/2007  10:21 PM               227 system.ini
    03/01/2007  09:19 PM             9,449 setupapi.log
    03/01/2007  09:00 PM               512 randseed.rnd
    02/27/2007  11:50 PM                60 setupact.log
    02/27/2007  11:50 PM                 0 setuperr.log
    01/12/2007  02:09 PM            54,156 QTFont.qfn
                 108 File(s)      9,624,772 bytes
                   0 Dir(s)  26,329,460,736 bytes free
     
    ----- Tasks ---------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\WINDOWS\tasks
    
    03/02/2007  12:42 PM                 6 SA.DAT
                   2 File(s)             71 bytes
                   0 Dir(s)  26,329,464,832 bytes free
     
    ----- Wintemp -------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\WINDOWS\temp
    
    03/02/2007  01:01 PM               409 WGANotify.settings
    03/02/2007  01:00 PM               255 WGAErrLog.txt
    02/28/2007  08:57 AM            16,384 Perflib_Perfdata_e14.dat
    02/27/2007  11:49 PM            16,384 Perflib_Perfdata_1dc.dat
                   4 File(s)         33,432 bytes
                   0 Dir(s)  26,329,464,832 bytes free
     
    ----- Temp ----------------------------- 
     Volume in drive C has no label.
     Volume Serial Number is E82F-AD42
    
     Directory of C:\DOCUME~1\dilbert\LOCALS~1\Temp
    
    03/02/2007  02:39 PM            16,384 ~DF4049.tmp
    03/02/2007  02:25 PM            32,768 ~DFB3CE.tmp
    03/02/2007  01:13 PM            21,176 ondcp.bmp
    03/02/2007  01:13 PM            21,176 snowflake.bmp
    03/02/2007  01:13 PM            21,176 doritoscts.bmp
    03/02/2007  01:13 PM            21,176 nordstrom6.bmp
    03/02/2007  01:13 PM            21,176 freeride2.bmp
    03/02/2007  01:13 PM            21,176 ghostrider.bmp
    03/02/2007  01:06 PM             5,133 jusched.log
    03/02/2007  01:04 PM               103 STSC.tmp
    03/02/2007  01:03 PM             1,285 MAR8.tmp
    03/02/2007  01:03 PM            16,384 ~DFE30C.tmp
    03/02/2007  12:28 PM            12,306 hpodvd09.log
    03/02/2007  11:14 AM               103 STSB.tmp
    03/02/2007  11:13 AM             1,285 MAR7.tmp
    03/02/2007  11:13 AM           212,992 ~DF4EE5.tmp
    03/01/2007  10:18 PM               322 MSIe5e82.LOG
    03/01/2007  10:18 PM               234 ~45.tmp
    03/01/2007  10:18 PM               322 MSIe5e81.LOG
    03/01/2007  10:17 PM               234 ~3E.tmp
    03/01/2007  10:17 PM               322 MSIe5e80.LOG
    03/01/2007  10:17 PM               234 ~36.tmp
    03/01/2007  10:17 PM               322 MSIe5e7f.LOG
    03/01/2007  10:15 PM               234 ~2F.tmp
    03/01/2007  09:47 PM               103 STSA.tmp
    03/01/2007  09:47 PM             1,285 MAR6.tmp
    03/01/2007  09:38 PM            16,384 ~DF8847.tmp
    03/01/2007  09:37 PM               103 STS8.tmp
    03/01/2007  09:36 PM             1,285 MAR5.tmp
    03/01/2007  09:27 PM            16,384 ~DF188D.tmp
    03/01/2007  09:24 PM            70,487 qup2l8xo.zip
    02/28/2007  11:56 PM               416 java_install_reg.log
    02/28/2007  09:47 PM            32,768 ~DFB0E9.tmp
    02/28/2007  07:53 PM               103 STS7.tmp
    02/28/2007  07:52 PM             1,285 MAR4.tmp
    02/28/2007  07:46 PM             7,912 16cd_appcompat.txt
    02/28/2007  07:46 PM            16,384 ~DF19A2.tmp
    02/28/2007  07:35 PM            32,768 ~DFC6A1.tmp
    02/28/2007  07:23 PM            32,768 ~DF1B49.tmp
    02/28/2007  11:52 AM               239 TMP6.tmp
    02/28/2007  08:53 AM               103 STS4.tmp
    02/28/2007  08:53 AM             1,285 MAR2.tmp
    02/28/2007  08:52 AM            16,384 ~DF6353.tmp
    02/28/2007  08:35 AM            32,768 ~DF6F32.tmp
    02/27/2007  11:56 PM               103 STS5.tmp
    02/27/2007  11:55 PM             1,285 MAR3.tmp
    02/27/2007  11:54 PM            16,384 ~DF7BD7.tmp
                  47 File(s)        727,009 bytes
                   0 Dir(s)  26,329,460,736 bytes free

  10. #20
    Tammy
    Guest

    Re: HijackThis logfile

    Hi calvin,

    one more "killbox",
    same procedure as above:

    Next download and unzip "Killbox"
    to your desktop.
    Start it,
    -put a check next to "delete on reboot"
    -Click the button "all files"
    -Click "use dummy"
    -type or copy into the blank line:

    C:\WINDOWS\system32\awtur.dll

    and click the white cross in the red circle.
    "Files will be Removed on Reboot, Do you want to reboot now?"
    Click "no".

    -type or copy into the blank line:

    C:\WINDOWS\system32\xxyywtt.dll

    and click the white cross in the red circle.
    "Files will be Removed on Reboot, Do you want to reboot now?"
    Click "no".

    Repeat this with each of these paths and filenames:

    C:\WINDOWS\system32\hevreupe.dll
    rutwa.ini
    rutwa.bak2
    rutwa.tmp
    rutwa.bak1
    fihkj.ini
    xaccf.ini
    fccax.dll
    rqrrpqp.dll


    When the last filename has been copied/typed in, answer the question for reboot with "yes"


    After this:
    Close down all windows including Internet Explorer.
    Run Hijackthis, click >scan< and put a checkmark next to each of these items.
    Then click the >Fix Checked< -button:

    O2 - BHO: (no name) - {148C143A-B9A8-4035-BB25-7E935C1FEC8F} - (no file)
    O2 - BHO: (no name) - {5D3D6B62-411B-4959-A379-9A467E4F1EDE} - (no file)
    O2 - BHO: (no name) - {601774FD-4B3F-44F0-99E3-B0E4E0146F65} - C:\WINDOWS\system32\xxyywtt.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {AF971BE6-D16F-4CEC-9F6A-8498117D6689} - C:\WINDOWS\system32\awtur.dll
    O2 - BHO: (no name) - {C696655F-3258-4817-8211-7C11AD2CFE86} - (no file)
    O2 - BHO: (no name) - {D0315787-15F7-41F6-8B61-4C0BCCC65BFA} - (no file)
    O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hevreupe.dll
    O20 - Winlogon Notify: awtur - C:\WINDOWS\system32\awtur.dll
    O20 - Winlogon Notify: jkhhe - C:\WINDOWS\
    O20 - Winlogon Notify: winzun32 - C:\WINDOWS\
    O20 - Winlogon Notify: xxyywtt - C:\WINDOWS\SYSTEM32\xxyywtt.dll


    Restart your PC to reset the registry, then please create and post a new HJT log.

    Cheers,
    Tammy
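
A triage sketch for the O2/O20 entries picked out in the post above, added here as an example; it is not part of the original post or of any tool named in the thread. The rule it applies is an assumption: an unnamed BHO that has no file or sits directly in system32 is flagged, and a Winlogon Notify entry is flagged when its path has no DLL or it loads the same DLL as a flagged BHO. The sample lines are the O2 and O20 lines from the HijackThis log posted earlier in the thread.

```python
import ntpath
import re

# O2 (Browser Helper Object) and O20 (Winlogon Notify) lines copied from the
# HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {148C143A-B9A8-4035-BB25-7E935C1FEC8F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D3D6B62-411B-4959-A379-9A467E4F1EDE} - (no file)
O2 - BHO: (no name) - {601774FD-4B3F-44F0-99E3-B0E4E0146F65} - C:\WINDOWS\system32\xxyywtt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF971BE6-D16F-4CEC-9F6A-8498117D6689} - C:\WINDOWS\system32\awtur.dll
O2 - BHO: (no name) - {C696655F-3258-4817-8211-7C11AD2CFE86} - (no file)
O2 - BHO: (no name) - {D0315787-15F7-41F6-8B61-4C0BCCC65BFA} - (no file)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\system32\hevreupe.dll
O20 - Winlogon Notify: awtur - C:\WINDOWS\system32\awtur.dll
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzun32 - C:\WINDOWS\
O20 - Winlogon Notify: xxyywtt - C:\WINDOWS\SYSTEM32\xxyywtt.dll
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")

# Windows paths are case-insensitive, so compare in normalised form.
SYSTEM32 = ntpath.normcase(r"C:\WINDOWS\system32")


def triage(log_text):
    """Return (flagged_bhos, flagged_notify), each a list of
    (identifier, target, reason) tuples. Heuristic only (an assumption of
    this example): a hit is a candidate for review, not a verdict."""
    bhos, notify = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())

    flagged_bhos, flagged_dlls = [], set()
    for b in bhos:
        if b["name"] != "(no name)":
            continue  # named BHOs are left for manual review
        target = b["target"]
        if target == "(no file)":
            flagged_bhos.append((b["clsid"], target, "orphaned registration"))
        elif ntpath.normcase(ntpath.dirname(target)) == SYSTEM32:
            flagged_bhos.append((b["clsid"], target, "unnamed BHO in system32"))
            flagged_dlls.add(ntpath.normcase(target))

    flagged_notify = []
    for n in notify:
        target = n["target"]
        if not ntpath.basename(target):
            # Path ends in a backslash: the key names a directory, not a DLL.
            flagged_notify.append((n["name"], target, "no DLL in path"))
        elif ntpath.normcase(target) in flagged_dlls:
            flagged_notify.append((n["name"], target, "same DLL as flagged BHO"))
    return flagged_bhos, flagged_notify


if __name__ == "__main__":
    for group in triage(SAMPLE_LOG):
        for ident, target, reason in group:
            print(f"{ident:40} {target:40} {reason}")
```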
