Computer Juice > Virus, Spyware & Security
Thread: Iexplorer.exe MATHMA~1.exe RECTBO~1.exe

#1 - 16-01-2008, 06:24 PM - euphotix (CJ New Member)

So I downloaded WinZix. Yeah, I'm dumb, I know now. But I removed it and did a few virus scans; I used AVG and then McAfee. But I have 2 iexplorers open in my Windows Task Manager, and when I close them or do the end process tree, MATHA~1.exe or RECTBO~1.exe opens up just for a second and reopens the iexplorers, and then they close. So yeah, I don't know what to do, but I see a lot of people say to use HijackThis, so here's my HijackThis log. Any help would be so appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:04:01 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\four tick.exe
O4 - HKCU\..\Run: [trustlive] C:\DOCUME~1\DANIEL~1\APPLIC~1\RECTLO~1\Math Mags.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

#2 - 16-01-2008, 07:02 PM - evilfantasy (CJ Moderator)

Welcome to TCF.

Let's see if we can cure this.

Please download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and save it to your desktop. Don't use it yet.

---------------

Open HijackThis, select Do a system scan only, then place a check mark next to:

O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\four tick.exe
O4 - HKCU\..\Run: [trustlive] C:\DOCUME~1\DANIEL~1\APPLIC~1\RECTLO~1\Math Mags.exe


Close all windows except for HijackThis and click Fix checked.

Exit HijackThis.

---------------

Double click OTMoveIt2.exe to launch it.

Be sure there is a check mark next to Unregister Dll's and OCX's.
  • Copy the two file paths below to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy.
C:\Documents and Settings\All Users\Application Data\Frag great bend logo\four tick.exe
C:\DOCUME~1\DANIEL~1\APPLIC~1\RECTLO~1\Math Mags.exe
  • Return to OTMoveIt, right click in the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results will appear in the right hand pane.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them.
  • Then right-click and choose copy, and paste it on your next reply.
  • When finished click Exit to exit the program.
  • Please add the log in your next reply.
  • If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
  • If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at C:\_OTMoveIt\MovedFiles\********_******.log
  • (where "********_******" is the "date_time")
Click Exit to close OTMoveIt.

---------------

Next post, please add the OTMoveIt log.
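Added example, not from the thread and not HijackThis code: a small Python triage script that parses the O4 Run lines of a HijackThis 1.99 log and flags the two entries evilfantasy picked out above, using two heuristics of its own (an executable autostarting from a user-writable profile directory, and a Run value name made of unrelated lower-case words). The sample log is constructed from the O4 lines of the first post.

```python
"""Triage helper for HijackThis O4 (autostart) entries.

Added example, not part of the thread or of HijackThis. Parses lines of the
form  O4 - HKLM\..\Run: [value name] command  and flags the ones a helper
would look at first. The heuristics are this example's own.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# O4 Run-key line as HijackThis 1.99 prints it (HKLM or HKCU). Startup-folder
# entries ("O4 - Startup: ...") have a different shape and are ignored.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)

# Directory markers, long and 8.3 short form, that any logged-on XP user can
# write to. Compared case-insensitively against the executable path.
USER_WRITABLE_MARKERS = (
    '\\documents and settings', '\\docume~1',
    '\\application data', '\\applic~1',
)

# Sample input constructed from the O4 lines of the first log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [bend logo clock film] C:\Documents and Settings\All Users\Application Data\Frag great bend logo\four tick.exe
O4 - HKCU\..\Run: [trustlive] C:\DOCUME~1\DANIEL~1\APPLIC~1\RECTLO~1\Math Mags.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
"""


class Flagged(NamedTuple):
    hive: str
    name: str
    exe: str
    reasons: List[str]


def parse_o4(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (hive, value name, command line) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    if m is None:
        return None
    return m.group('hive'), m.group('name'), m.group('cmd')


def executable_path(cmd: str) -> str:
    """Strip quotes and trailing arguments from an O4 command line.

    A quoted path ends at the closing quote; an unquoted one is cut at the
    first ' -' or ' /' switch (how the McAfee and Creative entries carry theirs).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\s[-/]', cmd)
    return cmd[:m.start()] if m else cmd


def suspicious_reasons(name: str, exe: str) -> List[str]:
    """Heuristic reasons to look at an entry; an empty list means nothing odd."""
    reasons = []
    if any(marker in exe.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append('autostarts from a user-writable profile directory')
    words = name.split()
    if len(words) >= 3 and all(w.isalpha() and w.islower() for w in words):
        reasons.append('Run value name is a string of unrelated lower-case words')
    return reasons


def triage(log_text: str) -> List[Flagged]:
    """Return the O4 Run entries in a HijackThis log that trip a heuristic."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_o4(line)
        if parsed is None:
            continue
        hive, name, cmd = parsed
        exe = executable_path(cmd)
        reasons = suspicious_reasons(name, exe)
        if reasons:
            flagged.append(Flagged(hive, name, exe, reasons))
    return flagged


if __name__ == '__main__':
    for entry in triage(SAMPLE_LOG):
        print(f'{entry.hive} [{entry.name}] -> {entry.exe}')
        for reason in entry.reasons:
            print(f'    {reason}')
```

Run against the sample log it reports exactly the [bend logo clock film] and [trustlive] entries; the McAfee, Java and Windows entries pass because they live under Program Files or %systemroot%.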

#3 - 16-01-2008, 07:06 PM - Axegrinder (CJ Member)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

Is your Windows genuine?

Edit: Evilfantasy beat me to it.

Last edited by Axegrinder : 16-01-2008 at 07:07 PM.

#4 - 16-01-2008, 08:01 PM - euphotix (CJ New Member)

YAY!!!! I'm pretty sure it worked. Thanks a lot, but I am a bit unsettled by the failed moved file.

File move failed. C:\Documents and Settings\All Users\Application Data\Frag great bend logo\four tick.exe scheduled to be moved on reboot.
C:\DOCUME~1\DANIEL~1\APPLIC~1\RECTLO~1\Math Mags.exe moved successfully.

OTMoveIt2 v1.0.7 log created on 01162008_145132

EDIT: I'm pretty sure my Windows is genuine; I got my computer custom made a few years back.

Last edited by euphotix : 16-01-2008 at 08:02 PM.

#5 - 16-01-2008, 08:05 PM - evilfantasy (CJ Moderator)

Did you reboot?


We still need to do some more. Usually the infected areas that show are just the tip of the problem. Let's make sure everything is gone.
Download SUPERAntispyware Free Edition (SAS)
  • Double-click the icon on your desktop to run the installer.
  • When asked to Update the program definitions, click Yes
  • Next click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure only the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining
    • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen click Scan your computer
  • On the left check C:\Fixed Drive
  • On the right choose Perform Complete Scan
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK
  • Make sure everything in the white box has a check next to it, then click Next
  • It will quarantine what it found and if it asks if you want to reboot, click Yes
  • To retrieve the removal information please do the following:
    • After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Save the notepad file to your desktop by clicking (in notepad) "File" "Save As"
  • Save the log somewhere you can easily find it. (normally the desktop)
  • Click close and close again to exit the program.
  • Please copy and then paste the log in your post.
---------------

Run a new HijackThis scan and post that log also.

---------------

Next post:
  • SuperAntispyware log
  • New HijackThis log

Last edited by evilfantasy : 16-01-2008 at 08:06 PM.

#6 - 17-01-2008, 08:28 AM - euphotix (CJ New Member)

Hey hey, sorry I took so long. I had to work right after my last post.

But here are the logs!!!!

HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 3:26:25 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe /SYS
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

And here's my SUPERAntiSpyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/17/2008 at 03:11 AM

Application Version : 3.9.1008

Core Rules Database Version : 3381
Trace Rules Database Version: 1375

Scan type : Complete Scan
Total Scan Time : 04:41:27

Memory items scanned : 544
Memory threats detected : 0
Registry items scanned : 5928
Registry threats detected : 0
File items scanned : 173662
File threats detected : 71

Adware.Tracking Cookie

Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9ABC731F-C847-4CA4-821A-E6D2ED1D4D39}\RP565\A0305240.EXE

Trojan.Downloader-ConHook
C:\WINDOWS\SYSTEM32\DDAYA.EXE

Trojan.Downloader-Gen/BigTkt
C:\WINDOWS\SYSTEM32\DRVSIPR.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\TSTWA.BAK1

Adware.Lop
C:\_OTMOVEIT\MOVEDFILES\01162008_145132\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\FRAG GREAT BEND LOGO\FOUR TICK.EXE

#7 - 17-01-2008, 03:00 PM - evilfantasy (CJ Moderator)

The logs look fine now. How is the computer?


Time to do some cleanup and secure the work you have done.
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

The above procedure will:
  • Delete ComboFix and its associated files and folders.
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Set a new, clean Restore Point.

Let's clear out the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Please download OTMoveIt2 by OldTimer (OTMoveIt2.exe) and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. When finished, exit out of OTMoveIt2.


Check out Keeping Yourself safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.


Let me know how everything is now.
  #8  
Old 18-01-2008, 05:52 AM
euphotix
CJ New Member
Join Date: Jan 2008
Posts: 4
Iexplorer.exe MATHMA~1.exe RECTBO~1.exe

OK, I did it all, but I couldn't do the ComboFix thingy. It says Windows can't find it.

And I did the OTMoveIt2, and again it said failed, will do it on startup, but it doesn't launch on startup.

I would show you the log, but I deleted it because I got kinda scared when you said someone could accidentally delete something on my comp with it. lol


EDIT: Oh ya, my computer is back to normal now, but I'm going to check through the Slow Computer? It May Not Be Malware thread.
BTW THANKS A LOT YOU AWESOME PERSON OF AWESOMENESS

Last edited by euphotix : 18-01-2008 at 05:53 AM.
  #9  
Old 18-01-2008, 05:55 AM
evilfantasy
CJ Moderator
Join Date: Jul 2007
Posts: 4,605
Iexplorer.exe MATHMA~1.exe RECTBO~1.exe

No problem, I am sure everything is fine.

Is the computer running OK still?

Copyright ©2006 - 2008 Computer Juice.