TheTechGuide Forum
General Category => Tech Clinic => Topic started by: NuCK on November 14, 2006, 11:52:13 PM
-
Here is the HJT for the second PC that's infected
Logfile of HijackThis v1.99.1
Scan saved at 12:49:09 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: tbkrnl32.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
-
here is the combofix log
user - 06-11-15 12:51:21.03 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\user\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-15 to 2006-11-15 ))))))))))))))))))))))))))))))))))
2006-11-14 10:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-13 19:05 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2006-11-13 19:05 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2006-11-13 19:05 368,640 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2006-11-13 19:05 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2006-11-13 19:05 28,205 --a------ C:\WINDOWS\system32\ANIO.sys
2006-11-13 19:05 221,184 --a------ C:\WINDOWS\system32\wlanapi.dll
2006-11-13 19:05 212,992 --a------ C:\WINDOWS\system32\aIPH.dll
2006-11-13 19:05 143,360 --a------ C:\WINDOWS\system32\WlanApp.dll
2006-11-13 19:05 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2006-11-13 19:05 1,323,095 --a------ C:\WINDOWS\system32\odSupp_M.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-15 12:48 -------- d-------- C:\Program Files\HijackThis
2006-11-14 10:35 -------- d-------- C:\Program Files\Grisoft
2006-11-13 19:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-13 19:05 -------- d-------- C:\Program Files\ANI
2006-11-01 21:05 -------- d-------- C:\Program Files\SpywareBlaster
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Antiwpa
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
Completion time: 06-11-15 12:52:37.28
C:\ComboFix.txt ... 06-11-15 12:52
-
Here is the AVG Scan Report
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:31:53 PM 11/15/2006
+ Scan result:
C:\WINDOWS\system32\lslldr14.dll -> Downloader.Agent.bbc : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drivers\lslldr14.sys -> Hijacker.StartPage.amg : Cleaned with backup (quarantined).
::Report end
-
Sorry for the delay NuCK
Can I have you try the following please
I just want to check on something
Can you delete your version of Combofix.exe you have saved
Download this version of Combofix.exe (http://download.bleepingcomputer.com/sUBs/zh/BetaD/combofix.exe)
Don't run it yet
Reboot your computer into safe mode
Sign in with your usual user account
In safe mode, Double click on the new Combofix.exe
Follow the prompts
Save the log it produces
Reboot back to Normal windows and post the new log please from Combofix
-
Here is the new log you requested.
user - 06-11-18 11:04:49.00 Service Pack 2
ComboFix 06.11.17W - Running from: "C:\Documents and Settings\user\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-18 to 2006-11-18 ))))))))))))))))))))))))))))))))))
2006-11-15 12:40 <DIR> d-------- C:\Program Files\HijackThis
2006-11-15 12:34 <DIR> d-------- C:\WINDOWS\system32\wsword
2006-11-15 11:33 <DIR> d-------- C:\WINDOWS\system32\mspalnt
2006-11-14 12:54 <DIR> d-------- C:\WINDOWS\CSC
2006-11-14 10:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-14 10:35 <DIR> d-------- C:\Program Files\Grisoft
2006-11-13 19:05 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2006-11-13 19:05 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2006-11-13 19:05 368,640 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2006-11-13 19:05 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2006-11-13 19:05 28,205 --a------ C:\WINDOWS\system32\ANIO.sys
2006-11-13 19:05 221,184 --a------ C:\WINDOWS\system32\wlanapi.dll
2006-11-13 19:05 212,992 --a------ C:\WINDOWS\system32\aIPH.dll
2006-11-13 19:05 143,360 --a------ C:\WINDOWS\system32\WlanApp.dll
2006-11-13 19:05 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2006-11-13 19:05 1,323,095 --a------ C:\WINDOWS\system32\odSupp_M.dll
2006-11-13 19:05 <DIR> d-------- C:\Program Files\ANI
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-18 11:07 -------- d-------- C:\Program Files\Common Files
2006-11-13 19:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 21:05 -------- d-------- C:\Program Files\SpywareBlaster
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"cwcjpnpv"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\cwcjpnpv.dll,DllUnregisterServer"
"lslldr14"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,52,75,6e,64,6c,6c,33,32,2e,65,78,65,20,25,73,79,73,74,65,6d,72,6f,6f,\
74,25,5c,73,79,73,74,65,6d,33,32,5c,6c,73,6c,6c,64,72,31,34,2e,64,6c,6c,2c,\
44,6c,6c,55,6e,72,65,67,69,73,74,65,72,53,65,72,76,65,72,00
"dxdkqoqw"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,52,75,6e,64,6c,6c,33,32,2e,65,78,65,20,25,73,79,73,74,65,6d,72,6f,6f,\
74,25,5c,73,79,73,74,65,6d,33,32,5c,63,77,63,6a,70,6e,70,76,2e,64,6c,6c,2c,\
44,6c,6c,55,6e,72,65,67,69,73,74,65,72,53,65,72,76,65,72,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService REG_MULTI_SZ DnsCache
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService
Completion time: 06-11-18 11:07:49.98
C:\ComboFix.txt ... 06-11-18 11:07
C:\ComboFix2.txt ... 06-11-15 12:52
-
Can you do the following for me please
Print these instructions or save them to a text file on your desktop
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- lslldr14
Let me know later if you found this service name and were able to stop and disable it please
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Download The Avenger.zip (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
* Click on Avenger.zip to open the file
* Extract avenger.exe to your desktop
Copy ALL the text between the two lines below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard:
=============================================================
Drivers to unload:
lslldr14
Registry values to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | cwcjpnpv
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | dxdkqoqw
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce | lslldr14
files to delete:
C:\WINDOWS\system32\lslldr14.dll
C:\WINDOWS\system32\drivers\lslldr14.sys
C:\WINDOWS\\system32\cwcjpnpv.dll
C:\WINDOWS\\system32\tbkrnl32.dll
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now Reboot your computer
In your case where "Drivers to unload" are in the script
Your computer will actually reboot twice
Back in Windows
Can you do the following
DON'T open a browser window yet
Instead
* Clean your Cache and Cookies in IE:
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, Click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Cache).
- Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin:
- Go to start > run and type:
cleanmgr and click ok.
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Press OK to remove them.
Afterwards
1. Post a fresh hijackthis log
2. Post the report from Avenger, located here>>C:\Avenger.txt
With the above 2 logs, could you also
RIGHT CLICK an empty spot on your desktop and select
NEW>>Text Document
A new text document will be placed on desktop
Name it find.txt
Open find.txt
Copy>>Paste all the text below in the code box to it
Don't include the word 'code'
Close find.txt after you paste the info below and save the changes
RegSearch Options File
[Search]
lslldr14
[Options]
Filter=KVDLUI
Download Registry Search (http://www.bleepingcomputer.com/files/steelwerx/regsearch.zip) to your desktop.
* Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
* Open the new folder, and double click on regsearch.exe
* Click "Import" in the lower left corner and browse to the find.txt file that you just saved on your desktop.
* Double click on find.txt
* Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
* Please reply here with the entire contents of the Notepad file from RegSearch.
ALSO
Can you run a Search on your computer for the following>>START>SEARCH>>All Files and Folders
For the following
dxdkqoqw
Ensure under Advanced Options the top 3 selections are checked
Post back if any files are found, include the folder and extension please
Eg... dxdkqoqw.dll in System32 folder
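An added example (my own code, not from this thread and not one of the tools linked above): a Python parser for the REGEDIT4-style dumps that ComboFix and RegSearch print, which decodes the hex(2) REG_EXPAND_SZ values shown as comma-separated bytes and lists every value that launches rundll32 <dll>,<export>. The sample dump is constructed from the RunOnce and lslldr14 service entries quoted in the logs above; the function names and the UTF-16 fallback for REGEDIT5 exports are my assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the RunOnce values and the lslldr14 service key copied
# from the ComboFix / RegSearch output in this thread, in REGEDIT4 syntax.
SAMPLE_DUMP = r'''
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"cwcjpnpv"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\cwcjpnpv.dll,DllUnregisterServer"
"lslldr14"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,52,75,6e,64,6c,6c,33,32,2e,65,78,65,20,25,73,79,73,74,65,6d,72,6f,6f,\
74,25,5c,73,79,73,74,65,6d,33,32,5c,6c,73,6c,6c,64,72,31,34,2e,64,6c,6c,2c,\
44,6c,6c,55,6e,72,65,67,69,73,74,65,72,53,65,72,76,65,72,00
"dxdkqoqw"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,33,\
32,5c,52,75,6e,64,6c,6c,33,32,2e,65,78,65,20,25,73,79,73,74,65,6d,72,6f,6f,\
74,25,5c,73,79,73,74,65,6d,33,32,5c,63,77,63,6a,70,6e,70,76,2e,64,6c,6c,2c,\
44,6c,6c,55,6e,72,65,67,69,73,74,65,72,53,65,72,76,65,72,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lslldr14]
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6c,73,6c,\
6c,64,72,31,34,2e,73,79,73,00
"DisplayName"="lslldr14"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$', re.I)
# matches "rundll32 <dll>,<export>" as in the RunOnce entries above
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.I)

def join_continuations(text: str) -> List[str]:
    """Re-join hex values that regedit wraps with a trailing backslash."""
    lines: List[str] = []
    buf = ''
    for line in text.splitlines():
        buf += line.strip()
        if buf.endswith('\\') and '=hex' in buf.lower():
            buf = buf[:-1]          # drop the continuation marker, keep reading
            continue
        lines.append(buf)
        buf = ''
    if buf:
        lines.append(buf)
    return lines

def unescape_reg_string(s: str) -> str:
    """Undo the backslash escaping used inside quoted .reg strings."""
    return re.sub(r'\\(.)', r'\1', s)

def decode_hex_value(hex_csv: str) -> str:
    """Decode the comma-separated bytes of a hex(2)/hex(7) value to text.
    REGEDIT4 dumps (ComboFix, RegSearch) hold ANSI bytes; REGEDIT5 holds UTF-16LE."""
    raw = bytes(int(b, 16) for b in hex_csv.split(',') if b.strip())
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode('utf-16-le').rstrip('\x00')
    return raw.decode('latin-1').rstrip('\x00')

def parse_value_data(data: str) -> str:
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return unescape_reg_string(data[1:-1])          # REG_SZ
    m = HEX_RE.match(data)
    if m and m.group(1) == '2':                          # REG_EXPAND_SZ
        return decode_hex_value(m.group(2))
    if m and m.group(1) == '7':                          # REG_MULTI_SZ
        return decode_hex_value(m.group(2)).replace('\x00', ' | ')
    return data                                          # dword:, binary hex: kept as-is

def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: decoded data}} for a .reg-style dump."""
    reg: Dict[str, Dict[str, str]] = {}
    current = ''
    for line in join_continuations(text):
        if not line or line.startswith(';') or line.upper().startswith('REGEDIT'):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group(1)
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current:
            reg[current][vm.group(1)] = parse_value_data(vm.group(2))
    return reg

def find_rundll32_loaders(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """(key, value name, dll path, export) for every value that runs rundll32 <dll>,<export>."""
    hits = []
    for key, values in reg.items():
        for name, data in values.items():
            m = RUNDLL_RE.search(data)
            if m:
                hits.append((key, name, m.group(1), m.group(2)))
    return hits

def dll_basenames(hits: List[Tuple[str, str, str, str]]) -> Set[str]:
    """Distinct DLL file names the loaders reference; the value name need not match (cf. dxdkqoqw)."""
    return {path.rsplit('\\', 1)[-1].lower() for _, _, path, _ in hits}
```

Calling find_rundll32_loaders(parse_reg_dump(SAMPLE_DUMP)) shows that the two hex(2) RunOnce values expand to the same rundll32 ...,DllUnregisterServer form as the plain cwcjpnpv one, and dll_basenames makes it plain that the dxdkqoqw value loads cwcjpnpv.dll rather than a file of its own name.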
-
Thank you so so much again guestolo.
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 4:35:53 PM, on 11/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
Avenger Log
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hksjnkow
*******************
Script file located at: \??\C:\Program Files\pbpcdruo.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver lslldr14 unloaded successfully.
File C:\WINDOWS\system32\lslldr14.dll deleted successfully.
File C:\WINDOWS\system32\drivers\lslldr14.sys deleted successfully.
File C:\WINDOWS\\system32\cwcjpnpv.dll deleted successfully.
File C:\WINDOWS\\system32\tbkrnl32.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce|cwcjpnpv deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce|dxdkqoqw deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce|lslldr14 deleted successfully.
Registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.
Completed script processing.
*******************
Finished! Terminate.
Regsearch Log
REGEDIT4
; Registry Search 2.0 by Bobbi Flekman ?2005
; Version: 2.0.1.0
; Results at 11/20/2006 4:32:05 PM for strings:
; 'lslldr14'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000\Control]
"ActiveService"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lslldr14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lslldr14]
; Contents of value:
; system32\drivers\lslldr14.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6c,73,6c,\
6c,64,72,31,34,2e,73,79,73,00
"DisplayName"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lslldr14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lslldr14]
; Contents of value:
; system32\drivers\lslldr14.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6c,73,6c,\
6c,64,72,31,34,2e,73,79,73,00
"DisplayName"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000\Control]
"ActiveService"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lslldr14]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lslldr14]
; Contents of value:
; system32\drivers\lslldr14.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,6c,73,6c,\
6c,64,72,31,34,2e,73,79,73,00
"DisplayName"="lslldr14"
; End Of The Log...
And finally
dxdkqoqw was found in C:\WINDOWS\system32\drivers\
The file type is "System File"
I don't think it has an extension, because nothing shows even after I changed my Explorer settings to show extensions for known file types.
-
Sorry for the delay, I was having a hard time accessing the forum yesterday.
Can we do this again please?
Download SREng
http://www.kztechs.com/sreng/sreng2.zip
Extract it to Desktop and double click SREng.exe to run it
Select: Smart Scan and click on the [Scan] button.
The progress bar may stop at times, be patient, it is still scanning.
When finished, click on the Save Reports button and save the log to Desktop
Please post the SREng log in your reply.
-
Here is the srENG log.
2006-11-22,10:49:24
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- Administrative User - Completed Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [Microsoft Corporation]
<Yahoo! Pager><"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet> [Yahoo! Inc.]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<VTTrayp><VTtrayp.exe> [(Verified)S3 Graphics Co., Ltd.]
<VTTimer><VTTimer.exe> [(Verified)S3 Graphics, Inc.]
<AudioDeck><C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 > [N/A]
<VSOCheckTask><"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask> [McAfee, Inc.]
<VirusScan Online><C:\Program Files\McAfee.com\VSO\mcvsshld.exe> [McAfee, Inc.]
<OASClnt><C:\Program Files\McAfee.com\VSO\oasclnt.exe> [McAfee, Inc.]
<MCAgentExe><c:\PROGRA~1\mcafee.com\agent\mcagent.exe> [McAfee, Inc]
<MCUpdateExe><C:\PROGRA~1\mcafee.com\agent\McUpdate.exe> [McAfee, Inc]
<D-Link AirPlus G><C:\Program Files\D-Link\AirPlus G\AirGCFG.exe> [D-Link]
<ANIWZCS2Service><C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe> [Alpha Networks Inc.]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
<WinlogonNotify: Antiwpa><antiwpa.dll> [N/A]
==================================
Startup Folders
N/A
==================================
Services
[Adobe LM Service / Adobe LM Service]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ANIWZCSd Service / ANIWZCSdService]
<C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe><Alpha Networks Inc.>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard]
<C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[McAfee WSC Integration / McDetect.exe]
<c:\program files\mcafee.com\agent\mcdetect.exe><McAfee, Inc>
[McAfee.com McShield / McShield]
<c:\PROGRA~1\mcafee.com\vso\mcshield.exe><McAfee Inc.>
[McAfee Task Scheduler / McTskshd.exe]
<c:\PROGRA~1\mcafee.com\agent\mctskshd.exe><McAfee, Inc>
[McAfee SecurityCenter Update Manager / mcupdmgr.exe]
<C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe><McAfee, Inc>
==================================
Drivers
[D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) / A3AB]
<system32\DRIVERS\A3AB.sys><D-Link Corporation>
[AMD Processor Driver / AmdK8]
<system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[ANIO Service / ANIO]
<\??\C:\WINDOWS\system32\ANIO.SYS><Alpha Networks Inc.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[John's Windows 2000 Driver / csctl50]
<System32\drivers\csctl50.sys><N/A>
[dxdkqoq / dxdkqoqw]
<\SystemRoot\System32\DRIVERS\dxdkqoqw.sys><Microsoft Corporation>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS]
<system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[VIA Rhine Family Fast Ethernet Adapter Driver Service / FETNDISB]
<system32\DRIVERS\fetnd5b.sys><VIA Technologies, Inc.>
[GMSIPCI / GMSIPCI]
<\??\D:\INSTALL\GMSIPCI.SYS><N/A>
[lslldr1 / lslldr14]
<\SystemRoot\System32\DRIVERS\lslldr14.sys><N/A>
[MSICPL / MSICPL]
<\??\D:\install4\MSICPL.sys><N/A>
[NaiAvFilter1 / NaiAvFilter1]
<system32\drivers\naiavf5x.sys><McAfee Inc.>
[NTACCESS / NTACCESS]
<\??\D:\NTACCESS.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv]
<system32\DRIVERS\secdrv.sys><N/A>
[SetupNTGLM7X / SetupNTGLM7X]
<\??\D:\NTGLM7X.sys><N/A>
==================================
Browser Add-ons
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[]
{53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[&Research]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[Run IMVU]
{d9288080-1baa-4bc4-9cf8-a92d743db949} <C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Yahoo! Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[McAfee VirusScan]
{BA52B914-B692-46c4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[HtmlDlgSafeHelper Class]
{3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, Microsoft Corporation>
[McAfee.com Download+Installer Class]
{36C417C6-13C6-448B-9784-DD73A93B0582} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[IETag Factory]
{38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, Microsoft Corporation>
[XML Document]
{48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
[McAfee.com Registry Class]
{4C29D864-C55A-46DD-865C-17A1B7CC1A1A} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Microsoft Licensed Class Manager 1.0]
{5220CB21-C88D-11CF-B347-00AA00A28331} <C:\WINDOWS\system32\licmgr10.dll, Microsoft Corporation>
[]
{53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee.com File System Class]
{5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[YMailAttach Class]
{AA218328-0EA8-4D70-8972-E987A9190FF4} <C:\PROGRA~1\Yahoo!\Common\ymmapi.dll, Yahoo! Inc.>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee VirusScan]
{BA52B914-B692-46C4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[DwnldGroupMgr Class]
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} <C:\WINDOWS\system32\mcgdmgr.dll, McAfee, Inc>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[McAfee.com Shell Helper Class]
{CA145D71-4BCB-461D-BCBE-C01C42867380} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Adobe Acrobat Control for ActiveX]
{CA8A9780-280D-11CF-A24D-444553540000} <C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\pdf.ocx, Adobe Systems Incorporated>
[AUDIO__MID Moniker Class]
{CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__WAV Moniker Class]
{CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__AVI Moniker Class]
{CD3AFA88-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__MPEG Moniker Class]
{CD3AFA89-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
{CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[McAfee.com Application Helper Class]
{D2D8D3C0-C750-4703-A6AD-75D6B578FFE6} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[GetInfo Class]
{D5184A39-CBDF-4A4F-AC1A-7A45A852C883} <C:\Program Files\Yahoo!\Common\YVerInfo.dll, Yahoo! Inc.>
[MessengerChecker Class]
{DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, TODO: <Company name>>
[Messenger Class]
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} <, N/A>
[Yahoo! Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[]
{F06608C7-1874-4EEA-B3B2-DF99EBB144B8} <"C:\PROGRA~1\MSNMES~1\msgsc.dll", N/A>
[XML DOM Document 3.0]
{F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[&Yahoo! Search]
<file:///C:\Program Files\Yahoo!\Common/ycsrch.htm, N/A>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[Yahoo! &Dictionary]
<file:///C:\Program Files\Yahoo!\Common/ycdict.htm, N/A>
[Yahoo! &Maps]
<file:///C:\Program Files\Yahoo!\Common/ycmap.htm, N/A>
[Yahoo! &SMS]
<file:///C:\Program Files\Yahoo!\Common/ycsms.htm, N/A>
==================================
Running Processes
[PID: 608][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 680][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 704][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\antiwpa.dll] [N/A, 3.4.2]
[PID: 748][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 760][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 908][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 988][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1024][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1076][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1140][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1412][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\xrxb1ui.DLL] [SEC, 0,3,5,0]
[PID: 1760][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [Anti-Malware Development a.s., 7, 5, 0, 47]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\PROGRA~1\SPYBOT~1\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
[PID: 1980][c:\program files\mcafee.com\agent\mcdetect.exe] [McAfee, Inc, 6, 0, 0, 19]
[PID: 1996][c:\PROGRA~1\mcafee.com\vso\mcshield.exe] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\RES00\McShield.DLL] [McAfee Inc., 11.0.0.141]
[c:\PROGRA~1\mcafee.com\vso\FTL.Dll] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\naiann.dll] [McAfee, Inc., 10, 0, 0, 21]
[c:\PROGRA~1\mcafee.com\vso\mytilus.dll] [McAfee Inc., 11.0.0.151]
[C:\Program Files\McAfee.com\VSO\MCSCAN32.DLL] [McAfee, Inc., 4.4.00]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[PID: 2024][c:\PROGRA~1\mcafee.com\agent\mctskshd.exe] [McAfee, Inc, 6, 0, 0, 13]
[PID: 444][c:\PROGRA~1\mcafee.com\vso\OasClnt.exe] [McAfee, Inc., 10, 0, 0, 24]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 560][C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe] [McAfee, Inc., 10, 0, 0, 22]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\PROGRA~1\mcafee.com\vso\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\submgr\6,0,0,13\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 13]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 588][c:\progra~1\mcafee.com\vso\mcvsescn.exe] [McAfee, Inc., 10, 0, 0, 20]
[c:\progra~1\mcafee.com\vso\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\EmScnRes.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\PROGRA~1\mcafee.com\vso\vsoupd.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVsWorm.dll] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\WormRes.dll] [McAfee, Inc., 10, 0, 0, 19]
[PID: 1832][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 404][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2084][C:\WINDOWS\system32\VTtrayp.exe] [S3 Graphics Co., Ltd., 2.00.24-0621]
[C:\WINDOWS\system32\VTDisply.dll] [S3 Graphics Co., Ltd., 2.00.40-0923B]
[C:\WINDOWS\system32\VTGamma2.dll] [S3 Graphics Co., Ltd., 2.00.14-0706]
[C:\WINDOWS\system32\VTInfo2.dll] [S3 Graphics Co., Ltd., 2.00.16-0729B]
[C:\WINDOWS\system32\VTOvrlay.dll] [S3 Graphics Co., Ltd., 2.00.14-0706]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2092][C:\WINDOWS\system32\VTTimer.exe] [S3 Graphics, Inc., 1.04.05-0929]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2136][C:\Program Files\VIAudioi\SBADeck\ADeck.exe] [VIA Technologies, Inc., 6, 1, 5, 0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2220][c:\program files\mcafee.com\agent\mcagent.exe] [McAfee, Inc, 6, 0, 0, 16]
[c:\program files\mcafee.com\agent\SCRes.dll] [McAfee, Inc, 6, 0, 0, 7]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[PID: 2396][C:\Program Files\D-Link\AirPlus G\AirGCFG.exe] [D-Link, 3, 3, 1, 50329]
[C:\WINDOWS\system32\wlanapi.dll] [Alpha Networks Inc., 1, 3, 19, 50222]
[C:\WINDOWS\system32\ANIOApi.dll] [Alpha Networks Inc., 2, 0, 0, 40127]
[C:\WINDOWS\system32\AQCKGen.dll] [Alpha Networks Inc., 1, 0, 0, 30603]
[C:\WINDOWS\system32\WlanApp.dll] [Alpha Networks Inc., 1, 0, 10, 50316]
[C:\Program Files\D-Link\AirPlus G\WlanMon.dll] [D-Link, 3, 3, 1, 50324]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2404][C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe] [Alpha Networks Inc., 1, 0, 6, 41216]
[C:\WINDOWS\system32\ANIWZCS2.DLL] [Alpha Networks Inc., 2, 4, 10, 50318]
[C:\WINDOWS\system32\AQCKGen.dll] [Alpha Networks Inc., 1, 0, 0, 30603]
[C:\WINDOWS\system32\ANIOApi.dll] [Alpha Networks Inc., 2, 0, 0, 40127]
[C:\WINDOWS\system32\WlanApp.dll] [Alpha Networks Inc., 1, 0, 10, 50316]
[C:\WINDOWS\system32\wlanapi.dll] [Alpha Networks Inc., 1, 3, 19, 50222]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2768][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [Anti-Malware Development a.s., 7, 5, 0, 50]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [Anti-Malware Development a.s., 4, 2, 0, 15]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 3576][C:\Program Files\MSN Messenger\MsnMsgr.Exe] [Microsoft Corporation, 7.5.0324]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\WINDOWS\system32\devenum.dll] [N/A, N/A]
[C:\WINDOWS\system32\msdmo.dll] [N/A, N/A]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[PID: 3940][C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] [Yahoo! Inc., 7,5,0,814]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\pcre.dll] [Pcre, 3.9]
[C:\Program Files\Yahoo!\Messenger\YML.dll] [N/A, 3, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\YImage.dll] [Yahoo! Inc., 1, 0, 0, 1]
[C:\Program Files\Yahoo!\Messenger\xmlparse.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\xmltok.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\yvoiceui.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\yaudiomgr.dll] [N/A, 1, 0, 200, 1]
[C:\Program Files\Yahoo!\Messenger\GIPSVoiceEngineDLL.dll] [Global IP Sound, 2, 0, 4, 0]
[C:\Program Files\Yahoo!\Messenger\ft60.dll] [Yahoo! Inc., 1.0.0.4]
[C:\Program Files\Yahoo!\Messenger\res_msgr.dll] [Yahoo! Inc., 6, 0, 0, 1610]
[C:\Program Files\Yahoo!\Shared\YbSkin2.dll] [Yahoo! Inc., 2005, 11, 11, 1]
[C:\Program Files\Yahoo!\Messenger\MyYahoo.dll] [Yahoo! Inc., 6, 0, 0, 601]
[C:\Program Files\Yahoo!\Messenger\D32-FW.DLL] [Distinct Corporation, 3.4.6]
[C:\WINDOWS\system32\icm32.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\stock.dll] [N/A, 2, 0, 0, 1]
[C:\Program Files\Yahoo!\Messenger\yvoicesm.dll] [N/A, 1, 0, 201, 1]
[C:\Program Files\Yahoo!\Messenger\rvsip.dll] [RADVISION, 3.1.1.30]
[C:\Program Files\Yahoo!\Messenger\rvcommon.dll] [RADVISION, 1.0.18]
[C:\Program Files\Yahoo!\Messenger\rvads.dll] [RADVISION, 3.1.1.30]
[C:\Program Files\Yahoo!\Messenger\rvsdp.dll] [RADVISION, ]
[C:\Program Files\Yahoo!\Messenger\nspr4.dll] [Netscape Communications Corporation, 4.6.1]
[C:\Program Files\Yahoo!\Messenger\yv_res.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Shared\YAlertCenter.dll] [Yahoo! Inc., 2005, 11, 14, 1]
[C:\Program Files\Yahoo!\Messenger\ypagerps.dll] [N/A, 1, 0, 0, 1]
[PID: 2356][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 3816][c:\progra~1\mcafee.com\vso\mcvsftsn.exe] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\submgr\6,0,0,13\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 13]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[PID: 2708][C:\Program Files\Messenger\msmsgs.exe] [Microsoft Corporation, 4.7.3000]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2916][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll] [Yahoo! Inc., 2006, 4, 17, 1]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\PROGRA~1\SPYBOT~1\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
[C:\Program Files\Yahoo!\Common\yiesrvc.dll] [Yahoo! Inc., 2006, 1, 5, 1]
[C:\Program Files\Yahoo!\Common\YIeTagBm.dll] [Yahoo! Inc., 2005, 8, 17, 1]
[C:\Program Files\Yahoo!\Messenger\ypagerps.dll] [N/A, 1, 0, 0, 1]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\pubmod.dll] [Yahoo! Inc., 2005, 12, 16, 1]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\ypubc.dll] [Yahoo! Inc., 2006.1.25.01]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YMERemote.dll] [Yahoo! Inc., 2006, 3, 21, 1]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[PID: 3356][C:\Program Files\Internet Explorer\iexplore.exe] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll] [Yahoo! Inc., 2006, 4, 17, 1]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\PROGRA~1\SPYBOT~1\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
[C:\Program Files\Yahoo!\Common\yiesrvc.dll] [Yahoo! Inc., 2006, 1, 5, 1]
[C:\Program Files\Yahoo!\Common\YIeTagBm.dll] [Yahoo! Inc., 2005, 8, 17, 1]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\pubmod.dll] [Yahoo! Inc., 2005, 12, 16, 1]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\ypubc.dll] [Yahoo! Inc., 2006.1.25.01]
[C:\Program Files\Yahoo!\Companion\Installs\cpn\YMERemote.dll] [Yahoo! Inc., 2006, 3, 21, 1]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[C:\WINDOWS\system32\msdmo.dll] [N/A, N/A]
[C:\WINDOWS\system32\quartz.dll] [N/A, N/A]
[C:\WINDOWS\system32\devenum.dll] [N/A, N/A]
[PID: 1016][C:\Documents and Settings\user\Desktop\sreng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
-
Thanks for the log
Copy ALL the text below (between the two rows of = signs) to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard.
=============================================================
Drivers to unload:
lslldr14
dxdkqoqw
files to delete:
C:\WINDOWS\system32\lslldr14.dll
C:\WINDOWS\system32\drivers\lslldr14.sys
C:\WINDOWS\system32\drivers\dxdkqoqw.sys
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop
* Under "Script file to execute" choose "Input Script Manually".
* Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
* Paste the text copied to clipboard into this window by pressing (Ctrl+V).
* Click Done
* Now click on the Green Light to begin execution of the script
* Answer "Yes" twice when prompted.
Avenger should now reboot your computer.
In your case, where "Drivers to unload" are in the script,
your computer will actually reboot twice.
Back in Windows,
can you post back the following please?
You may need more than one reply to post them all.
1. Post a fresh HijackThis log
2. Post the log from Avenger >> C:\Avenger.txt
+Also,
Can you edit find.txt on your desktop to look like the following, in the code box below:
RegSearch Options File
[Search]
lslldr14
dxdkqoqw
[Options]
Filter=KVDLUI
Double click on regsearch.exe
* Click "Import" in the lower left corner and browse to the find.txt file that you just saved on your desktop.
* Double click on find.txt
* Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
* Please reply here with the entire contents of the Notepad file from RegSearch.
Keep me informed of how things are running, please.
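As an added example (not the forum's or The Avenger's own code), here is a small Python checker that reconciles an Avenger script of the shape above with the run log it produces, so a deletion that failed with Status 0xc0000034 (the file was already gone from an earlier run) is told apart from an item the log never mentions. The log line shapes are copied from the Avenger logs posted in this thread; the NTSTATUS name table and the sample inputs (a constructed copy of the script and a shortened second log, with the lslldr14.sys block left out so that the "unreported" case is exercised) are this example's own assumptions.

```python
"""Reconcile an Avenger script with the log of the run that executed it
(added example, not from the thread or The Avenger; formats assumed below)."""
import re
from dataclasses import dataclass
from typing import Optional

# NTSTATUS values Avenger echoes after "Status:"; unknown codes stay raw hex.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
}
# Script section headers, matched case-insensitively (the thread mixes cases).
SECTIONS = {"drivers to unload:": "driver", "files to delete:": "file"}
DRIVER_OK = re.compile(r"^Driver (\S+) unloaded successfully\.$")
FILE_OK = re.compile(r"^File (.+) deleted successfully\.$")
FILE_FAIL = re.compile(r"^Deletion of file (.+) failed!$")
STATUS = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


@dataclass
class Outcome:
    kind: str                      # "driver" or "file"
    target: str
    ok: bool
    status: Optional[str] = None   # decoded NTSTATUS (or raw hex) on failure


def parse_script(text):
    """Return {"driver": [...], "file": [...]} from an Avenger script."""
    wanted, current = {"driver": [], "file": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.lower() in SECTIONS:
            current = SECTIONS[line.lower()]
        elif current is not None:
            wanted[current].append(line)
    return wanted


def parse_log(text):
    """A failed deletion is followed by 'Could not process line:', the path,
    then 'Status: 0x...', which is attached to the pending failure."""
    outcomes, pending = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := DRIVER_OK.match(line):
            outcomes.append(Outcome("driver", m.group(1), True))
        elif m := FILE_OK.match(line):
            outcomes.append(Outcome("file", m.group(1), True))
        elif m := FILE_FAIL.match(line):
            pending = Outcome("file", m.group(1), False)
            outcomes.append(pending)
        elif (m := STATUS.match(line)) and pending is not None:
            pending.status = NTSTATUS_NAMES.get(int(m.group(1), 16), m.group(1))
            pending = None
    return outcomes


def _norm(path):
    # Collapse the doubled backslashes Avenger sometimes echoes; ignore case (NTFS).
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path.lower()


def reconcile(script, outcomes):
    """Classify each requested item as done, failed (with status) or unreported."""
    seen = {(o.kind, _norm(o.target)): o for o in outcomes}
    report = {"done": [], "failed": [], "unreported": []}
    for kind in ("driver", "file"):
        for item in script[kind]:
            o = seen.get((kind, _norm(item)))
            if o is None:
                report["unreported"].append(item)  # Avenger never mentioned it
            elif o.ok:
                report["done"].append(item)
            else:
                report["failed"].append((item, o.status))
    return report


# Constructed sample: the script posted above and a shortened second Avenger log.
SAMPLE_SCRIPT = r"""Drivers to unload:
lslldr14
dxdkqoqw
files to delete:
C:\WINDOWS\system32\lslldr14.dll
C:\WINDOWS\system32\drivers\lslldr14.sys
C:\WINDOWS\system32\drivers\dxdkqoqw.sys
"""
SAMPLE_LOG = r"""Driver lslldr14 unloaded successfully.
Driver dxdkqoqw unloaded successfully.
Deletion of file C:\WINDOWS\system32\lslldr14.dll failed!
Could not process line:
C:\WINDOWS\system32\lslldr14.dll
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\dxdkqoqw.sys deleted successfully.
"""
```

Running `reconcile(parse_script(SAMPLE_SCRIPT), parse_log(SAMPLE_LOG))` reports the two drivers and dxdkqoqw.sys as done, lslldr14.dll as failed with STATUS_OBJECT_NAME_NOT_FOUND, and lslldr14.sys as unreported.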
-
I tried to change the startup page to blank after completing the steps, but it still gets switched back... Here are the logs
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\^wjpojyo
*******************
Script file located at: \??\C:\Program Files\bohonxae.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver lslldr14 unloaded successfully.
Driver dxdkqoqw unloaded successfully.
File C:\WINDOWS\system32\lslldr14.dll not found!
Deletion of file C:\WINDOWS\system32\lslldr14.dll failed!
Could not process line:
C:\WINDOWS\system32\lslldr14.dll
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\lslldr14.sys not found!
Deletion of file C:\WINDOWS\system32\drivers\lslldr14.sys failed!
Could not process line:
C:\WINDOWS\system32\drivers\lslldr14.sys
Status: 0xc0000034
File C:\WINDOWS\system32\drivers\dxdkqoqw.sys deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Here's the HJT log
Logfile of HijackThis v1.99.1
Scan saved at 12:08:00 PM, on 11/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab (full URL: http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
-
REGEDIT4
; Registry Search 2.0 by Bobbi Flekman ©2005
; Version: 2.0.1.0
; Results at 11/22/2006 12:08:15 PM for strings:
; 'lslldr14'
; 'dxdkqoqw'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW000]
"Service"="dxdkqoqw"
"DeviceDesc"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DXDKQOQW000\Control]
"ActiveService"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dxdkqoqw]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dxdkqoqw]
; Contents of value:
; system32\drivers\dxdkqoqw.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,64,78,64,\
6b,71,6f,71,77,2e,73,79,73,00
"DisplayName"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DXDKQOQW]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DXDKQOQW000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DXDKQOQW000]
"Service"="dxdkqoqw"
"DeviceDesc"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_DXDKQOQW000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dxdkqoqw]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dxdkqoqw]
; Contents of value:
; system32\drivers\dxdkqoqw.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,64,78,64,\
6b,71,6f,71,77,2e,73,79,73,00
"DisplayName"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000]
"Service"="dxdkqoqw"
"DeviceDesc"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000\Control]
"ActiveService"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000\LogConf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dxdkqoqw]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dxdkqoqw]
; Contents of value:
; system32\drivers\dxdkqoqw.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,64,78,64,\
6b,71,6f,71,77,2e,73,79,73,00
"DisplayName"="dxdkqoqw"
[HKEY_USERS\S-1-5-21-1202660629-602609370-682003330-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="dxdkqoqw"
; End Of The Log...
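Added example (not from the thread, and not part of RegSearch): a small Python parser for a REGEDIT4 export such as the report above. It decodes the hex(2) ImagePath bytes (REG_EXPAND_SZ, single-byte ANSI in a version-4 export) back to the driver path and pairs each Services\<name> key with the Enum\Root\LEGACY_* records that name it, which is how an analyst confirms a driver service's footprint and spots the leftover LEGACY_ records of a driver that is already gone (here lslldr14, whose files Avenger reported as not found). The embedded .reg text is a constructed excerpt modelled on the posted report.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the RegSearch report in the thread.
SAMPLE_REG = r'''REGEDIT4
; Registry Search 2.0 by Bobbi Flekman
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DXDKQOQW000]
"Service"="dxdkqoqw"
"DeviceDesc"="dxdkqoqw"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
"Service"="lslldr14"
"DeviceDesc"="lslldr14"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dxdkqoqw]
; Contents of value:
; system32\drivers\dxdkqoqw.sys
"ImagePath"=hex(2):53,79,73,74,65,6d,33,32,5c,44,52,49,56,45,52,53,5c,64,78,64,\
  6b,71,6f,71,77,2e,73,79,73,00
"DisplayName"="dxdkqoqw"
'''


def decode_reg_data(data: str) -> str:
    """Decode the right-hand side of a .reg value line.

    Handles quoted REG_SZ, hex(N) byte lists (hex(2) is REG_EXPAND_SZ) and
    dword:. A REGEDIT4 export stores strings as single-byte ANSI, NUL-terminated.
    """
    if data.startswith('"') and data.endswith('"'):
        # .reg escapes backslash and double quote with a backslash
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r"hex\((\d+)\):(.*)$", data, re.IGNORECASE)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return raw.split(b"\x00", 1)[0].decode("latin-1")
    if data.lower().startswith("dword:"):
        return str(int(data[6:], 16))
    return data


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: decoded_data}} for a REGEDIT4 export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    # A trailing backslash continues the value on the next line: join first.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.upper().startswith("REGEDIT"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        keys[current][name.strip().strip('"')] = decode_reg_data(data.strip())
    return keys


def _service_keys(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map lower-cased service name -> full key path for every ...\\Services\\<name> key."""
    out = {}
    for path in keys:
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "services":
            out[parts[-1].lower()] = path
    return out


def driver_services(keys: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, List[str]]]:
    """For each service with an ImagePath: (decoded image path, LEGACY_* enum keys naming it)."""
    result = {}
    for svc, path in _service_keys(keys).items():
        values = keys[path]
        if "ImagePath" not in values:
            continue
        legacy = sorted(
            p for p, v in keys.items()
            if "\\ENUM\\ROOT\\LEGACY_" in p.upper() and v.get("Service", "").lower() == svc
        )
        result[svc] = (values["ImagePath"], legacy)
    return result


def orphaned_legacy_services(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Service names referenced by LEGACY_* enum records but lacking a Services key:
    the device-enumeration remnant of a driver that was already removed."""
    live = set(_service_keys(keys))
    referenced = {v["Service"].lower() for p, v in keys.items()
                  if "\\ENUM\\ROOT\\LEGACY_" in p.upper() and "Service" in v}
    return sorted(referenced - live)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for svc, (image, legacy) in driver_services(parsed).items():
        print(f"service {svc}: ImagePath={image}  LEGACY_ records={len(legacy)}")
    print("LEGACY_ records with no live service:", orphaned_legacy_services(parsed))
```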
-
I tried to change the startup page to blank after completing the steps, but it still gets switched back
Switched back to My123.com???
Can you do the following
Download m1v25.rar from the link
http://dl.360safe.com/m1v25.rar
Extract the contents to your desktop
Double click on m1v25.exe
Click the CLEAN button, the first button on the bottom left of the box
Follow the prompts, reboot your computer afterwards
This tool may post a log, can you post it please
-
I downloaded that program... but it says My123 can't be detected on this PC...
Weird.
edit: oh yeah...because of that...the clean button was disabled
-
Can you reboot the computer again
When you first enter Windows
Can you do the following immediately
double click SREng.exe to run it
Select: Smart Scan and click on the [Scan] button.
Also tick "Verify the Digital Signature"
The progress bar may stop at times, be patient, it is still scanning.
When finished, click on the Save Reports button and save the log to Desktop
Please post the SREng log in your reply.
-
2006-11-24,11:00:22
System Repair Engineer 2.2.6.605
Smallfrogs (http://www.KZTechs.com)
Windows XP Professional Service Pack 2 (Build 2600)
- Administrative User - Completed Functions Allowed
Follow item(s) have been choosed:
All Boot Items (Including Registry, Startup Folders, Services and so on)
Browser Add-ons
Runing Processes (Including process model information)
File Associations
Winsock Provider
Autorun.Inf
HOSTS File
Boot Items
Registry
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
<MsnMsgr><"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background> [Microsoft Corporation]
<Yahoo! Pager><"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet> [Yahoo! Inc.]
<ctfmon.exe><C:\WINDOWS\system32\ctfmon.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
<IMJPMIG8.1><"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32> [(Verified)Microsoft Corporation]
<PHIME2002ASync><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC> [(Verified)Microsoft Corporation]
<PHIME2002A><C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName> [(Verified)Microsoft Corporation]
<VTTrayp><VTtrayp.exe> [(Verified)S3 Graphics Co., Ltd.]
<VTTimer><VTTimer.exe> [(Verified)S3 Graphics, Inc.]
<AudioDeck><C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 > [N/A]
<VSOCheckTask><"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask> [McAfee, Inc.]
<VirusScan Online><C:\Program Files\McAfee.com\VSO\mcvsshld.exe> [McAfee, Inc.]
<OASClnt><C:\Program Files\McAfee.com\VSO\oasclnt.exe> [McAfee, Inc.]
<MCAgentExe><c:\PROGRA~1\mcafee.com\agent\mcagent.exe> [McAfee, Inc]
<MCUpdateExe><C:\PROGRA~1\mcafee.com\agent\mcupdate.exe> [McAfee, Inc]
<D-Link AirPlus G><C:\Program Files\D-Link\AirPlus G\AirGCFG.exe> [D-Link]
<ANIWZCS2Service><C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe> [Alpha Networks Inc.]
<!AVG Anti-Spyware><"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized> [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<shell><Explorer.exe> [(Verified)Microsoft Corporation]
<Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
<AppInit_DLLs><> [N/A]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
<UIHost><logonui.exe> [(Verified)Microsoft Corporation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
<{57B86673-276A-48B2-BAE7-C6DBB3020EB8}><C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll> [Anti-Malware Development a.s.]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
<WinlogonNotify: Antiwpa><antiwpa.dll> [N/A]
==================================
Startup Folders
N/A
==================================
Services
[Adobe LM Service / Adobe LM Service]
<"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"><Adobe Systems>
[ANIWZCSd Service / ANIWZCSdService]
<C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe><Alpha Networks Inc.>
[AVG Anti-Spyware Guard / AVG Anti-Spyware Guard]
<C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe><Anti-Malware Development a.s.>
[Human Interface Device Access / HidServ]
<C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
[McAfee WSC Integration / McDetect.exe]
<c:\program files\mcafee.com\agent\mcdetect.exe><McAfee, Inc>
[McAfee.com McShield / McShield]
<c:\PROGRA~1\mcafee.com\vso\mcshield.exe><McAfee Inc.>
[McAfee Task Scheduler / McTskshd.exe]
<c:\PROGRA~1\mcafee.com\agent\mctskshd.exe><McAfee, Inc>
[McAfee SecurityCenter Update Manager / mcupdmgr.exe]
<C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe><McAfee, Inc>
==================================
Drivers
[D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB) / A3AB]
<system32\DRIVERS\A3AB.sys><D-Link Corporation>
[AMD Processor Driver / AmdK8]
<system32\DRIVERS\AmdK8.sys><Advanced Micro Devices>
[ANIO Service / ANIO]
<\??\C:\WINDOWS\system32\ANIO.SYS><Alpha Networks Inc.>
[AVG Anti-Spyware Driver / AVG Anti-Spyware Driver]
<\??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys><N/A>
[AVG Anti-Spyware Clean Driver / AvgAsCln]
<System32\DRIVERS\AvgAsCln.sys><GRISOFT, s.r.o.>
[John's Windows 2000 Driver / csctl50]
<System32\drivers\csctl50.sys><N/A>
[dxdkqoq / dxdkqoqw]
<\SystemRoot\System32\DRIVERS\dxdkqoqw.sys><N/A>
[VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver / FETNDIS]
<system32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
[VIA Rhine Family Fast Ethernet Adapter Driver Service / FETNDISB]
<system32\DRIVERS\fetnd5b.sys><VIA Technologies, Inc.>
[GMSIPCI / GMSIPCI]
<\??\D:\INSTALL\GMSIPCI.SYS><N/A>
[MSICPL / MSICPL]
<\??\D:\install4\MSICPL.sys><N/A>
[NaiAvFilter1 / NaiAvFilter1]
<system32\drivers\naiavf5x.sys><McAfee Inc.>
[NTACCESS / NTACCESS]
<\??\D:\NTACCESS.sys><N/A>
[Direct Parallel Link Driver / Ptilink]
<system32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
[Secdrv / Secdrv]
<system32\DRIVERS\secdrv.sys><N/A>
[SetupNTGLM7X / SetupNTGLM7X]
<\??\D:\NTGLM7X.sys><N/A>
[viagfx / viagfx]
<system32\DRIVERS\vtmini.sys><Copyright © VIA/S3 Graphics Co, Ltd.>
==================================
Browser Add-ons
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[]
{53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[&Research]
{92780B25-18CC-41C8-B9BE-3C9C571A8263} <C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL, Microsoft Corporation>
[Run IMVU]
{d9288080-1baa-4bc4-9cf8-a92d743db949} <C:\Documents and Settings\user\Start Menu\Programs\IMVU\Run IMVU.lnk, N/A>
[Messenger]
{FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\msmsgs.exe, Microsoft Corporation>
[Yahoo! Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[McAfee VirusScan]
{BA52B914-B692-46c4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Yahoo! Toolbar Helper]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[AcroIEHlprObj Class]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} <C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll, Adobe Systems Incorporated>
[Windows Media Player]
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} <C:\WINDOWS\system32\wmpdxm.dll, Microsoft Corporation>
[HTML Document]
{25336920-03F9-11CF-8FD0-00AA00686F13} <%SystemRoot%\system32\mshtml.dll, N/A>
[DHTML Edit Control Safe for Scripting for IE5]
{2D360201-FFF5-11D1-8D03-00A0C959BC0A} <C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx, Microsoft Corporation>
[HtmlDlgSafeHelper Class]
{3050F819-98B5-11CF-BB82-00AA00BDCE0B} <C:\WINDOWS\system32\mshtmled.dll, Microsoft Corporation>
[McAfee.com Download+Installer Class]
{36C417C6-13C6-448B-9784-DD73A93B0582} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[IETag Factory]
{38481807-CA0E-42D2-BF39-B33AF135CC4D} <C:\PROGRA~1\COMMON~1\MICROS~1\SMARTT~1\IETAG.DLL, Microsoft Corporation>
[XML Document]
{48123BC4-99D9-11D1-A6B3-00C04FD91555} <%SystemRoot%\system32\msxml3.dll, N/A>
[McAfee.com Registry Class]
{4C29D864-C55A-46DD-865C-17A1B7CC1A1A} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[McAfee.com Operating System Class]
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Microsoft Licensed Class Manager 1.0]
{5220CB21-C88D-11CF-B347-00AA00A28331} <C:\WINDOWS\system32\licmgr10.dll, Microsoft Corporation>
[]
{53707962-6F74-2D53-2644-206D7942484F} <C:\PROGRA~1\SPYBOT~1\SDHelper.dll, Safer Networking Limited>
[Shell Name Space]
{55136805-B2DE-11D1-B9F2-00A0C98BC547} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee.com File System Class]
{5940894F-4BA9-4FAC-ACFD-2F56F7CE0E3B} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Yahoo! IE Services Button]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} <C:\Program Files\Yahoo!\Common\yiesrvc.dll, Yahoo! Inc.>
[Windows Media Player]
{6BF52A52-394A-11D3-B153-00C04F79FAA6} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Microsoft Web Browser]
{8856F961-340A-11D0-A96B-00C04FD705A2} <C:\WINDOWS\system32\shdocvw.dll, Microsoft Corporation>
[YMailAttach Class]
{AA218328-0EA8-4D70-8972-E987A9190FF4} <C:\PROGRA~1\Yahoo!\Common\ymmapi.dll, Yahoo! Inc.>
[Microsoft Scriptlet Component]
{AE24FDAE-03C6-11D1-8B76-0080C744F389} <C:\WINDOWS\system32\mshtml.dll, Microsoft Corporation>
[SearchAssistantOC]
{B45FF030-4447-11D2-85DE-00C04FA35C89} <%SystemRoot%\system32\shdocvw.dll, N/A>
[McAfee VirusScan]
{BA52B914-B692-46C4-B683-905236F6F655} <c:\progra~1\mcafee.com\vso\mcvsshl.dll, McAfee, Inc.>
[DwnldGroupMgr Class]
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} <C:\WINDOWS\system32\mcgdmgr.dll, McAfee, Inc>
[RDS.DataSpace]
{BD96C556-65A3-11D0-983A-00C04FC29E36} <C:\Program Files\Common Files\System\msadc\msadco.dll, Microsoft Corporation>
[McAfee.com Shell Helper Class]
{CA145D71-4BCB-461D-BCBE-C01C42867380} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[Adobe Acrobat Control for ActiveX]
{CA8A9780-280D-11CF-A24D-444553540000} <C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\ActiveX\pdf.ocx, Adobe Systems Incorporated>
[AUDIO__MID Moniker Class]
{CD3AFA74-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[AUDIO__WAV Moniker Class]
{CD3AFA7B-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__AVI Moniker Class]
{CD3AFA88-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__MPEG Moniker Class]
{CD3AFA89-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[VIDEO__X_MS_WMV Moniker Class]
{CD3AFA94-B84F-48F0-9393-7EDC34128127} <C:\WINDOWS\system32\wmp.dll, Microsoft Corporation>
[Shockwave Flash Object]
{D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx, Macromedia, Inc.>
[McAfee.com Application Helper Class]
{D2D8D3C0-C750-4703-A6AD-75D6B578FFE6} <C:\WINDOWS\system32\mcinsctl.dll, McAfee, Inc>
[GetInfo Class]
{D5184A39-CBDF-4A4F-AC1A-7A45A852C883} <C:\Program Files\Yahoo!\Common\YVerInfo.dll, Yahoo! Inc.>
[MessengerChecker Class]
{DA4F543C-C8A9-4E88-9A79-548CBB46F18F} <C:\Program Files\Yahoo!\Messenger\YPagerChecker.dll, TODO: <Company name>>
[Messenger Class]
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} <, N/A>
[Yahoo! Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} <C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll, Yahoo! Inc.>
[]
{F06608C7-1874-4EEA-B3B2-DF99EBB144B8} <"C:\PROGRA~1\MSNMES~1\msgsc.dll", N/A>
[XML DOM Document 3.0]
{F5078F32-C551-11D3-89B9-0000F81FE221} <%SystemRoot%\system32\msxml3.dll, N/A>
[&Yahoo! Search]
<file:///C:\Program Files\Yahoo!\Common/ycsrch.htm, N/A>
[E&xport to Microsoft Excel]
<res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000, N/A>
[Yahoo! &Dictionary]
<file:///C:\Program Files\Yahoo!\Common/ycdict.htm, N/A>
[Yahoo! &Maps]
<file:///C:\Program Files\Yahoo!\Common/ycmap.htm, N/A>
[Yahoo! &SMS]
<file:///C:\Program Files\Yahoo!\Common/ycsms.htm, N/A>
==================================
Running Processes
[PID: 600][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 672][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 696][\??\C:\WINDOWS\system32\winlogon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\antiwpa.dll] [N/A, 3.4.2]
[PID: 740][C:\WINDOWS\system32\services.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 752][C:\WINDOWS\system32\lsass.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 900][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 980][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1016][C:\WINDOWS\System32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1060][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1132][C:\WINDOWS\system32\svchost.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1396][C:\WINDOWS\system32\spoolsv.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1656][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll] [Adobe Systems Incorporated, 6.0.1.2003110300]
[C:\PROGRA~1\SPYBOT~1\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll] [Anti-Malware Development a.s., 7, 5, 0, 47]
[PID: 1840][C:\WINDOWS\system32\VTtrayp.exe] [S3 Graphics Co., Ltd., 2.00.24-0621]
[C:\WINDOWS\system32\VTDisply.dll] [S3 Graphics Co., Ltd., 2.00.40-0923B]
[C:\WINDOWS\system32\VTGamma2.dll] [S3 Graphics Co., Ltd., 2.00.14-0706]
[C:\WINDOWS\system32\VTInfo2.dll] [S3 Graphics Co., Ltd., 2.00.16-0729B]
[C:\WINDOWS\system32\VTOvrlay.dll] [S3 Graphics Co., Ltd., 2.00.14-0706]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1852][C:\WINDOWS\system32\VTTimer.exe] [S3 Graphics, Inc., 1.04.05-0929]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1860][C:\Program Files\VIAudioi\SBADeck\ADeck.exe] [VIA Technologies, Inc., 6, 1, 5, 0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1912][C:\Program Files\McAfee.com\VSO\mcvsshld.exe] [McAfee, Inc., 10, 0, 0, 22]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\McAfee.com\VSO\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\submgr\6,0,0,13\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 13]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[PID: 1920][C:\Program Files\McAfee.com\VSO\oasclnt.exe] [McAfee, Inc., 10, 0, 0, 24]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\mcvsps.dll] [McAfee, Inc, 10, 0, 0, 17]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1948][c:\program files\mcafee.com\agent\mcagent.exe] [McAfee, Inc, 6, 0, 0, 16]
[c:\program files\mcafee.com\agent\SCRes.dll] [McAfee, Inc, 6, 0, 0, 7]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1944][c:\progra~1\mcafee.com\vso\mcvsescn.exe] [McAfee, Inc., 10, 0, 0, 20]
[c:\progra~1\mcafee.com\vso\ashldres.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\EmScnRes.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\PROGRA~1\mcafee.com\vso\vsoupd.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\McVsWorm.dll] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\progra~1\mcafee.com\vso\WormRes.dll] [McAfee, Inc., 10, 0, 0, 19]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[PID: 1960][C:\Program Files\D-Link\AirPlus G\AirGCFG.exe] [D-Link, 3, 3, 1, 50329]
[C:\WINDOWS\system32\wlanapi.dll] [Alpha Networks Inc., 1, 3, 19, 50222]
[C:\WINDOWS\system32\ANIOApi.dll] [Alpha Networks Inc., 2, 0, 0, 40127]
[C:\WINDOWS\system32\AQCKGen.dll] [Alpha Networks Inc., 1, 0, 0, 30603]
[C:\WINDOWS\system32\WlanApp.dll] [Alpha Networks Inc., 1, 0, 10, 50316]
[C:\Program Files\D-Link\AirPlus G\WlanMon.dll] [D-Link, 3, 3, 1, 50324]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1972][C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe] [Alpha Networks Inc., 1, 0, 6, 41216]
[C:\WINDOWS\system32\ANIWZCS2.DLL] [Alpha Networks Inc., 2, 4, 10, 50318]
[C:\WINDOWS\system32\AQCKGen.dll] [Alpha Networks Inc., 1, 0, 0, 30603]
[C:\WINDOWS\system32\ANIOApi.dll] [Alpha Networks Inc., 2, 0, 0, 40127]
[C:\WINDOWS\system32\WlanApp.dll] [Alpha Networks Inc., 1, 0, 10, 50316]
[C:\WINDOWS\system32\wlanapi.dll] [Alpha Networks Inc., 1, 3, 19, 50222]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1980][C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe] [Anti-Malware Development a.s., 7, 5, 0, 50]
[C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\engine.dll] [Anti-Malware Development a.s., 4, 2, 0, 15]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 1988][C:\Program Files\MSN Messenger\MsnMsgr.Exe] [Microsoft Corporation, 7.5.0324]
[C:\Program Files\MSN Messenger\msidcrl.dll] [Microsoft Corp., 3.200.60.1]
[C:\Program Files\MSN Messenger\MSGSLANG.DLL] [Microsoft Corporation, 7.5.0324]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\WINDOWS\system32\devenum.dll] [N/A, N/A]
[C:\WINDOWS\system32\msdmo.dll] [N/A, N/A]
[PID: 1996][C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe] [Yahoo! Inc., 7,5,0,814]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
[C:\Program Files\Yahoo!\Messenger\pcre.dll] [Pcre, 3.9]
[C:\Program Files\Yahoo!\Messenger\YML.dll] [N/A, 3, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\YImage.dll] [Yahoo! Inc., 1, 0, 0, 1]
[C:\Program Files\Yahoo!\Messenger\xmlparse.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\xmltok.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\yvoiceui.dll] [N/A, N/A]
[C:\Program Files\Yahoo!\Messenger\yaudiomgr.dll] [N/A, 1, 0, 200, 1]
[C:\Program Files\Yahoo!\Messenger\GIPSVoiceEngineDLL.dll] [Global IP Sound, 2, 0, 4, 0]
[C:\Program Files\Yahoo!\Messenger\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
[C:\Program Files\Yahoo!\Messenger\ft60.dll] [Yahoo! Inc., 1.0.0.4]
[C:\Program Files\Yahoo!\Messenger\res_msgr.dll] [Yahoo! Inc., 6, 0, 0, 1610]
[C:\Program Files\Yahoo!\Shared\YbSkin2.dll] [Yahoo! Inc., 2005, 11, 11, 1]
[C:\Program Files\Yahoo!\Messenger\MyYahoo.dll] [Yahoo! Inc., 6, 0, 0, 601]
[C:\Program Files\Yahoo!\Messenger\D32-FW.DLL] [Distinct Corporation, 3.4.6]
[C:\WINDOWS\system32\icm32.dll] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[C:\WINDOWS\system32\Macromed\Flash\Flash8b.ocx] [Macromedia, Inc., 8,0,24,0]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\stock.dll] [N/A, 2, 0, 0, 1]
[C:\Program Files\Yahoo!\Messenger\yvoicesm.dll] [N/A, 1, 0, 201, 1]
[C:\Program Files\Yahoo!\Messenger\rvsip.dll] [RADVISION, 3.1.1.30]
[C:\Program Files\Yahoo!\Messenger\rvcommon.dll] [RADVISION, 1.0.18]
[C:\Program Files\Yahoo!\Messenger\rvads.dll] [RADVISION, 3.1.1.30]
[C:\Program Files\Yahoo!\Messenger\rvsdp.dll] [RADVISION, ]
[C:\Program Files\Yahoo!\Messenger\nspr4.dll] [Netscape Communications Corporation, 4.6.1]
[C:\Program Files\Yahoo!\Messenger\yv_res.dll] [N/A, N/A]
[PID: 2004][C:\WINDOWS\system32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 408][c:\program files\mcafee.com\agent\mcdetect.exe] [McAfee, Inc, 6, 0, 0, 19]
[PID: 480][c:\PROGRA~1\mcafee.com\vso\mcshield.exe] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\RES00\McShield.DLL] [McAfee Inc., 11.0.0.141]
[c:\PROGRA~1\mcafee.com\vso\FTL.Dll] [McAfee Inc., 11.0.0.151]
[c:\PROGRA~1\mcafee.com\vso\naiann.dll] [McAfee, Inc., 10, 0, 0, 21]
[c:\PROGRA~1\mcafee.com\vso\mytilus.dll] [McAfee Inc., 11.0.0.151]
[C:\Program Files\McAfee.com\VSO\MCSCAN32.DLL] [McAfee, Inc., 4.4.00]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[c:\progra~1\mcafee.com\vso\naiannps.dll] [McAfee, Inc, 10, 0, 0, 0]
[PID: 640][c:\PROGRA~1\mcafee.com\agent\mctskshd.exe] [McAfee, Inc, 6, 0, 0, 13]
[PID: 944][c:\progra~1\mcafee.com\vso\mcvsftsn.exe] [McAfee, Inc., 10, 0, 0, 19]
[C:\Program Files\McAfee.com\VSO\VsCfgW32.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\submgr\6,0,0,13\mcsubmgr.dll] [McAfee, Inc, 6, 0, 0, 13]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[c:\program files\mcafee.com\agent\mcagntps.dll] [McAfee, Inc, 5, 0, 0, 0]
[PID: 1304][C:\Program Files\Messenger\msmsgs.exe] [Microsoft Corporation, 4.7.3000]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2212][C:\WINDOWS\system32\wscntfy.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[PID: 2880][C:\WINDOWS\system32\wuauclt.exe] [Microsoft Corporation, 5.8.0.2469 built by: lab01_n(wmbla)]
[PID: 2620][C:\WINDOWS\System32\alg.exe] [Microsoft Corporation, 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)]
[PID: 1084][C:\Documents and Settings\user\Desktop\sreng2\SREng\SREng.exe] [Smallfrogs Studio, 2.2.6.605]
[c:\progra~1\mcafee.com\vso\McVSSkt.dll] [McAfee, Inc., 10, 0, 0, 26]
[C:\Program Files\Yahoo!\Messenger\idle.dll] [Yahoo! Inc., 1, 0, 0, 2]
[C:\Program Files\Yahoo!\Messenger\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
==================================
File Associations
.TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
.EXE OK. ["%1" %*]
.COM OK. ["%1" %*]
.PIF OK. ["%1" %*]
.REG OK. [regedit.exe "%1"]
.BAT OK. ["%1" %*]
.SCR OK. ["%1" /S]
.CHM OK. ["C:\WINDOWS\hh.exe" %1]
.HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
.INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
.VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
.LNK OK. [{00021401-0000-0000-C000-000000000046}]
==================================
Winsock Provider
N/A
==================================
Autorun.Inf
N/A
==================================
HOSTS File
127.0.0.1 localhost
==================================
-
Hi again, can you do the following for me? Let's see what else we can find, please.
Download this version of Combofix.exe (http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe) and save it to your desktop (Important).
Also, open up Notepad (START>>RUN>>type in notepad) and hit OK.
Copy the command below into the empty Notepad file and save that to your desktop as well:
"%userprofile%\desktop\combofix.exe" /wow
Boot into safe mode.
Go to Start --> Run and copy/paste in the following:
"%userprofile%\desktop\combofix.exe" /wow
When finished, it will produce a log for you. Save it and post that log in your next reply.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
-
Hey, I tried doing what you said a few times, but every time the same thing happens.... In safe mode, every time, ComboFix wouldn't finish producing the log. The starting part of it works as usual, and then it says "scanning for infected files / This may take a while" or something... and then the window closes on its own.... Usually this is when the log is produced, but it just stalls there. All the Windows icons wouldn't load back out, but the system is still running, i.e. you can still click Start and run other stuff from there. I waited for 15 mins before finally deciding that ComboFix had stalled.
-
Delete your copy of ComboFix and redownload it from HERE (http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe).
This time make sure to save it to your root directory,
e.g. C:\Combofix.exe
Reboot back to safe mode.
This time just double-click on combofix.exe and follow the prompts.
Let me know if this works.
-
It worked! Thank you so much. My homepage is now changed back to MSN. And I thought ComboFix was just a diagnostic tool, but after letting it run to completion, apparently we got rid of the hijacker. Thanks again, man. You rock!
Here is the log.
user - 06-11-28 11:56:13.28 Service Pack 2
ComboFix 06.11.28 - Running from: "C:\"
((((((((((((((((((((((((((((((( Files Created from 2006-10-27 to 2006-11-27 ))))))))))))))))))))))))))))))))))
2006-11-28 11:59 <DIR> d-------- C:\WINDOWS\erdnt
2006-11-28 11:53 921,118 --a------ C:\combofix.exe
2006-11-22 12:00 <DIR> d-------- C:\avenger
2006-11-21 09:42 <DIR> d---s---- C:\Documents and Settings\user\UserData
2006-11-18 11:08 <DIR> d-------- C:\WINDOWS\temp
2006-11-15 12:40 <DIR> d-------- C:\Program Files\HijackThis
2006-11-15 12:34 <DIR> d-------- C:\WINDOWS\system32\wsword
2006-11-15 11:33 <DIR> d-------- C:\WINDOWS\system32\mspalnt
2006-11-14 12:54 <DIR> d-------- C:\WINDOWS\CSC
2006-11-14 10:35 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-14 10:35 <DIR> d-------- C:\Program Files\Grisoft
2006-11-13 19:05 57,407 --a------ C:\WINDOWS\system32\ANICtl.dll
2006-11-13 19:05 49,152 --a------ C:\WINDOWS\system32\AQCKGen.dll
2006-11-13 19:05 368,640 --a------ C:\WINDOWS\system32\ANIWZCS2.dll
2006-11-13 19:05 36,864 --a------ C:\WINDOWS\system32\ANIOApi.dll
2006-11-13 19:05 28,205 --a------ C:\WINDOWS\system32\ANIO.sys
2006-11-13 19:05 221,184 --a------ C:\WINDOWS\system32\wlanapi.dll
2006-11-13 19:05 212,992 --a------ C:\WINDOWS\system32\aIPH.dll
2006-11-13 19:05 143,360 --a------ C:\WINDOWS\system32\WlanApp.dll
2006-11-13 19:05 11,904 --a------ C:\WINDOWS\system32\anio4.sys
2006-11-13 19:05 1,323,095 --a------ C:\WINDOWS\system32\odSupp_M.dll
2006-11-13 19:05 <DIR> d-------- C:\Program Files\ANI
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-18 11:07 -------- d-------- C:\Program Files\Common Files
2006-11-13 19:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-01 21:05 -------- d-------- C:\Program Files\SpywareBlaster
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV
NetworkService REG_MULTI_SZ DnsCache
DcomLaunch REG_MULTI_SZ DcomLaunchTermService
rpcss REG_MULTI_SZ RpcSs
imgsvc REG_MULTI_SZ StiSvc
termsvcs REG_MULTI_SZ TermService
Completion time: 06-11-28 12:01:03.53
C:\ComboFix.txt ... 06-11-28 12:01
C:\ComboFix2.txt ... 06-11-27 18:41
C:\ComboFix3.txt ... 06-11-27 18:39
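As an editor-added example (not part of the thread, and not code the helper posted): a Python script that reads the "Reg Loading Points" section of a ComboFix log and flags Run entries whose command is a bare filename or an unquoted path containing spaces. A constructed excerpt of the lines above is embedded as its input. In the log above, "VTTrayp"="VTtrayp.exe" and "VTTimer"="VTTimer.exe" are bare filenames: with no directory in the command, Windows resolves the name through its search order, so the log alone does not say which file actually runs, and a same-named file planted earlier in that order would be started instead. The search-order simplification (accumulating tokens until one ends in .exe) and the two check rules are my assumptions; treat the output as a triage list, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in ComboFix's "Reg Loading Points" export format,
# copied from the entries in the log above (not a full log).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTrayp"="VTtrayp.exe"
"VTTimer"="VTTimer.exe"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1 "
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
'''

# One exported REG_SZ value: "name"="data", with backslash escapes inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

BARE = "bare filename (resolved through the search path, origin unknown)"
UNQUOTED = "unquoted path containing spaces"


def _unescape(s: str) -> str:
    """Undo the .reg export escaping (double backslash, backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command line) for every value under a Run key."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        # Only the Run keys themselves, not Run\OptionalComponents or other subkeys.
        if current_key is None or not current_key.lower().endswith("\\run"):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((current_key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def executable_of(command: str) -> Tuple[str, bool]:
    """Split the program from its arguments; returns (path, was_quoted).
    Unquoted commands are accumulated token by token until one ends in .exe,
    a simplified model of how CreateProcess tries successive prefixes (assumption)."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]), True
    tokens = cmd.split()
    acc = ""
    for tok in tokens:
        acc = tok if not acc else acc + " " + tok
        if acc.lower().endswith(".exe"):
            return acc, False
    return (tokens[0] if tokens else cmd), False


def audit_run_entries(log_text: str) -> Dict[str, str]:
    """Map value name -> reason for every Run entry worth a second look."""
    findings: Dict[str, str] = {}
    for _key, name, command in parse_run_entries(log_text):
        exe, quoted = executable_of(command)
        if "\\" not in exe:
            findings[name] = BARE          # no directory: which file runs depends on the search path
        elif not quoted and " " in exe:
            findings[name] = UNQUOTED      # classic unquoted-path ambiguity
    return findings


if __name__ == "__main__":
    for name, reason in audit_run_entries(SAMPLE_LOG).items():
        print(f"{name}: {reason}")
```

Run on the excerpt, it reports VTTrayp and VTTimer as bare filenames and AudioDeck as an unquoted path with spaces; the McAfee, MSN and AVG entries are not listed because they carry a full, quoted path or a path without spaces.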
-
Sorry again for the delay; power outages and work have kept me off the forums lately.
I'm curious as to how the other 2 logs from ComboFix look.
Can you post both of the other logs, please:
C:\ComboFix2.txt
C:\ComboFix3.txt
Also, can you navigate to the following folders:
C:\WINDOWS\system32\wsword
C:\WINDOWS\system32\mspalnt
NOTICE the spelling of each. Are there any files in each folder?
-
Please don't apologize... I'm already very grateful that you're taking the time to help me out :D
Here are the logs.
Combofix 2
user - 06-11-27 18:41:53.54 Service Pack 2
ComboFix 06.11.26W - Running from: "C:\Documents and Settings\user\desktop"
Command switches used :: /wow
Combofix3
user - 06-11-27 18:39:12.87 Service Pack 2
ComboFix 06.11.26W - Running from: "C:\Documents and Settings\user\desktop"
Command switches used :: /wow
These were probably generated when my PC stalled while running ComboFix from the desktop earlier.
As for the 2 folders in system32... they appear to be empty.
-
I've only seen those 2 folders in one other log, which coincidentally had the same infection you had.
They should be safe to delete if empty.
Can you do the following for cleanup:
Create a .reg file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it into the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file fix.reg
Save this file on the desktop
Make sure to copy from REGEDIT4 down in the code box:
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LSLLDR14000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lslldr14]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LSLLDR14000]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\lslldr14]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LSLLDR14000]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lslldr14]
Double-click on fix.reg and allow it to add/merge to the registry at the prompt.
Open SREng.exe and click on "Boot Items" on the left-hand side.
Select the Services tab.
Select the Drivers button.
Highlight "dxdkqoq / dxdkqoqw" in the list and then click the radio button for "Delete Service".
Click SET.
Reboot the computer.
Back in Windows, can you run Regsearch.exe and use the find.txt again?
Post back the contents.
Also post one more fresh HijackThis log.
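An editor-added example, not the helper's own code: a Python script that generates the fix.reg shown above for any list of service names, and checks a .reg file before it is merged. The fix in the post removes three keys per control set (the LEGACY_NAME and LEGACY_NAME000 enumeration nodes under Enum\Root, and the Services entry) from ControlSet001, ControlSet002 and CurrentControlSet; the generator does the same for each name given, and the checker refuses a file that would add or change anything rather than only delete, or that reaches outside HKEY_LOCAL_MACHINE\SYSTEM. The control-set list and the check rules are my assumptions; the point of the checker is to catch a stray line in a hand-edited .reg before regedit merges it.

```python
from typing import Iterable, List

# Assumption: the control sets the fix in the thread touched. A machine may carry
# others (ControlSet003 and so on); regedit simply ignores a key that does not exist.
CONTROL_SETS = ("ControlSet001", "ControlSet002", "CurrentControlSet")
ALLOWED_ROOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\"


def removal_keys(service: str, control_sets: Iterable[str] = CONTROL_SETS) -> List[str]:
    """The keys a rogue kernel-mode service leaves behind: its Services entry plus the
    LEGACY_<NAME> and LEGACY_<NAME>000 nodes under Enum\\Root, in every control set."""
    legacy = "LEGACY_" + service.upper()
    keys = []
    for cs in control_sets:
        base = f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}"
        keys.append(f"{base}\\Enum\\Root\\{legacy}")
        keys.append(f"{base}\\Enum\\Root\\{legacy}000")
        keys.append(f"{base}\\Services\\{service}")
    return keys


def build_removal_reg(services: Iterable[str]) -> str:
    """Render a REGEDIT4 file whose only effect is to delete the keys above.
    A leading '-' inside the brackets tells regedit to delete the key."""
    lines = ["REGEDIT4", ""]
    for svc in services:
        lines.extend(f"[-{key}]" for key in removal_keys(svc))
    # Saved through a text-mode open() on Windows, "\n" becomes the CRLF regedit expects.
    return "\n".join(lines) + "\n"


def check_deletion_only(reg_text: str) -> List[str]:
    """Return the lines that would make the file do more than delete keys under
    HKLM\\SYSTEM: key lines without '-', value lines, or out-of-scope paths.
    An empty list means the file is safe to merge for this purpose."""
    problems = []
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("missing REGEDIT4 header")
    for line in lines[1:]:
        s = line.strip()
        if not s:
            continue
        if s.startswith("[") and s.endswith("]"):
            if not s.startswith("[-"):
                problems.append(f"adds or modifies a key: {s}")
            elif not s[2:-1].startswith(ALLOWED_ROOT):
                problems.append(f"outside HKLM\\SYSTEM: {s}")
        else:
            problems.append(f"sets a value: {s}")
    return problems


if __name__ == "__main__":
    reg = build_removal_reg(["lslldr14"])
    print(reg)
    print("problems:", check_deletion_only(reg))
```

For ["lslldr14"] the output is the nine deletion lines of the fix.reg above, in the same order. The checker is the part worth keeping around: a value line such as "Start"=dword:00000002 or a key line missing its leading '-' would be merged silently by regedit, and this refuses the file instead.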
-
Hi!!!
I'm new here; I've got the same problem with my123.com.
Can anyone help me out?
And what is it exactly? Just adware, or does it do anything malicious?
Thanks
Yudi
-
The original poster has not returned, so I am going to lock this topic.
Yudi Santoso, can you please start your own topic in this forum? Thanks.