IE hijacking and popups


  • This topic is locked
15 replies to this topic

#1 jj82

Posted 01 June 2007 - 01:55 PM

Hey guys, I am a first time user of HijackThis and this forum. I have this problem where whenever I use google.com and search for something, and click the first link that comes up, it will go somewhere totally different than the link. Also, at random intervals, popups will come up while I use IE. I've tried all the good anti virus and anti spyware programs (AVG antispyware, adaware se, spybot S&D, vundfix, trend micro, etc). So, with that, I need the help of this forum! Below is my hijackthis log, can anyone help?

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:43:49 PM, on 6/1/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINNT\system32\Wnex7DO.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\MDM.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mmcgrath\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eportal.cardinal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eportal.cardinal.com
O1 - Hosts: 148.168.142.24 betsy.pfizer.com # Betsy QC CV server at Pfizer "Production Home Page"
O1 - Hosts: 148.168.74.33 cagall2.pfizer.com # Betsy QC CV server at Pfizer
O1 - Hosts: 148.168.141.228 mopppgbetsyrpt.pfizer.com # Betsy Production Crystalreport server at Pfizer
O1 - Hosts: 148.168.136.69 whistler2.pfizer.com # Betsy Production CV server at Pfizer
O1 - Hosts: 148.168.136.33 mopppgbetsy.pfizer.com # Betsy Ad Hoc Report Server
O1 - Hosts: 148.168.129.47 Imsprod.pfizer.com # Power2Learn
O1 - Hosts: 148.168.129.48 GROAMRAPP288.amer.pfizer.com # P2L Training
O1 - Hosts: 148.168.136.168 Preweb.pfizer.com # P2I Training
O1 - Hosts: 148.168.143.91 Grogrdweb01.pfizer.com # P2I Training
O1 - Hosts: 148.168.139.165 livelinkpgrd1.pfizer.com # Insight
O1 - Hosts: 148.168.142.194 eSOP.pfizer.com # eSOP
O1 - Hosts: 148.168.131.63 gdms.pfizer.com # GDMS
O1 - Hosts: 148.168.128.131 amtracker.pfizer.com #AMtracker
O1 - Hosts: 148.168.131.168 nlsun924.pfizer.com # Betsy Production CV server at Pfizer
O1 - Hosts: 148.168.133.143 groamrapp692.amer.pfizer.com # Betsy Production Crystal Report server at Pfizer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\cbxxyxx.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\nrpraedi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6E955359-AF05-4430-AED5-D33F0D3C5C66} - C:\WINNT\system32\ddrhnsam.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B5CB64DD-BA99-4D18-8778-EBF04CDBFF0F} - C:\WINNT\system32\awvuu.dll (file missing)
O2 - BHO: (no name) - {B80C4316-818E-D957-D978-FDADAC972095} - C:\WINNT\system32\ptxoag.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [Watcher-WatchDog] C:\WINNT\system32\Wnex7DO.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [A00F1FAA62.exe] C:\Temp\_A00F1FAA62.exe
O4 - HKCU\..\Run: [A00F1FA682.exe] C:\Temp\_A00F1FA682.exe
O4 - HKCU\..\Run: [A00F1463E3.exe] C:\Temp\_A00F1463E3.exe
O4 - HKCU\..\Run: [A00F1463D9.exe] C:\Temp\_A00F1463D9.exe
O4 - HKCU\..\Run: [A00F146696.exe] C:\Temp\_A00F146696.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\Avaya IP Agent\Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eportal.cardinal.com
O15 - Trusted Zone: http://bmslamps.blpnet.com
O15 - Trusted Zone: http://BRC.blpnet.com
O15 - Trusted Zone: http://changepoint.blpnet.com
O15 - Trusted Zone: http://cpsysman.blpnet.com
O15 - Trusted Zone: http://cptest.blpnet.com
O15 - Trusted Zone: http://cptrain.blpnet.com
O15 - Trusted Zone: http://lamps.blpnet.com
O15 - Trusted Zone: http://mars.blpnet.com
O15 - Trusted Zone: http://newbrc.blpnet.com
O15 - Trusted Zone: http://projectcenter.blpnet.com
O15 - Trusted Zone: http://prophet.cardinal.com
O15 - Trusted Zone: http://stage.prophet.cardinal.com
O15 - Trusted Zone: http://*.ffl
O15 - Trusted Zone: http://amex.iers.ihost.com
O15 - Trusted Zone: http://*.mccsql
O15 - Trusted Zone: http://bmslamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://BRC.blpnet.com (HKLM)
O15 - Trusted Zone: http://changepoint.blpnet.com (HKLM)
O15 - Trusted Zone: http://cpsysman.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptest.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptrain.blpnet.com (HKLM)
O15 - Trusted Zone: http://lamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://mars.blpnet.com (HKLM)
O15 - Trusted Zone: http://newbrc.blpnet.com (HKLM)
O15 - Trusted Zone: http://projectcenter.blpnet.com (HKLM)
O15 - Trusted Zone: http://prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://stage.prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://*.ffl (HKLM)
O15 - Trusted Zone: http://amex.iers.ihost.com (HKLM)
O15 - Trusted Zone: http://*.mccsql (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webworkshop.f...aDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivi...d181ac6f9ea3a7c
O16 - DPF: {B6845ABC-880B-11D1-A249-00805F21D5F8} (ActiveCalendar 2.0) - http://bmslamps.blpn...abs/TSGACAL.CAB
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - http://stage.prophet...lOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{F242061F-C0EF-49BA-B187-E8D0938AFA8F}: NameServer = 68.28.122.11 68.28.114.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O20 - Winlogon Notify: __c001B3B7 - C:\WINNT\system32\__c001B3B7.dat
O20 - Winlogon Notify: __c0099E21 - C:\WINNT\system32\__c0099E21.dat
O20 - Winlogon Notify: __c00A1E11 - C:\WINNT\system32\__c00A1E11.dat
O20 - Winlogon Notify: __c00AE269 - C:\WINNT\system32\__c00AE269.dat
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINNT\system32\\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

--
End of file - 12723 bytes

#2 jj82

Posted 01 June 2007 - 04:33 PM

Anyone? :techsupport:

#3 Korina

Posted 01 June 2007 - 05:00 PM

Anyone? :techsupport:



I have a very similar problem and these are the weird (wrong looking) lines we have in common


O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\cbxxyxx.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\nrpraedi.dll

--------------------------------------------------

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
Not sure about this line; I have seen rumors of a virus running from this file, but it is also the Search and Destroy file... but it is not essential for your computer's running.


---------------------------------------------------
O2 - BHO: (no name) - {6E955359-AF05-4430-AED5-D33F0D3C5C66} - C:\WINNT\system32\ddrhnsam.dll



O2 - BHO: (no name) - {B5CB64DD-BA99-4D18-8778-EBF04CDBFF0F} - C:\WINNT\system32\awvuu.dll (file missing)
O2 - BHO: (no name) - {B80C4316-818E-D957-D978-FDADAC972095} - C:\WINNT\system32\ptxoag.dll (file missing)


O4 - HKCU\..\Run: [A00F1FAA62.exe] C:\Temp\_A00F1FAA62.exe
O4 - HKCU\..\Run: [A00F1FA682.exe] C:\Temp\_A00F1FA682.exe
O4 - HKCU\..\Run: [A00F1463E3.exe] C:\Temp\_A00F1463E3.exe
O4 - HKCU\..\Run: [A00F1463D9.exe] C:\Temp\_A00F1463D9.exe
O4 - HKCU\..\Run: [A00F146696.exe] C:\Temp\_A00F146696.exe

I'm no expert but I will be using HijackThis to remove these lines and see if it helps me.

Edited by Korina, 01 June 2007 - 09:09 PM.
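
An added example, not part of any post in this thread: a small Python triage pass over HijackThis lines using patterns that stand out in the logs posted here (orphaned "(file missing)" entries, unnamed BHOs in system32, Run entries launching from a Temp directory, Winlogon Notify targets that are not DLLs). The heuristics and the names `triage` and `Finding` are assumptions of this example, not HijackThis behaviour or forum guidance; the sample lines are copied from the logs in this thread.

```python
import re
from dataclasses import dataclass

# A HijackThis entry has the shape "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^\S.*?\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)
MISSING = " (file missing)"

# Reason strings (this example's own wording).
R_MISSING = "target file is missing (orphaned registry entry)"
R_BHO = "unnamed BHO loaded directly from system32"
R_TEMP = "autorun command launches from a Temp directory"
R_NOTIFY = "Winlogon Notify target is not a .dll"


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def triage(log_text):
    """Return a Finding for every entry that matches at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # header, running-process path or blank line
        section, body = entry["section"], entry["body"]
        reasons = []
        if body.endswith(MISSING):
            reasons.append(R_MISSING)
            body = body[: -len(MISSING)]  # strip the marker before parsing paths
        if section == "O2":
            bho = BHO_RE.match(body)
            if bho and bho["name"] == "(no name)" and IN_SYSTEM32.search(bho["path"]):
                reasons.append(R_BHO)
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and TEMP_DIR.search(run["cmd"]):
                reasons.append(R_TEMP)
        elif section == "O20":
            notify = NOTIFY_RE.match(body)
            if notify and not notify["path"].lower().endswith(".dll"):
                reasons.append(R_NOTIFY)
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


# Sample input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eportal.cardinal.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINNT\system32\cbxxyxx.dll (file missing)
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINNT\system32\nrpraedi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [A00F1FAA62.exe] C:\Temp\_A00F1FAA62.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: __c001B3B7 - C:\WINNT\system32\__c001B3B7.dat
O20 - Winlogon Notify: __c0099E21 - C:\WINNT\system32\__c0099E21.dat (file missing)
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.line}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

A flag is a prompt to inspect the entry, not a verdict: the Spybot SDHelper.dll line is also "(no name)" but loads from its own install directory, so it is not flagged.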


#4 jj82

Posted 01 June 2007 - 09:32 PM

Well all this happened before I even had spybot installed, so I would guess it isn't that file. As for the rest, I really don't know what to do. Thanks for the reply Korina. Can anyone give us both some help here and get this problem solved?

Edited by jj82, 01 June 2007 - 09:33 PM.


#5 Korina

Posted 02 June 2007 - 09:56 AM

I downloaded the "Google Pack" and used Spyware Doctor Starter Edition from it (this edition of it; the trial version from the spyware-doctor web site does NOT actually allow you to fix the problems, only scan). This found and cleaned a lot of nasties and seems to have cured it.

Edited by Korina, 02 June 2007 - 10:00 AM.


#6 jj82

Posted 03 June 2007 - 04:04 AM

Ok I got rid of the google hijacking and random popups, but now I seem to have Trojan.Java.ClassLoader.ao. Anyone know what this is and how I can get rid of it? Thanks.

#7 SWI Support Robot

Posted 04 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#8 nasdaq

Posted 06 June 2007 - 08:39 AM

jj82

Post a fresh HijackThis log for my review.



Korina

Please do not post in open topics, start your own.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#9 jj82

Posted 08 June 2007 - 02:21 PM

Hey nasdaq, thanks for replying to my topic, and sorry for the delay. Here is an updated hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 15:20, on 2007-06-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\MDM.EXE
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSCM.exe
C:\Documents and Settings\mmcgrath\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eportal.cardinal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eportal.cardinal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {B5CB64DD-BA99-4D18-8778-EBF04CDBFF0F} - C:\WINNT\system32\awvuu.dll (file missing)
O2 - BHO: (no name) - {B80C4316-818E-D957-D978-FDADAC972095} - C:\WINNT\system32\ptxoag.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\Avaya IP Agent\Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eportal.cardinal.com
O15 - Trusted Zone: http://bmslamps.blpnet.com
O15 - Trusted Zone: http://BRC.blpnet.com
O15 - Trusted Zone: http://changepoint.blpnet.com
O15 - Trusted Zone: http://cpsysman.blpnet.com
O15 - Trusted Zone: http://cptest.blpnet.com
O15 - Trusted Zone: http://cptrain.blpnet.com
O15 - Trusted Zone: http://lamps.blpnet.com
O15 - Trusted Zone: http://mars.blpnet.com
O15 - Trusted Zone: http://newbrc.blpnet.com
O15 - Trusted Zone: http://projectcenter.blpnet.com
O15 - Trusted Zone: http://prophet.cardinal.com
O15 - Trusted Zone: http://stage.prophet.cardinal.com
O15 - Trusted Zone: http://*.ffl
O15 - Trusted Zone: http://amex.iers.ihost.com
O15 - Trusted Zone: http://*.mccsql
O15 - Trusted Zone: http://bmslamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://BRC.blpnet.com (HKLM)
O15 - Trusted Zone: http://changepoint.blpnet.com (HKLM)
O15 - Trusted Zone: http://cpsysman.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptest.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptrain.blpnet.com (HKLM)
O15 - Trusted Zone: http://lamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://mars.blpnet.com (HKLM)
O15 - Trusted Zone: http://newbrc.blpnet.com (HKLM)
O15 - Trusted Zone: http://projectcenter.blpnet.com (HKLM)
O15 - Trusted Zone: http://prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://stage.prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://*.ffl (HKLM)
O15 - Trusted Zone: http://amex.iers.ihost.com (HKLM)
O15 - Trusted Zone: http://*.mccsql (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webworkshop.f...aDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivi...d181ac6f9ea3a7c
O16 - DPF: {B6845ABC-880B-11D1-A249-00805F21D5F8} (ActiveCalendar 2.0) - http://bmslamps.blpn...abs/TSGACAL.CAB
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - http://stage.prophet...lOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CCS\Services\Tcpip\..\{F242061F-C0EF-49BA-B187-E8D0938AFA8F}: NameServer = 68.28.122.11 68.28.114.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: __c001B3B7 - C:\WINNT\system32\__c001B3B7.dat (file missing)
O20 - Winlogon Notify: __c0099E21 - C:\WINNT\system32\__c0099E21.dat (file missing)
O20 - Winlogon Notify: __c00A1E11 - C:\WINNT\system32\__c00A1E11.dat (file missing)
O20 - Winlogon Notify: __c00AE269 - C:\WINNT\system32\__c00AE269.dat (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINNT\system32\\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

#10 nasdaq

Posted 08 June 2007 - 02:55 PM

I just found out that you also have posted in this forum.
http://www.geekstogo...al-t159886.html

This community is served by volunteers. Duplicate posting only increases the workload.

Close your account at GeeksTogo and then I will see what I can suggest to fix your situation.

#11 jj82

Posted 08 June 2007 - 04:32 PM

Ok I closed the topic at geekstogo but I don't know how to close my account. Sorry about that. Thanks for sticking with me nasdaq.

#12 nasdaq

Posted 09 June 2007 - 07:06 AM

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Go to: Start -> Control Panel -> Add/Remove Programs list. Remove WinAntiVirus Pro 2007 if found.
It is a rogue program and not reliable.

Please download FixWareout from this site:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch; if not, launch it. Please click Scan, and check the following items:

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {B5CB64DD-BA99-4D18-8778-EBF04CDBFF0F} - C:\WINNT\system32\awvuu.dll (file missing)
O2 - BHO: (no name) - {B80C4316-818E-D957-D978-FDADAC972095} - C:\WINNT\system32\ptxoag.dll (file missing)
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivi...d181ac6f9ea3a7c
O20 - Winlogon Notify: __c001B3B7 - C:\WINNT\system32\__c001B3B7.dat (file missing)
O20 - Winlogon Notify: __c0099E21 - C:\WINNT\system32\__c0099E21.dat (file missing)
O20 - Winlogon Notify: __c00A1E11 - C:\WINNT\system32\__c00A1E11.dat (file missing)
O20 - Winlogon Notify: __c00AE269 - C:\WINNT\system32\__c00AE269.dat (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete this folder if found.

C:\Program Files\Common Files\WinAntiVirus Pro 2007\

At the end of the fix, you need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

#13 jj82

Posted 09 June 2007 - 03:13 PM

Thanks nasdaq. Here is the fixwareout report:


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"P3000x_S2P"="C:\\PROGRAM FILES\\DELL\\DELL LASER MFP 1600N\\PSU\\ScanToPc.exe"
"PaperPort PTD"="C:\\Program Files\\DELL\\Dell Laser MFP 1600n\\PaperPort\\pptd40nt.exe"
"IndexSearch"="C:\\Program Files\\DELL\\Dell Laser MFP 1600n\\PaperPort\\IndexSearch.exe"
"projselector"="\"C:\\Program Files\\Common Files\\Roxio Shared\\Project Selector\\projselector.exe\" -r"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"EOUApp"="C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Salestart"="\"C:\\Program Files\\Common Files\\WinAntiVirus Pro 2007\\mav_startupmon.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Watcher-WatchDog"="C:\\WINNT\\system32\\Wnex7DO.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


And here is a new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 16:09, on 2007-06-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\Wnex7DO.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINNT\system32\MDM.EXE
C:\Documents and Settings\mmcgrath\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eportal.cardinal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://eportal.cardinal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Watcher-WatchDog] C:\WINNT\system32\Wnex7DO.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Cardinal Health VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: pwreset.lnk = C:\Program Files\Avaya\Avaya IP Agent\Service Provider\pwreset.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://eportal.cardinal.com
O15 - Trusted Zone: http://bmslamps.blpnet.com
O15 - Trusted Zone: http://BRC.blpnet.com
O15 - Trusted Zone: http://changepoint.blpnet.com
O15 - Trusted Zone: http://cpsysman.blpnet.com
O15 - Trusted Zone: http://cptest.blpnet.com
O15 - Trusted Zone: http://cptrain.blpnet.com
O15 - Trusted Zone: http://lamps.blpnet.com
O15 - Trusted Zone: http://mars.blpnet.com
O15 - Trusted Zone: http://newbrc.blpnet.com
O15 - Trusted Zone: http://projectcenter.blpnet.com
O15 - Trusted Zone: http://prophet.cardinal.com
O15 - Trusted Zone: http://stage.prophet.cardinal.com
O15 - Trusted Zone: http://*.ffl
O15 - Trusted Zone: http://amex.iers.ihost.com
O15 - Trusted Zone: http://*.mccsql
O15 - Trusted Zone: http://bmslamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://BRC.blpnet.com (HKLM)
O15 - Trusted Zone: http://changepoint.blpnet.com (HKLM)
O15 - Trusted Zone: http://cpsysman.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptest.blpnet.com (HKLM)
O15 - Trusted Zone: http://cptrain.blpnet.com (HKLM)
O15 - Trusted Zone: http://lamps.blpnet.com (HKLM)
O15 - Trusted Zone: http://mars.blpnet.com (HKLM)
O15 - Trusted Zone: http://newbrc.blpnet.com (HKLM)
O15 - Trusted Zone: http://projectcenter.blpnet.com (HKLM)
O15 - Trusted Zone: http://prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://stage.prophet.cardinal.com (HKLM)
O15 - Trusted Zone: http://*.ffl (HKLM)
O15 - Trusted Zone: http://amex.iers.ihost.com (HKLM)
O15 - Trusted Zone: http://*.mccsql (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://webworkshop.f...aDownloader.cab
O16 - DPF: {B6845ABC-880B-11D1-A249-00805F21D5F8} (ActiveCalendar 2.0) - http://bmslamps.blpn...abs/TSGACAL.CAB
O16 - DPF: {ECB40B9A-5869-476D-9110-8E171A5929B2} (Siebel Option Pack for IE 7.5.3) - http://stage.prophet...lOptionPack.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BLPCORP.BLPGROUP.COM
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - c:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINNT\system32\\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe

#14 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 10 June 2007 - 06:31 AM

Nice work, your log is clean.

; Purpose: Remove traces of WinAntiVirus Pro 2007 in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Salestart"=-



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

If you need help on "How to Make a .Reg File"
See: http://www.nellie2.co.uk/file.htm

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq
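
What the `"Salestart"=-` line in Fix.reg does when merged, as an added example that is not part of the post above: a small REGEDIT4 interpreter run against an in-memory model of the Run key. It goes slightly beyond the single fix by also handling `[-key]` deletion and string values; the function names and the dictionary model are assumptions made for illustration, and the sample Run values are constructed from entries in the Fixwareout report in this thread.

```python
import re

# One value line: "name"=data, or @=data for the key's default value.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
FIX_REG = 'REGEDIT4\n\n[' + RUN + ']\n"Salestart"=-\n'   # the fix from the post

def unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)

def merge_reg(text, registry):
    """Apply REGEDIT4 text to registry, a {key_path: {value_name: data}} dict
    (a hypothetical in-memory model; string data and deletions only)."""
    # Simplification of this model: comments and blank lines are dropped first.
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(';')]
    if not lines or lines[0] != 'REGEDIT4':
        raise ValueError('missing REGEDIT4 header')
    key = None
    for line in lines[1:]:
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            if key.startswith('-'):            # [-key] deletes the whole key
                registry.pop(key[1:], None)
                key = None
            else:
                registry.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError('unparseable line: %r' % line)
        name = unescape(m.group(1)) if m.group(1) is not None else ''
        data = m.group(2)
        if data == '-':                        # "name"=- deletes only that value
            registry[key].pop(name, None)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            registry[key][name] = unescape(data[1:-1])
        else:
            raise ValueError('unsupported data: %r' % data)
    return registry

def demo():
    # Constructed sample: two Run values taken from the report in this thread.
    registry = {RUN: {
        'vptray': r'C:\Program Files\NavNT\vptray.exe',
        'Salestart': r'"C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"',
    }}
    return merge_reg(FIX_REG, registry)
```

Only the named value is removed; the Run key and its other values are left in place.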


#15 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 10 June 2007 - 08:36 AM

bump
nasdaq


#16 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 21 June 2007 - 09:04 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq




