XPuser57

Trojans keep coming back

22 posts in this topic

Here's my log.

 

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 7:21:04 PM, on 6/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\CDProxyServ.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\ARPWRMSG.EXE

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Grisoft\AVG7\avgwb.dat

C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis_v2.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com

O1 - Hosts: 85.214.19.81 l2authd.lineage2.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccbayw.dll

O2 - BHO: (no name) - {92fecfc8-83cc-4943-854f-fbcb46c3c24e} - (no file)

O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll

O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [{4C-C4-47-78-ZN}] c:\windows\system32\dwdsregt.exe CHD003

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.drivecleaner.com

O15 - Trusted Zone: *.errorprotector.com

O15 - Trusted Zone: *.errorsafe.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.systemdoctor.com

O15 - Trusted Zone: *.winantispyware.com

O15 - Trusted Zone: *.winantivirus.com

O15 - Trusted Zone: *.winfixer.com

O15 - Trusted Zone: *.amaena.com (HKLM)

O15 - Trusted Zone: *.drivecleaner.com (HKLM)

O15 - Trusted Zone: *.errorprotector.com (HKLM)

O15 - Trusted Zone: *.errorsafe.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.imagesrvr.com (HKLM)

O15 - Trusted Zone: *.systemdoctor.com (HKLM)

O15 - Trusted Zone: *.winantispyware.com (HKLM)

O15 - Trusted Zone: *.winantivirus.com (HKLM)

O15 - Trusted Zone: *.winfixer.com (HKLM)

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)

O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll

O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: (no name) - http://www.square-enix.co.jp/dcff7/wallpap...8_1280x1024.jpg

 

--

End of file - 16744 bytes


I had a few days of pop-ups and got some very reputable anti-spyware/adware software, but the pop-ups would come back.

 

However, since running this program they seem to have stopped, though it might have been a different program; I think it is this one, as it is intended for basically just one bug!

 

http://www.atribune.org/content/view/24/2/

 

 

Friday, 03 February 2006

VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool, follow the instructions below.

 

Please download VundoFix.exe to your desktop.


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi and welcome

 

The version of HijackThis you are running is a Beta, a product that is normally in its final stages of testing.

Often, a Beta version of a product may contain minor bugs and glitches, so let's work with the final version, HijackThis 1.99.1, instead.

 

Use Control Panel > Add/Remove Programs to remove HijackThis v2.

Then, do a search and also delete any Folders or Files the program created.

 

Click here to download HJTsetup.exe

  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Do this now.

 

 

How to remove the Sony - XCP DRM Rootkit

 

 

After you follow through with the above procedure, next:

 

 

Open HJT, click Scan only, and place a check by these entries:

 

O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com

O1 - Hosts: 85.214.19.81 l2authd.lineage2.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccbayw.dll

O2 - BHO: (no name) - {92fecfc8-83cc-4943-854f-fbcb46c3c24e} - (no file)

O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll

O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)

O4 - HKLM\..\Run: [{4C-C4-47-78-ZN}] c:\windows\system32\dwdsregt.exe CHD003

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe

O15 - Trusted Zone: *.amaena.com

O15 - Trusted Zone: *.drivecleaner.com

O15 - Trusted Zone: *.errorprotector.com

O15 - Trusted Zone: *.errorsafe.com

O15 - Trusted Zone: *.imageservr.com

O15 - Trusted Zone: *.imagesrvr.com

O15 - Trusted Zone: *.systemdoctor.com

O15 - Trusted Zone: *.winantispyware.com

O15 - Trusted Zone: *.winantivirus.com

O15 - Trusted Zone: *.winfixer.com

O15 - Trusted Zone: *.amaena.com (HKLM)

O15 - Trusted Zone: *.drivecleaner.com (HKLM)

O15 - Trusted Zone: *.errorprotector.com (HKLM)

O15 - Trusted Zone: *.errorsafe.com (HKLM)

O15 - Trusted Zone: *.imageservr.com (HKLM)

O15 - Trusted Zone: *.imagesrvr.com (HKLM)

O15 - Trusted Zone: *.systemdoctor.com (HKLM)

O15 - Trusted Zone: *.winantispyware.com (HKLM)

O15 - Trusted Zone: *.winantivirus.com (HKLM)

O15 - Trusted Zone: *.winfixer.com (HKLM)

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab

O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)

O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll

O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

 

Close all windows and browsers except HJT and click Fix checked.

 

 

Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":

http://www.mvps.org/winhelp2002/DelDomains.inf

Save the file to the desktop.

Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.

 

 

 

 

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

 

 

 

 

Download Combofix from http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Important: place it on your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

 

 

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button.
  • Check the box that says "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, with or without Multi-language, and save it to your desktop.
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
  • It should have this icon next to it: javaicon.gif
  • Select it and click Remove.
  • Close any programs you may have running, especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

 

 

In your next reply post:

Vundo C:\vundofix.txt log

ComboFix log

New HJT log

Comments on how the computer is running now

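A small Python triage script, added here as an example (it is not code from this thread, from SWI or from HijackThis), that applies the rules the helper's post above works through on the log: the XCP "$sys$" cloaking prefix, unnamed BHO DLLs that are also registered as Winlogon Notify hooks (the fccbayw.dll / geeby.dll pair), rogue-antispyware domains in the Trusted Zone, hosts-file overrides, orphaned "(no file)" entries, and autostarts from Temp or via rundll32. The domain blocklist, the severities and the Temp/rundll32 heuristics are this example's own assumptions, and the sample log is an excerpt constructed from the first log in the thread.

```python
"""Triage a HijackThis log with the rules the helper applied in this thread.
Added example, not code from the thread or from HijackThis: the rogue-domain
blocklist, severities and the Temp/rundll32 heuristics are assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "code severity reason line")
# Every finding line starts with a section code, e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<rest>.*)$")
DLL_RE = re.compile(r'([^\\\s"]+)\.dll\b', re.I)
# Rogue-antispyware domains taken from the O15 entries above (assumed blocklist).
ROGUE_DOMAINS = {"amaena.com", "drivecleaner.com", "errorprotector.com",
                 "errorsafe.com", "imageservr.com", "imagesrvr.com", "systemdoctor.com",
                 "winantispyware.com", "winantivirus.com", "winfixer.com"}

def parse(log_text):
    """Return (code, rest, line) for finding lines; the process list has no code."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            out.append((m.group("code"), m.group("rest"), raw.strip()))
    return out

def dlls_in(text):
    """Lower-cased base names of every *.dll mentioned in text."""
    return {m.group(1).lower() for m in DLL_RE.finditer(text)}

def vundo_dlls(entries):
    """Vundo's footprint in this log: an unnamed BHO (O2) whose DLL is also a
    Winlogon Notify hook (O20), so it is reloaded at every logon."""
    unnamed_bho, winlogon = set(), set()
    for code, rest, _ in entries:
        if code == "O2" and rest.startswith("BHO: (no name)"):
            unnamed_bho |= dlls_in(rest)
        elif code == "O20":
            winlogon |= dlls_in(rest)
    return unnamed_bho & winlogon

def analyze(log_text):
    entries = parse(log_text)
    vundo = vundo_dlls(entries)
    findings = []
    for code, rest, line in entries:
        def add(sev, why):
            findings.append(Finding(code, sev, why, line))
        if "$sys$" in rest:  # Sony/First 4 Internet XCP rootkit hides this prefix
            add("high", "path uses the XCP rootkit's $sys$ cloaking prefix")
        if code == "O1":
            add("review", "hosts-file override redirects a hostname")
        elif code == "O15":
            m = re.search(r"\*\.([\w.-]+)", rest)
            if m and m.group(1).lower() in ROGUE_DOMAINS:
                add("high", "rogue-antispyware domain in the IE Trusted Zone")
        elif code in ("O2", "O3", "O20"):
            hit = dlls_in(rest) & vundo
            if hit:
                add("high", "Vundo pattern, BHO DLL also hooks Winlogon: " + ", ".join(sorted(hit)))
            elif "(file missing)" in rest:
                add("medium", "Winlogon Notify hook points to a missing DLL")
            elif "(no file)" in rest:
                add("low", "orphaned BHO/toolbar registration (no file)")
        elif code == "O4":
            if re.search(r"\\temp\\", rest, re.I):
                add("medium", "autostart runs an executable from a Temp directory")
            elif re.search(r'rundll32(?:\.exe)?\s+"?[^",]*\\system32\\[^",]*\.dll"?,', rest, re.I):
                add("review", "Run key uses rundll32 to call an export of a system32 DLL")
    return findings

def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts

# Constructed excerpt: lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 85.214.19.81 l2authd.lineage2.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccbayw.dll
O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
"""
if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.code}: {f.reason}\n         {f.line}")
```

The Spybot SDHelper.dll line is the control case: it is also an unnamed BHO, but because no O20 hook loads it the correlation rule leaves it alone, which is why a single-line rule on "(no name)" would over-flag.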

Greetings XPuser57

 

Please know that the group Members have no standing here as Helpers. It would be in your best interest to accept advice only when it is given by a member of one of our trained Helper groups. See here: Who is helping you?

 

I will now leave you in the capable hands of Juliet.


NEW HJT Log

 

Logfile of HijackThis v1.99.1

Scan saved at 9:55:37 PM, on 6/15/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\CDProxyServ.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\RTHDCPL.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avant Browser\avant.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com

O1 - Hosts: 85.214.19.81 l2authd.lineage2.com

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

 

Vundo Fix Log

 

VundoFix V6.5.0

 

Checking Java version...

 

Java version is 1.5.0.5

Old versions of java are exploitable and should be removed.

 

Scan started at 10:17:59 PM 6/15/2007

 

Listing files found while scanning....

 

C:\windows\system32\fccbaxx.dll

C:\windows\system32\qomjjgd.dll

 

Beginning removal...

 

Attempting to delete C:\windows\system32\fccbaxx.dll

C:\windows\system32\fccbaxx.dll Has been deleted!

 

Attempting to delete C:\windows\system32\qomjjgd.dll

C:\windows\system32\qomjjgd.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

Combo Fix Quarantine

2006-01-27 23:43	  780	--a------	C:\Qoobox\Quarantine\C\WINDOWS\hosts.vir
2007-03-07 10:37	  264376	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\Launcher.exe.vir
2007-06-07 02:21	  1836461	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pqtwa.bak1.vir
2007-06-11 00:37	  40183	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
2007-06-11 12:33	  1836476	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.bak1.vir
2007-06-11 12:41	  124436	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\feyjbdks.dll.vir
2007-06-11 21:03	  943877	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\skdbjyef.ini.vir
2007-06-11 21:50	  1840160	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir
2007-06-15 22:26	  1004	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf


Folder PATH listing for volume HP_PAVILION
Volume serial number is 7A54-C478
C:\QOOBOX
\---Quarantine
+---C
|   +---Program Files
|   |   \---Common Files
|   |		   Yazzle1281OinUninstaller.exe.vir
|   |		   
|   \---WINDOWS
|	   |   hosts.vir
|	   |   
|	   \---system32
|			   feyjbdks.dll.vir
|			   Launcher.exe.vir
|			   pqtwa.bak1.vir
|			   skdbjyef.ini.vir
|			   ybeeg.bak1.vir
|			   ybeeg.ini.vir
|			   
\---Registry_backups
		LEGACY_CORE.reg.cf


Welcome back

 

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

A side note about AIM Messenger, AOL users and Viewpoint Manager: Viewpoint is one of the graphics engines that AOL uses, and it is bundled with the application. If you continue to use AIM Messenger, it would likely be reinstalled. Or, if you receive some of the AOL E-cards, it may ask you to download and run this program to view and run the graphics in the E-cards.

Your call

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

 

Viewpoint

Viewpoint Manager

Viewpoint Media Player

 

Then reboot.

 

Using Windows Explorer, search for and delete this folder:

C:\Program Files\Viewpoint

 

 

To remove the Sony rootkit:

Click here to download and run the XCP Uninstaller.

Restart your computer after you uninstall.

 

 

 

Open HJT and click "Scan only", then place a check by these entries if still present:

 

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/ru...cat-no-eula.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

 

Close all windows and browsers except HJT and click "Fix checked".

 

 

In your last post you copied and pasted the ComboFix quarantine log; please search for combofix.txt and post that, along with a new HJT log.

 

I need comments on how your computer is running now.

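The entries the helper singles out above (the `$sys$`-prefixed XCP service and its CDProxyServ.exe companion, the dangling `c_8res` Winlogon Notify entry, and the randomly named Vundo DLLs whose `.ini` twin is the DLL name spelled backwards in the VundoFix and ComboFix output) can be triaged mechanically instead of by eye. The Python below is an added example written for this page; it is not a tool from the thread nor from the HijackThis, VundoFix or ComboFix authors. The sample lines are a constructed subset copied from the logs posted in this thread, the `KNOWN_XCP` indicator list and all function names are this example's own assumptions, and the `$sys$` canary check only tells you something when run on the suspect machine (on a clean system the file simply stays visible).

```python
import os
import re
import tempfile

# Sample HJT lines, copied from the logs in this thread (constructed subset,
# not a complete log).
SAMPLE_HJT = [
    r"O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)",
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
    r"O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe",
    r"O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe",
    r"O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe",
]

# File names from the VundoFix / ComboFix output in this thread (constructed subset).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\feyjbdks.dll",
    r"C:\WINDOWS\system32\skdbjyef.ini",
    r"C:\WINDOWS\system32\geeby.dll",
    r"C:\WINDOWS\system32\ybeeg.ini",
    r"C:\WINDOWS\system32\pqtwa.bak1",
    r"C:\WINDOWS\system32\WgaLogon.dll",
]

# Indicators of the Sony / First 4 Internet XCP rootkit as they appear in this
# thread's log: the '$sys$' cloaking prefix (XCP's filter driver hides any file,
# process, registry key or service whose name starts with it) and the
# CDProxyServ.exe service binary. The list is an assumption of this example,
# not something HijackThis ships with.
KNOWN_XCP = ("$sys$", "CDProxyServ.exe")

HJT_ENTRY = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(lines):
    """Yield (section, body) for every line shaped like an HJT 'Onn - ...' entry."""
    for line in lines:
        m = HJT_ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def flag_hjt(lines):
    """Return (reason, body) pairs for entries a helper would tell the user to fix."""
    flagged = []
    for section, body in parse_hjt(lines):
        if any(ind.lower() in body.lower() for ind in KNOWN_XCP):
            flagged.append(("xcp-rootkit-component", body))
        elif section == "O20" and "(file missing)" in body:
            # A Winlogon Notify DLL that no longer exists is a leftover autostart
            # from a removed component; the registry value still needs fixing.
            flagged.append(("dangling-winlogon-notify", body))
    return flagged


def vundo_pairs(paths):
    """Return (dll, ini) pairs from the same directory where the .ini base name is
    the DLL base name spelled backwards, the naming habit Vundo/Virtumonde shows
    in this thread (feyjbdks.dll / skdbjyef.ini, geeby.dll / ybeeg.ini)."""
    by_dir = {}
    for p in paths:
        directory, _, name = p.rpartition("\\")
        base, _, ext = name.rpartition(".")
        by_dir.setdefault(directory.lower(), {}).setdefault(ext.lower(), {})[base.lower()] = p
    pairs = []
    for exts in by_dir.values():
        inis = exts.get("ini", {})
        for base, dll in exts.get("dll", {}).items():
            if base[::-1] in inis:
                pairs.append((dll, inis[base[::-1]]))
    return sorted(pairs)


def sys_prefix_canary():
    """Create a '$sys$'-prefixed file and report whether a plain directory listing
    still shows it. XCP's cloaking hides such names, so False on a suspect
    machine means the filter driver is still active; on a clean system the file
    is visible and the function returns True."""
    with tempfile.TemporaryDirectory() as directory:
        name = "$sys$canary.txt"
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("canary")
        return name in os.listdir(directory)


if __name__ == "__main__":
    for reason, body in flag_hjt(SAMPLE_HJT):
        print(f"{reason:26} {body}")
    for dll, ini in vundo_pairs(SAMPLE_FILES):
        print(f"vundo pair: {dll} <-> {ini}")
    print("$sys$ canary visible:", sys_prefix_canary())
```

Run against the lines above it reports both XCP services, the missing `c_8res.dll` notify entry, and the two reversed-name DLL/INI pairs; the canary is the same trick used in 2005 to confirm XCP cloaking, and a False result after running the uninstaller means the driver is still loaded and the machine should be rebooted and rechecked before any HJT entries are fixed.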

NEW HJT Log

Logfile of HijackThis v1.99.1

Scan saved at 10:45:35 AM, on 6/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Avant Browser\avant.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

 

ComboFix Log

ComboFix 07-06-13.7 - C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe

"HP_Administrator" - 2007-06-15 22:24:16 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\feyjbdks.dll

C:\WINDOWS\system32\skdbjyef.ini

C:\WINDOWS\system32\pqtwa.bak1

C:\WINDOWS\system32\ybeeg.bak1

C:\WINDOWS\system32\ybeeg.ini

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe

C:\Temp\0b9

C:\Temp\tn3

C:\WINDOWS\hosts

C:\WINDOWS\system32\launcher.exe

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CORE

 

 

((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))

 

 

2007-06-15 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-15 22:17 <DIR> d-------- C:\VundoFix Backups

2007-06-11 10:32 263,220 --a------ C:\WINDOWS\system32\geeby.dll.vir

2007-06-11 00:42 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007

2007-06-11 00:38 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll

2007-06-11 00:38 52,432 --a------ C:\WINDOWS\system32\drivers\fopn.sys

2007-06-11 00:38 11,984 --a------ C:\WINDOWS\system32\stera.exe

2007-06-11 00:29 33,302 --a------ C:\WINDOWS\system32\fccbayw.dll.vir

2007-06-07 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard

2007-06-06 21:35 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007

2007-06-06 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

2007-06-06 21:28 <DIR> d-------- C:\temp\x2b

2007-06-04 22:57 11,272,192 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat

2007-05-30 22:13 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll

2007-05-30 22:13 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll

2007-05-30 22:13 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll

2007-05-30 22:13 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll

2007-05-30 22:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll

2007-05-30 22:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2007-05-30 22:13 76,288 --a------ C:\WINDOWS\system32\uniime.dll

2007-05-30 22:13 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll

2007-05-30 22:13 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll

2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll

2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101.dll

2007-05-30 22:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2007-05-30 22:13 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll

2007-05-30 22:13 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll

2007-05-26 16:31 967 --a------ C:\WINDOWS\ScUnin.pif

2007-05-26 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe

2007-05-26 16:31 35,382 --a------ C:\WINDOWS\scunin.dat

2007-05-26 16:30 <DIR> d-------- C:\Program Files\Starcraft

2007-05-23 22:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-05-18 21:25 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2007-05-18 21:25 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-15 19:18:22 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\uTorrent

2007-06-13 23:27:51 -------- d-----w C:\Program Files\AIM6

2007-06-13 07:37:39 55,744 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\GDIPFONTCACHEV1.DAT

2007-06-11 07:41:04 -------- d-----w C:\Program Files\AIM+

2007-06-10 20:07:17 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-26 23:29:58 -------- d-----w C:\Program Files\MAME32k

2007-05-23 02:47:25 1,406 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat

2007-05-19 06:15:18 340 ----a-w C:\WINDOWS\system32\lsprst7.dll

2007-05-19 06:15:07 -------- d-----w C:\Program Files\SPSS

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-14 02:55:04 -------- d-----w C:\Program Files\WarRock

2007-05-12 06:40:54 -------- d-----w C:\Program Files\WiFiConnector

2007-05-08 06:28:04 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll

2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll

2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\ssprs.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth2.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth1.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\nsprs.dll

2007-05-01 03:26:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Viewpoint

2007-04-30 03:51:04 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\acccore

2007-04-30 03:49:49 -------- d-----w C:\Program Files\Viewpoint

2007-04-30 03:49:23 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-30 03:19:58 -------- d-----w C:\Program Files\AIM

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 23:36:40 -------- d-----w C:\Program Files\Apache Group

2007-04-22 01:39:39 4,620 ----a-w C:\WINDOWS\XChange.dat

2007-04-19 00:03:05 -------- d-----w C:\Program Files\Avant Browser

2007-04-19 00:02:22 -------- d-----w C:\Program Files\DivX

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-03-21 05:26:54 1,285 ----a-w C:\WINDOWS\checkip.dat

2007-03-21 05:21:58 1,280 ----a-w C:\WINDOWS\ipconfig.dat

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2006-05-01 09:05:44 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 11:41]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 21:05]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 20:18]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 00:12]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 17:19 C:\WINDOWS\arpwrmsg.exe]

"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 03:41]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

"Aim6"="" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]

path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TA_Start.lnk

backup=C:\WINDOWS\pss\TA_Start.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]

"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{4C-C4-47-78-ZN}]

c:\windows\system32\dwdsregt.exe CHD003

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-16 05:23:00 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-15 22:28:33

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-15 22:29:35 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-15 22:29

 

--- E O F ---

 

 

Comments on running Computer

Currently my computer is running at a better speed than before I did everything. The menus open at a normal speed like before. Checked for Spyware and Adaware 2x, and they keep coming back. I think that I should do this in Safe Mode, so I'm not sure about that one. Everything else is good though. Thank you. :D


Welcome back

Currently my computer is running at a better speed than before I did everything. The menus open at a normal speed like before. Everything else is good though. Thank you

Yes!!

 

Go to Start > Control Panel > Software > Add/Remove Programs and uninstall if present:

 

WinAntiVirus Pro 2007

 

then reboot

 

 

Open notepad and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\drivers\fopn.sys

C:\WINDOWS\system32\geeby.dll.vir

C:\WINDOWS\system32\stera.exe

C:\WINDOWS\system32\fccbayw.dll.vir

C:\temp\x2b

c:\windows\system32\dwdsregt.exe CHD003

 

Folder::

C:\QooBox

C:\Program Files\Common Files\WinAntiVirus Pro 2007

C:\VundoFix Backups

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{4C-C4-47-78-ZN}]

Save this as ComboFix-Do.txt, then drag ComboFix-Do.txt onto ComboFix.exe (image: Combo-Do.gif)

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

 

 

 

One last scan to check for left-overs.

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found: (image: check.gif)
  • If so, click it, then click the next icon right below and select Move incurable as shown in the next image:
    (image: move.gif)
    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

 

 

 

 

 

I didn't detect any active process of a firewall on your system.

 

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better, the Windows XP firewall only checks incoming data.

If you decide to download and install another Firewall, please disable Windows Firewall.

Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on Firewalls and a listing of some available ones see the link below

http://www.bleepingcomputer.com/tutorials/tutorial60.html

 

 

In your next reply I need:

ComboFix log

DrWeb.csv log

New HJT

Comments on how the computer is now.
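
The DrWeb.csv report requested above is a semicolon-separated list of one detection per line (file name; directory; verdict; action; trailing empty field). The following is an added example, not part of this thread or of Dr.Web CureIt, showing how a helper can triage such a report before replying: it parses the rows, separates hits that live inside System Volume Information restore points from hits on the live file system, flags heuristic ("Probably ...") verdicts, and tallies the actions taken. The sample lines are constructed in the same layout as the report posted in this thread; the restore GUID is a placeholder.

```python
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the DrWeb.csv layout (name;directory;verdict;action;).
# The _restore GUID is a placeholder, not a value from a real machine.
SAMPLE_CSV = r"""setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
A0087711.reg;C:\System Volume Information\_restore{EXAMPLE-GUID}\RP475;Trojan.StartPage.1505;Deleted.;
A0098574.sys;C:\System Volume Information\_restore{EXAMPLE-GUID}\RP584;Trojan.NtRootKit.239;Deleted.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
"""

RESTORE_PREFIX = r"c:\system volume information"


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def path(self) -> str:
        """Full path of the detected file, joined with a single backslash."""
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def in_restore_point(self) -> bool:
        """True when the hit is an archived copy inside a System Restore point."""
        return self.directory.lower().startswith(RESTORE_PREFIX)

    @property
    def heuristic(self) -> bool:
        """Dr.Web prefixes heuristic (non-signature) verdicts with 'Probably'."""
        return self.verdict.lower().startswith("probably ")

    @property
    def family(self) -> str:
        """First dotted component of the verdict, e.g. 'Trojan' or 'Adware'."""
        verdict = self.verdict
        if self.heuristic:
            verdict = verdict[len("Probably "):]
        return verdict.split(".")[0]


def parse_drweb_csv(text: str) -> list[Detection]:
    """Parse report rows; blank or malformed lines are skipped, not fatal."""
    detections = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 4 or not row[0].strip():
            continue
        name, directory, verdict, action = (field.strip() for field in row[:4])
        detections.append(Detection(name, directory, verdict, action))
    return detections


def summarize(detections: list[Detection]) -> dict:
    """Counts a helper wants at a glance: actions, families, live vs archived hits."""
    live = [d for d in detections if not d.in_restore_point]
    return {
        "total": len(detections),
        "by_action": dict(Counter(d.action for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        "restore_point_hits": len(detections) - len(live),
        "heuristic_hits": sum(1 for d in detections if d.heuristic),
        "live_paths": [d.path for d in live],
    }


def main() -> None:
    dets = parse_drweb_csv(SAMPLE_CSV)
    report = summarize(dets)
    for key, value in report.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Hits under System Volume Information are copies kept by System Restore rather than files the system currently loads, so the summary lists them separately from the live paths; heuristic verdicts are counted on their own because they are the ones most worth a second opinion before the file is written off as malware.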


Updated HJT

Logfile of HijackThis v1.99.1

Scan saved at 2:14:57 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\RTHDCPL.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

 

Updated ComboFix

ComboFix 07-06-13.7 - C:\Documents and Settings\HP_Administrator\Desktop\VirusScansLogs\ComboFix.exe

"HP_Administrator" - 2007-06-17 8:31:06 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode

C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\history.db

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log

C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat

C:\Program Files\Common Files\WinAntiVirus Pro 2007

C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe

C:\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe

C:\QooBox

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\hosts.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\feyjbdks.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\Launcher.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\pqtwa.bak1.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\skdbjyef.ini.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\ybeeg.bak1.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir

C:\QooBox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf

C:\VundoFix Backups

C:\VundoFix Backups\addmorefiles.txt

C:\VundoFix Backups\fccbaxx.dll.bad

C:\VundoFix Backups\qomjjgd.dll.bad

C:\WINDOWS\system32\drivers\fopn.sys

C:\WINDOWS\system32\fccbayw.dll.vir

C:\WINDOWS\system32\geeby.dll.vir

C:\WINDOWS\system32\stera.exe

 

 

((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))

 

 

2007-06-16 23:57 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.realobjects

2007-06-15 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-11 00:38 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll

2007-06-07 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard

2007-06-06 21:28 <DIR> d-------- C:\temp\x2b

2007-06-04 22:57 11,272,192 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat

2007-05-30 22:13 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll

2007-05-30 22:13 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll

2007-05-30 22:13 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll

2007-05-30 22:13 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll

2007-05-30 22:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll

2007-05-30 22:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll

2007-05-30 22:13 76,288 --a------ C:\WINDOWS\system32\uniime.dll

2007-05-30 22:13 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll

2007-05-30 22:13 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll

2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll

2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll

2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll

2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101.dll

2007-05-30 22:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll

2007-05-30 22:13 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll

2007-05-30 22:13 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll

2007-05-26 16:31 967 --a------ C:\WINDOWS\ScUnin.pif

2007-05-26 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe

2007-05-26 16:31 35,382 --a------ C:\WINDOWS\scunin.dat

2007-05-26 16:30 <DIR> d-------- C:\Program Files\Starcraft

2007-05-23 22:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment

2007-05-18 21:25 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys

2007-05-18 21:25 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-17 15:14:24 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\uTorrent

2007-06-16 17:42:16 -------- d-----w C:\Program Files\Download Manager

2007-06-13 23:27:51 -------- d-----w C:\Program Files\AIM6

2007-06-13 07:37:39 55,744 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\GDIPFONTCACHEV1.DAT

2007-06-11 07:41:04 -------- d-----w C:\Program Files\AIM+

2007-06-10 20:07:17 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-05-26 23:29:58 -------- d-----w C:\Program Files\MAME32k

2007-05-23 02:47:25 1,406 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat

2007-05-19 06:15:18 340 ----a-w C:\WINDOWS\system32\lsprst7.dll

2007-05-19 06:15:07 -------- d-----w C:\Program Files\SPSS

2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-14 02:55:04 -------- d-----w C:\Program Files\WarRock

2007-05-12 06:40:54 -------- d-----w C:\Program Files\WiFiConnector

2007-05-08 06:28:04 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll

2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll

2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\ssprs.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth2.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth1.dll

2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\nsprs.dll

2007-05-01 03:26:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Viewpoint

2007-04-30 03:51:04 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\acccore

2007-04-30 03:49:49 -------- d-----w C:\Program Files\Viewpoint

2007-04-30 03:49:23 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-30 03:19:58 -------- d-----w C:\Program Files\AIM

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-23 23:36:40 -------- d-----w C:\Program Files\Apache Group

2007-04-22 01:39:39 4,620 ----a-w C:\WINDOWS\XChange.dat

2007-04-19 00:03:05 -------- d-----w C:\Program Files\Avant Browser

2007-04-19 00:02:22 -------- d-----w C:\Program Files\DivX

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2007-03-21 05:26:54 1,285 ----a-w C:\WINDOWS\checkip.dat

2007-03-21 05:21:58 1,280 ----a-w C:\WINDOWS\ipconfig.dat

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2006-05-01 09:05:44 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 11:41]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]

"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 21:05]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 20:18]

"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 00:12]

"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 17:19 C:\WINDOWS\arpwrmsg.exe]

"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 03:41]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]

"Aim6"="" []

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]

path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk

backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]

path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TA_Start.lnk

backup=C:\WINDOWS\pss\TA_Start.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]

"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]

"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]

C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

 

 

Contents of the 'Scheduled Tasks' folder

2007-06-17 15:33:00 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-17 08:33:20

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-17 8:33:40

C:\ComboFix2.txt ... 2007-06-15 22:29

 

--- E O F ---

 

Dr. Cure CSV

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1;Probably BACKDOOR.Trojan;Incurable.Moved.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;

KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;

WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;

MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;

SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;Incurable.Moved.;

PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;

A0087711.reg;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP475;Trojan.StartPage.1505;Deleted.;

A0096708.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP571;Adware.ZenoSearch;Incurable.Moved.;

A0097803.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0097843.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0097881.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0097916.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.DownLoader.10963;Deleted.;

A0097917.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0097918.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0097919.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0097921.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0097976.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;

A0098332.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Fakealert;Deleted.;

A0098337.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.DownLoader.10963;Deleted.;

A0098344.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;

A0098488.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Fakealert;Deleted.;

A0098502.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;

A0098523.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;

A0098574.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.NtRootKit.239;Deleted.;

A0098575.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;

A0098612.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;

A0098613.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;

A0098627.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;

A0098640.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;

A0098859.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP586;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0099037.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP588;Trojan.Virtumod;Deleted.;

A0099038.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP588;Trojan.Virtumod;Deleted.;

A0099260.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP589;Trojan.DownLoader.10963;Deleted.;

UWA7P_0001_N91M0809NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10963;Deleted.;

firstopt.js;D:\I386\Apps\APP15514;Probably SCRIPT.Virus;Incurable.Moved.;

 

 

Computer Notes

Currently the computer is still running the same speed as the last time I posted. After this post, I am going to install the ZoneAlarm Firewall.

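As an added example (not part of the original thread, and not XPuser57's or the helper's code), the Python script below reads a Dr.Web report in the CSV layout posted above and sorts each detection by where it lives. It assumes the field order `name;folder;detection;action;` with a trailing separator, and that a verdict prefixed with "Probably" is a heuristic rather than a signature match; the embedded sample is a constructed subset of the report posted above. Run over the full report it makes the later advice to flush System Restore concrete: a large share of the hits sit in `_restore{GUID}\RPnnn` folders, and restoring to one of those points would bring the files back.

```python
"""Summarise a Dr.Web CSV report by where each detection lives."""
import re

# Constructed subset of the CSV report posted above (same layout:
# name;folder;detection;action; with a trailing separator).
SAMPLE_CSV = r"""
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
A0087711.reg;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP475;Trojan.StartPage.1505;Deleted.;
A0098574.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.NtRootKit.239;Deleted.;
A0098612.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;
UWA7P_0001_N91M0809NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10963;Deleted.;
firstopt.js;D:\I386\Apps\APP15514;Probably SCRIPT.Virus;Incurable.Moved.;
"""

# System Restore keeps copies of changed files under a per-volume
# _restore{GUID} folder, one RPnnn subfolder per restore point.
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)$"
)


def parse_drweb_csv(text):
    """Parse the report into one dict per detection (blank lines skipped)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.rstrip(";").split(";")
        if len(fields) != 4:
            raise ValueError(f"unexpected field count: {line!r}")
        name, folder, detection, action = fields
        m = RESTORE_RE.match(folder)
        rows.append({
            "name": name,
            "folder": folder,
            "detection": detection,
            "action": action,
            # Assumption: Dr.Web prefixes heuristic verdicts with "Probably".
            "heuristic": detection.startswith("Probably "),
            # Restore point id (e.g. "RP584") when the file was a System
            # Restore copy, otherwise None.
            "restore_point": m.group(1) if m else None,
        })
    return rows


def count(values):
    """Plain-dict histogram of an iterable (keeps insertion order)."""
    out = {}
    for v in values:
        out[v] = out.get(v, 0) + 1
    return out


def summarize(rows):
    """Split detections into live locations vs. System Restore copies."""
    in_restore = [r for r in rows if r["restore_point"]]
    live = [r for r in rows if not r["restore_point"]]
    return {
        "by_location": {"restore_point": len(in_restore), "live": len(live)},
        "restore_points": sorted({r["restore_point"] for r in in_restore},
                                 key=lambda rp: int(rp[2:])),
        # Full paths of the hits that were not just restore-point copies;
        # these are the ones to account for individually.
        "live_paths": [r["folder"] + "\\" + r["name"] for r in live],
        "heuristic": sum(r["heuristic"] for r in rows),
        "actions": count(r["action"] for r in rows),
        "detections": count(r["detection"] for r in rows),
    }


if __name__ == "__main__":
    report = summarize(parse_drweb_csv(SAMPLE_CSV))
    print("by location:", report["by_location"])
    print("restore points touched:", report["restore_points"])
    print("live paths:")
    for p in report["live_paths"]:
        print("  ", p)
    print("heuristic verdicts:", report["heuristic"])
```

The `live_paths` list is the part worth reading closely: anything outside a restore point is a file that was actually in place, while the `RPnnn` entries only tell you which restore points would reintroduce it.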

Welcome back

 

 

Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
     
    C:\temp\x2b
    C:\WINDOWS\ScUnin.pif
    C:\WINDOWS\system32\feyjbdks.dll
     
     
  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

 

Please post the log from OTMoveIt, located here:

 

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.

 

 

 

 

Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files". It will look like this: [screenshot: reg.gif]

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

 

 

 

 

System restore had several infections located there so it is best at this time to flush that out.

 

Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.

After reboot, go back in and turn System Restore back on. That will flush system restore out.

More info and screenshots:

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

You can find instructions on how to disable and reenable system restore here also:

Windows XP System Restore Guide

 

 

 

In your next reply post

OTMoveIt log

New HJT log

Comments on what issues remain now.


OTMoveIt Log:

C:\temp\x2b moved successfully.

C:\WINDOWS\ScUnin.pif moved successfully.

File/Folder C:\WINDOWS\system32\feyjbdks.dll not found.

 

Created on 06/18/2007 15:47:06

 

New HJT Log:

Logfile of HijackThis v1.99.1

Scan saved at 4:28:43 PM, on 6/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\RTHDCPL.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Avant Browser\avant.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

 

 

Computer Notes:

The computer is running fine now. The only problem is that constantly the same Spyware/Ad-aware keeps coming back, even after being removed. I do the scan 2-3 times, and the same ones usually come back. I couldn't get ZoneAlarm since it would only be a trial period, so I decided to go with Sygate Personal Firewall. Also WinAnti-Virus 2007 still exists in my Control Panel, although all of its components are gone.

[screenshot: controlpanelrc6.jpg]

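Added example, not code from the thread or from the HijackThis project: a small Python triage pass over a HijackThis log. It assumes the `Oxx - ...` line layout seen in the log above and uses a constructed subset of that log as input. It flags three things a reviewer normally checks by hand: entries HJT marks `(file missing)` (leftovers that point at nothing), `O16` ActiveX downloads grouped by the host they came from, and `O4` Run values that name a bare executable with no path (such as `ARPWRMSG.EXE` here), which are worth confirming because Windows then has to locate the file by search path rather than by an explicit location.

```python
"""Parse a HijackThis log and pull out the entries worth a second look."""
import re
from urllib.parse import urlsplit

# Constructed subset of the HijackThis log posted above.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# Every HJT entry starts with a section code (R0, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# O4 Run values: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")


def parse_hjt(text):
    """Return (section, body) for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Count sections and flag the entries that need a manual look."""
    sections, dpf_hosts = {}, {}
    file_missing, unqualified_run = [], []
    for sec, body in entries:
        sections[sec] = sections.get(sec, 0) + 1
        # HJT appends "(file missing)" when the referenced file is gone.
        if body.endswith("(file missing)"):
            file_missing.append((sec, body))
        # O16 = ActiveX control in Downloaded Program Files; the URL it was
        # fetched from is the last " - " separated field.
        if sec == "O16":
            host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname
            dpf_hosts[host] = dpf_hosts.get(host, 0) + 1
        # O4 Run value whose command has no directory at all: Windows must
        # find the executable via its search path, so confirm where it lives.
        if sec == "O4":
            rm = RUN_RE.match(body)
            if rm and "\\" not in rm.group(3).lstrip('"'):
                unqualified_run.append(rm.group(2))
    return {
        "sections": sections,
        "file_missing": file_missing,
        "dpf_hosts": dpf_hosts,
        "unqualified_run": unqualified_run,
    }


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT))
    print("entries per section:", result["sections"])
    print("file missing:", [sec for sec, _ in result["file_missing"]])
    print("ActiveX download hosts:", result["dpf_hosts"])
    print("Run values without a path:", result["unqualified_run"])
```

Grouping `O16` entries by host is mostly a reading aid: the log above has two dozen of them from game and messenger sites, and seeing them per host makes it easy to decide which ones the user still recognises.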

Welcome back

 

The computer is running fine now
:thumbsup:
The only problem is that constantly the same Spyware/Ad-aware keeps coming back
:ugh:

 

Can you give me the name or names of what it finds?

File paths?

What scanner are you using when you find Spyware/Adware?

 

 

Please download Registry Search Tool and save it to your desktop.

Unzip (extract) it to your desktop and double-click on regsrch.vbs

(if you have script protection, please allow this to run).

In the dialog that opens enter the following:

WinAnti-Virus 2007

 

Press OK. The search will run for a while, then alert you when it is finished. Press OK and copy the contents of the WordPad window and post in this thread.


Spyware/Ad-Aware:

AdRevolver

Advertising.com 3

AvenueA, Inc. 3

BlackCore 2

DoubleClick 4

FastClick 3

HitBox

MediaPlex

Statcounter

Blue Streak

 

The number next to them is after I scanned the computer again, and again. This was right after each other and I healed them. They were tracking cookies, and I forgot to look before I got rid of them. The scanner that I use is Spybot S&D. It's been good to me up until now, and yeah. Those ones are the ones that come up the most, DoubleClick and AvenueA[sp?].

 

After running the script, it said that there were no Instances of WinAnti-Virus 2007. Rawr. Hmmm...


Welcome back

 

Returning cookies are not a problem and nothing to worry about. These tracking cookies are present on certain sites you visit, even good sites.

Read here what cookies are:

http://www.microsoft.com/info/cookies.mspx

An easy way to get rid of cookies is:

 

1. Start Internet Explorer.

2. On the Tools menu, click Internet Options, and then click the General tab.

3. In the Temporary Internet Files section, click Delete Cookies..., click OK, and then click OK again.

 

 

You can also use CookieWall:

http://www.analogx.com/contents/download/network/cookie.htm

This program will let you decide what cookies to allow and what cookies to deny.

 

 

Another good and suggested free program to prevent cookies:

Install and update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.

Tutorial

Make sure both of these boxes are checked in SpywareBlaster....

"prevent the installation of ActiveX- etc"

"prevent ad/tracking cookies"

 

 

 

 

Delete an Entry from the Uninstall List

  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the entry you wish to delete ->WinAntiVirus Pro 2007
  • Click on Delete this entry
  • Click "Yes"

 

 

Windows Installer Clean Up Utility

Use the above link if HJT says it cannot delete from Uninstall list.

 

 

 

We're going to continue on to clean you up. Cleanup the tools

Next open OTMoveIt, then click on "CleanUp!". If you receive a warning from your Firewall please allow. A list of tools we used will appear in the right hand column. It should say "successful" when they appear.

You will see a pop up that tells you the system requires a reboot (to remove all the tools listed). Click YES.

 

 

 

 

 

One more scan we can use for leftover entries

 

Download the trial version of Spy Sweeper from

Here

 

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

 

You will be prompted to check for updated definitions, please do so.

(This may take several minutes)

 

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

 

Click on Sweep and allow it to fully scan your system.

 

When the sweep has finished, click Remove. Click Select All and then Next.

 

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

 

Exit Spy Sweeper.

 

 

Post the log please.

Edited by Juliet


12:15 PM: Removal process completed. Elapsed time 00:00:20

12:15 PM: Quarantining All Traces: yadro cookie

12:15 PM: Quarantining All Traces: xiti cookie

12:15 PM: Quarantining All Traces: hermoment.com cookie

12:15 PM: Quarantining All Traces: tribalfusion cookie

12:15 PM: Quarantining All Traces: trafficmp cookie

12:15 PM: Quarantining All Traces: tacoda cookie

12:15 PM: Quarantining All Traces: statcounter cookie

12:15 PM: Quarantining All Traces: realmedia cookie

12:15 PM: Quarantining All Traces: questionmarket cookie

12:15 PM: Quarantining All Traces: overture cookie

12:15 PM: Quarantining All Traces: nextag cookie

12:15 PM: Quarantining All Traces: mediaplex cookie

12:15 PM: Quarantining All Traces: bluestreak cookie

12:15 PM: Quarantining All Traces: atwola cookie

12:15 PM: Quarantining All Traces: atlas dmt cookie

12:15 PM: Quarantining All Traces: advertising cookie

12:15 PM: Quarantining All Traces: cpxinteractive cookie

12:15 PM: Quarantining All Traces: adserver cookie

12:15 PM: Quarantining All Traces: adreactor cookie

12:15 PM: Quarantining All Traces: pointroll cookie

12:15 PM: Quarantining All Traces: adrevolver cookie

12:15 PM: Quarantining All Traces: specificclick.com cookie

12:15 PM: Quarantining All Traces: 2o7.net cookie

12:15 PM: Quarantining All Traces: 247realmedia cookie

12:15 PM: Quarantining All Traces: winad

12:15 PM: Quarantining All Traces: zenosearchassistant

12:15 PM: Quarantining All Traces: purityscan

12:15 PM: Quarantining All Traces: virtumonde

12:15 PM: Removal process initiated

12:11 PM: Traces Found: 41

12:11 PM: Full Sweep has completed. Elapsed time 01:11:00

12:10 PM: File Sweep Complete, Elapsed Time: 01:06:03

12:10 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E4C000C

11:55 AM: Warning: Unable to sweep compressed file: "c:\documents and settings\hp_administrator\desktop\somemorepixforyouandlolapaz.zip": File not found

11:47 AM: ApplicationMinimized - EXIT

11:47 AM: ApplicationMinimized - ENTER

Not enough storage is available to process this command

11:44 AM: Warning: Unable to sweep compressed file: System Error. Code: 8.

11:40 AM: Warning: Unable to sweep compressed file: "c:\documents and settings\hp_administrator\local settings\temporary internet files\content.ie5\bnihhbf5\rf-060526[1].rar": File not found

Access is denied

11:39 AM: Warning: Unable to sweep compressed file: System Error. Code: 5.

11:33 AM: ApplicationMinimized - EXIT

11:33 AM: ApplicationMinimized - ENTER

11:32 AM: ApplicationMinimized - EXIT

11:32 AM: ApplicationMinimized - ENTER

11:31 AM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E6D000C

11:30 AM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E8E000C

11:29 AM: Warning: SweepDirectories: Cannot find directory "j:". This directory was not added to the list of paths to be scanned.

11:29 AM: Warning: SweepDirectories: Cannot find directory "i:". This directory was not added to the list of paths to be scanned.

11:29 AM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.

11:29 AM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.

11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@dehp.myspace[1].txt". The operation completed successfully

11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt". The operation completed successfully

11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:18 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:12 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:11 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:09 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:08 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:06 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:05 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098575.exe (ID = 294)

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098344.exe (ID = 294)

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0096708.exe (ID = 294)

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098627.exe (ID = 294)

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098523.exe (ID = 294)

11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098502.exe (ID = 294)

11:05 AM: Found Adware: zenosearchassistant

11:04 AM: Starting File Sweep

11:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@yadro[2].txt (ID = 3743)

11:04 AM: Found Spy Cookie: yadro cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@xiti[1].txt (ID = 3717)

11:04 AM: Found Spy Cookie: xiti cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@www2.hermoment[1].txt (ID = 2774)

11:04 AM: Found Spy Cookie: hermoment.com cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tribalfusion[2].txt (ID = 3589)

11:04 AM: Found Spy Cookie: tribalfusion cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@trafficmp[1].txt (ID = 3581)

11:04 AM: Found Spy Cookie: trafficmp cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tacoda[2].txt (ID = 6444)

11:04 AM: Found Spy Cookie: tacoda cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt (ID = 3447)

11:04 AM: Found Spy Cookie: statcounter cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@realmedia[1].txt (ID = 3235)

11:04 AM: Found Spy Cookie: realmedia cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@questionmarket[2].txt (ID = 3217)

11:04 AM: Found Spy Cookie: questionmarket cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@overture[2].txt (ID = 3105)

11:04 AM: Found Spy Cookie: overture cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@nextag[2].txt (ID = 5014)

11:04 AM: Found Spy Cookie: nextag cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@msnportal.112.2o7[1].txt (ID = 1958)

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@mediaplex[2].txt (ID = 6442)

11:04 AM: Found Spy Cookie: mediaplex cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@indigio.122.2o7[1].txt (ID = 1958)

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@bluestreak[1].txt (ID = 2314)

11:04 AM: Found Spy Cookie: bluestreak cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atwola[1].txt (ID = 2255)

11:04 AM: Found Spy Cookie: atwola cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atdmt[2].txt (ID = 2253)

11:04 AM: Found Spy Cookie: atlas dmt cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@advertising[2].txt (ID = 2175)

11:04 AM: Found Spy Cookie: advertising cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserving.cpxinteractive[2].txt (ID = 8939)

11:04 AM: Found Spy Cookie: cpxinteractive cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver[1].txt (ID = 2141)

11:04 AM: Found Spy Cookie: adserver cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver.adreactor[1].txt (ID = 2087)

11:04 AM: Found Spy Cookie: adreactor cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@ads.pointroll[2].txt (ID = 3148)

11:04 AM: Found Spy Cookie: pointroll cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[3].txt (ID = 2088)

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[1].txt (ID = 2088)

11:04 AM: Found Spy Cookie: adrevolver cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adopt.specificclick[2].txt (ID = 3400)

11:04 AM: Found Spy Cookie: specificclick.com cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@2o7[2].txt (ID = 1957)

11:04 AM: Found Spy Cookie: 2o7.net cookie

11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@247realmedia[1].txt (ID = 1953)

11:04 AM: Found Spy Cookie: 247realmedia cookie

11:04 AM: Starting Cookie Sweep

11:04 AM: Registry Sweep Complete, Elapsed Time:00:00:40

11:04 AM: HKLM\software\microsoft\windows\currentversion\uninstall\outerinfo\ (ID = 2063030)

11:04 AM: Found Adware: purityscan

11:04 AM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)

11:04 AM: HKLM\software\microsoft\rasap2k\ (ID = 1511572)

11:04 AM: Found Adware: virtumonde

11:04 AM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)

11:04 AM: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1049593)

11:04 AM: HKCR\appid\activex.dll\ || appid (ID = 1049592)

11:04 AM: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1023385)

11:04 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (ID = 763026)

11:04 AM: Found Adware: winad

11:04 AM: Starting Registry Sweep

11:04 AM: Memory Sweep Complete, Elapsed Time: 00:04:06

11:00 AM: ApplicationMinimized - EXIT

11:00 AM: ApplicationMinimized - ENTER

11:00 AM: Starting Memory Sweep

11:00 AM: Start Full Sweep

11:00 AM: Sweep initiated using definitions version 935

10:58 AM: ApplicationMinimized - EXIT

10:58 AM: ApplicationMinimized - ENTER

10:58 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities

Keylogger: Off

10:58 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities

E-mail Attachment: On

BHO Shield: On

IE Security Shield: On

Alternate Data Stream (ADS) Execution Shield: On

Startup Shield: On

Common Ad Sites: Off

Hosts File Shield: On

Internet Communication Shield: On

ActiveX Shield: On

Windows Messenger Service Shield: On

IE Favorites Shield: On

File System Shield: On

Execution Shield: On

System Services Shield: On

IE Hijack Shield: On

IE Tracking Cookies Shield: Off

10:58 AM: Shield States

10:58 AM: License Check Status (0): Success

10:57 AM: Spyware Definitions: 923

10:57 AM: Spy Sweeper 5.5.1.3354 started

10:57 AM: Spy Sweeper 5.5.1.3354 started

10:57 AM: | Start of Session, Thursday, June 21, 2007 |

***************

There is the log from Spy Sweeper. Sorry it's taken a while, my cousin just graduated, and my sister came in town randomly, so yeah. My apologies.


Welcome back

How are things running now?

In my last post I suggested:

Delete an Entry from the Uninstall List

  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the box that says "Uninstall Manager"
  • Click on the entry you wish to delete -> WinAntiVirus Pro 2007
  • Click on "Delete this entry"
  • Click "Yes"

Windows Installer Clean Up Utility

Use the above link if HJT says it cannot delete from the Uninstall list.

Can you post a new HJT log, please?


Logfile of HijackThis v1.99.1

Scan saved at 9:44:23 PM, on 6/22/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WiFiConnector\NintendoWFCReg.exe

C:\WINDOWS\arservice.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\System32\svchost.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\RTHDCPL.EXE

c:\windows\system\hpsysdrv.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Grisoft\AVG7\avgcc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\wisptis.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Avant Browser\avant.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"

O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE

O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui

O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe

O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html

O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"

O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm

O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB

O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyrey.com/clientdll/printtemplateviewer.cab

O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab

O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangame.co.kr/static/cab/common/scsk4.cab

O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab

O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron.co.kr/_DownUtil/syscab/Dekaron.CAB

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab

O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame.com/dist/activex/HanGamePlugin19.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab

O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab

O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab55579.cab

O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab55762.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.com/common/HanSetup1009.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.net/com/KALogoutComponent.cab

O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab

O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab55200.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

 

The computer is running fine now. Sometimes the internet is slow, but I think that's the company. Haha. When I checked the HJT, it did not detect anything with WinAnti-Virus2007. That's the weird thing, it wasn't in the un-installer list, and yeah. >_>


Welcome back

The computer is running fine now. Sometimes the internet is slow, but I think that's the company. Haha. When I checked the HJT, it did not detect anything with WinAnti-Virus2007.

:thumbsup:

I see in your startup programs list two active firewalls:

  • Sygate Firewall
  • Outpost Firewall

One needs to be removed: running both is a huge waste of system resources, and it will not give you added protection but rather conflicts along with errors.

 

 

Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

 

To disable SpySweeper:

 

Open it, click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".

Over to the left click "shields"

  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".

Remember after your system is clean to re-enable Spy Sweeper.

 

 

 

Open HijackThis, click "Do a system scan only" and checkmark these. Then close all other windows and browsers except HijackThis and press "Fix checked".

 

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab

 

 

We're going to continue on to clean you up.

Next open OTMoveIt, then click on "CleanUp!". If you receive a warning from your firewall, please allow it. In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.

Do not edit anything in that Window!

Don't worry if it displays some tools you didn't download/use.

Click Yes when it asks to Begin cleanup process.

Then reboot your computer.

 

 

Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.

After reboot, go back in and turn System Restore back on. That will flush System Restore out.

More info and screenshots:

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

You can find instructions on how to disable and reenable system restore here also:

Windows XP System Restore Guide

 

 

 

If there are no more issues or problems, you're good to go!

 

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

 

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.

 

 

Install and update SpywareBlaster. It protects against bad ActiveX controls, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.

Tutorial

 

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.

Tutorial

 

Install and update Spybot - Search & Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

Tutorial

Run on a regular basis

 

Install and Update Ad-Aware SE Personal

You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

Tutorial

Run on a regular basis

 

SUPERAntiSpyware

This is another excellent FREE scanner to look for nasties that might be lurking in your system.

SUPERAntiSpyware and AVG Anti-Spyware complement each other very well. Quick Guide: How to use!

 

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

And run them regularly, as this can prevent a great deal of spyware hassle.

 

Please take the time to read this article with suggestions and information on 'Safe Computing Practices':

So how did I get infected in the first place?

Another valuable article to read: Dealing with Unwanted Spyware and Parasites

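The HJT log format posted in this thread, and the triage the helper performs on it (the O9 entry marked "(file missing)", the O16 DPF controls, the two firewalls started at boot), can be reproduced in code. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, and the firewall marker list is a constructed assumption covering only the two products named here.

```python
"""Parse the HijackThis (HJT) log format posted in this thread and surface
the items the helper acted on: entries whose backing file is missing, O16
ActiveX (DPF) downloads grouped by source host, and more than one personal
firewall being started.  Added example; sample lines copied from the log above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a subset of lines copied verbatim from the HJT log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [smcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyrey.com/common/ClientChec...AdvancedCAB.CAB
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

FILE_MISSING = " (file missing)"
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")  # "O9 - ..."
# Per-section body layouts, as they appear in the log above.
PARSERS = {
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<command>.+)$"),
    "O9": re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.+?)"
                     r" - \{(?P<clsid>[^}]+)\} - (?P<path>.+)$"),
    "O16": re.compile(r"^DPF: (?:\{(?P<clsid>[^}]+)\} \((?P<name>.+?)\)|(?P<plain>.+?))"
                      r" - (?P<url>\S+)$"),
    "O23": re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^()]+)\))?"
                      r" - (?P<vendor>.+?) - (?P<path>.+)$"),
}

@dataclass
class Entry:
    section: str                 # e.g. "O9", "O16", "O23"
    raw: str                     # the full log line
    file_missing: bool = False   # HJT appended "(file missing)"
    fields: dict = field(default_factory=dict)

def parse_hjt(text):
    """Turn HJT log text into Entry objects; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the "Running processes:" list, blanks
        entry = Entry(section=m.group("section"), raw=line.strip())
        body = m.group("body")
        if body.endswith(FILE_MISSING):
            entry.file_missing = True
            body = body[: -len(FILE_MISSING)]
        pat = PARSERS.get(entry.section)
        fm = pat.match(body) if pat else None
        if fm:
            entry.fields = {k: v for k, v in fm.groupdict().items() if v is not None}
            if "plain" in entry.fields:  # O16 variant without a CLSID
                entry.fields["name"] = entry.fields.pop("plain")
        entries.append(entry)
    return entries

def missing_file_entries(entries):
    """Entries whose target file HJT reports as absent: orphaned references
    that can be fixed without losing anything, like the Outpost O9 entry."""
    return [e for e in entries if e.file_missing]

def dpf_controls_by_host(entries):
    """Group O16 ActiveX downloads by source host so each source is
    reviewed once rather than CLSID by CLSID."""
    by_host = defaultdict(list)
    for e in entries:
        if e.section == "O16" and "url" in e.fields:
            host = urlparse(e.fields["url"]).hostname or "?"
            by_host[host].append(e.fields.get("name", "?"))
    return dict(by_host)

# Markers for the two firewalls named in this thread (constructed list),
# matched case-insensitively against O4 Run entries and O23 services.
FIREWALL_MARKERS = {"sygate": "Sygate Personal Firewall",
                    "agnitum": "Outpost Firewall", "outpost": "Outpost Firewall"}

def active_firewalls(entries):
    """Firewall products referenced from Run keys or services; more than one
    is the conflicting setup the helper warns about."""
    found = set()
    for e in entries:
        if e.section in ("O4", "O23"):
            for marker, product in FIREWALL_MARKERS.items():
                if marker in e.raw.lower():
                    found.add(product)
    return found

if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for e in missing_file_entries(parsed):
        print("file missing:", e.raw)
    for host, names in sorted(dpf_controls_by_host(parsed).items()):
        print(f"O16 controls from {host}: {', '.join(names)}")
    fws = active_firewalls(parsed)
    if len(fws) > 1:
        print("more than one firewall present:", ", ".join(sorted(fws)))
```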

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.
