Trojan's keep coming back


  • This topic is locked
21 replies to this topic

#1 XPuser57 (Full Member, 10 posts)

Posted 11 June 2007 - 09:35 PM

here's my log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:21:04 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Documents and Settings\HP_Administrator\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com
O1 - Hosts: 85.214.19.81 l2authd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccbayw.dll
O2 - BHO: (no name) - {92fecfc8-83cc-4943-854f-fbcb46c3c24e} - (no file)
O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [{4C-C4-47-78-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - http://www.square-en...8_1280x1024.jpg

--
End of file - 16744 bytes

#2 mejensen1 (New Member, 2 posts)

Posted 11 June 2007 - 10:30 PM

I had a few days of pop ups and got some very reputable anti spy ad software, but the pop ups would come back.

However, since running this program they seem to have stopped, though it might have been a different program; I think it is this one, as it is intended for basically just one bug!

http://www.atribune....tent/view/24/2/


Friday, 03 February 2006
VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool follow the instructions below.

Please download VundoFix.exe to your desktop.

#3 SWI Support Robot (SWI Bot, helper robot, 23,523 posts)

Posted 14 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 15 June 2007 - 12:20 PM

Hi and welcome

The version of HijackThis you are running is Beta, a product that is normally in its final stages of testing.
Often, a Beta version of a product may contain minor bugs and glitches, so let’s work with final version HijackThis 1.99.1 instead.

Use Control Panel > Add/Remove Programs to remove HijackThis v2.
Then, do a search and also delete any Folders or Files the program created.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
Do this now.


How to remove the Sony - XCP DRM Rootkit


After you follow through with the above procedure, next:


Open HJT, click Scan only, and place a check by these entries:

O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com
O1 - Hosts: 85.214.19.81 l2authd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccbayw.dll
O2 - BHO: (no name) - {92fecfc8-83cc-4943-854f-fbcb46c3c24e} - (no file)
O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [{4C-C4-47-78-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.drivecleaner.com (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantispyware.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc.../bridge-c18.cab
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll
O20 - Winlogon Notify: geeby - C:\WINDOWS\system32\geeby.dll

Close all windows and browsers except HJT and click fix checked


Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As":
http://www.mvps.org/.../DelDomains.inf
Save the file to the desktop.
Then go to the desktop, right click on DelDomains.inf, and choose Install. You may not see any noticeable changes or prompts; this is normal.
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Download Combofix from http://download.blee...ta/ComboFix.exe
Important.....Place it on your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE)6u1
  • Scroll to Java Runtime Environment (JRE) 6u1 and click on the download button
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    Go to Start > Control Panel double-click on the Software icon > add/remove programs.
    Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: [image]
    Select it and click Remove.
  • Close any programs you may have running - especially your web browser.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.


In your next reply post:
Vundo C:\vundofix.txt log
ComboFix log
New HJT log

Comments on how the computer is running now
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
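As an added example (not code from the thread, from Juliet, or from any tool she names), the Python script below applies the checks her fix list relies on to a HijackThis log: $sys$ process names, hosts overrides, orphaned or unnamed BHOs, rogue Trusted Zone domains, unknown Winlogon Notify DLLs, and autostarts from Temp or via rundll32. The Winlogon Notify allow-list and the sample log are constructed for the example.

```python
import re

# Rogue "security product" domains the helper told the poster to remove from
# IE's Trusted Zone (the O15 lines in the thread).
ROGUE_TRUSTED_DOMAINS = {
    "amaena.com", "drivecleaner.com", "errorprotector.com", "errorsafe.com",
    "imageservr.com", "imagesrvr.com", "systemdoctor.com",
    "winantispyware.com", "winantivirus.com", "winfixer.com",
}

# Winlogon Notify packages normally present on Windows XP. Assumption: a short
# allow-list of the kind a helper keeps; anything not on it gets a second look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

ENTRY = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
TEMP_DIR = re.compile(r"\\Local Settings\\Temp\\", re.IGNORECASE)
RANDOM_SYS32_DLL = re.compile(r"\\system32\\[a-z]{5,8}\.dll$", re.IGNORECASE)
RUNDLL32_SYS32 = re.compile(
    r'rundll32\.exe "[^"]+\\system32\\[a-z]{5,9}\.dll",\w+', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into (code, body) pairs.

    Lines under 'Running processes:' get the pseudo-code 'process'; the
    R0/R1/O1/... entries keep their HijackThis code."""
    entries, in_processes = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif in_processes:
            entries.append(("process", line))
    return entries


def classify(code, body):
    """Return the reason an entry needs attention, or None if it looks benign."""
    if code == "process" and "$sys$" in body:
        return "XCP DRM rootkit component ($sys$ names are cloaked by its driver)"
    if code == "O1":
        return "hosts file override redirects a hostname to a fixed IP"
    if code in ("O2", "O3") and "(no file)" in body:
        return "orphaned CLSID registration (DLL no longer exists)"
    if code in ("O2", "O3") and "(no name)" in body and RANDOM_SYS32_DLL.search(body):
        return "unnamed BHO/toolbar loading a random-name DLL from system32"
    if code == "O15":
        domain = body.split("Trusted Zone: ", 1)[1].split()[0].lstrip("*.").lower()
        if domain in ROGUE_TRUSTED_DOMAINS:
            return "rogue security-product domain in IE Trusted Zone"
    if code == "O20":
        name = body.split("Winlogon Notify: ", 1)[1].split(" - ")[0].lower()
        if "(file missing)" in body:
            return "Winlogon Notify package points at a missing DLL"
        if name not in KNOWN_WINLOGON_NOTIFY:
            return "unknown Winlogon Notify DLL (loaded into winlogon.exe at logon)"
    if code == "O4" and TEMP_DIR.search(body):
        return "autostart launched from the user's Temp directory"
    if code == "O4" and RUNDLL32_SYS32.search(body):
        return "rundll32 autostart calling an export of an unnamed system32 DLL"
    return None


def triage(text):
    """Run every entry of a log through classify() and keep the hits."""
    findings = []
    for code, body in parse_log(text):
        reason = classify(code, body)
        if reason:
            findings.append((code, body, reason))
    return findings


# Constructed sample: a handful of lines in the formats seen in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O1 - Hosts: 85.214.19.81 l2authd.lineage2.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A5EB3F8F-8A41-4684-B1A4-19F467771860} - C:\WINDOWS\system32\geeby.dll
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\HP_Administrator\Local Settings\Temp\TICHD003.exe
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: fccbayw - C:\WINDOWS\SYSTEM32\fccbayw.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"[{code:>7}] {reason}\n          {body}")
```

The Spybot SDHelper entry and the AVG service pass through untouched, which is the point of the "(no name)" rule being tied to a random-name system32 path rather than to the missing name alone.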

#5 Indrid_Cold (Forum Deity, Emeritus, 7,070 posts)

Posted 15 June 2007 - 03:12 PM

Greetings XPuser57

Please know that the group Members have no standing here as Helpers. It would be in your best interest to accept advice only when it is given by a member of one of our trained Helper groups. See here Who is helping you?

I will now leave you in the capable hands of Juliet.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#6 XPuser57 (Full Member, 10 posts)

Posted 16 June 2007 - 12:34 AM

NEW HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:55:37 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\CDProxyServ.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O1 - Hosts: 85.214.19.81 l2testauthd.lineage2.com
O1 - Hosts: 85.214.19.81 l2authd.lineage2.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Vundo Fix Log

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.

Scan started at 10:17:59 PM 6/15/2007

Listing files found while scanning....

C:\windows\system32\fccbaxx.dll
C:\windows\system32\qomjjgd.dll

Beginning removal...

Attempting to delete C:\windows\system32\fccbaxx.dll
C:\windows\system32\fccbaxx.dll Has been deleted!

Attempting to delete C:\windows\system32\qomjjgd.dll
C:\windows\system32\qomjjgd.dll Has been deleted!

Performing Repairs to the registry.
Done!

Combo Fix Quarantine
2006-01-27 23:43	  780	--a------	C:\Qoobox\Quarantine\C\WINDOWS\hosts.vir
2007-03-07 10:37	  264376	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\Launcher.exe.vir
2007-06-07 02:21	  1836461	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\pqtwa.bak1.vir
2007-06-11 00:37	  40183	--a------	C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
2007-06-11 12:33	  1836476	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.bak1.vir
2007-06-11 12:41	  124436	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\feyjbdks.dll.vir
2007-06-11 21:03	  943877	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\skdbjyef.ini.vir
2007-06-11 21:50	  1840160	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir
2007-06-15 22:26	  1004	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf


Folder PATH listing for volume HP_PAVILION
Volume serial number is 7A54-C478
C:\QOOBOX
\---Quarantine
	+---C
	|   +---Program Files
	|   |   \---Common Files
	|   |		   Yazzle1281OinUninstaller.exe.vir
	|   |		   
	|   \---WINDOWS
	|	   |   hosts.vir
	|	   |   
	|	   \---system32
	|			   feyjbdks.dll.vir
	|			   Launcher.exe.vir
	|			   pqtwa.bak1.vir
	|			   skdbjyef.ini.vir
	|			   ybeeg.bak1.vir
	|			   ybeeg.ini.vir
	|			   
	\---Registry_backups
			LEGACY_CORE.reg.cf
			


#7 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 16 June 2007 - 08:06 AM

Welcome back

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
This will change from what we know in 2006; read this article:
http://www.clickz.co...cle.php/3561546
A side note about AIM Messenger, AOL users and Viewpoint Manager: Viewpoint is one of the graphic engines that AOL uses, and it is bundled with the application. If you continue to use AIM Messenger, it would likely be reinstalled. Or if you receive some of the AOL E-cards, it may ask you to download and run this program to view and run the graphics in the E-cards.
Your call.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Then reboot.

Using windows explorer search for and delete this folder
C:\Program Files\Viewpoint


To remove the Sony rootkit:
Click here to download and run the XCP Uninstaller.
Restart your computer after you uninstall.



Open HJT and click scan only, place a check by these entries if still present

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai...cat-no-eula.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Close all windows and browsers except HJT and click fix checked


In your last post you copied and pasted the ComboFix quarantine log; please search for combofix.txt and post that along with a new HJT log.

I need comments on how your computer is running now.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
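A small triage helper for HijackThis logs like the ones posted in this thread, added here as an illustration and not part of the forum post or of HijackThis itself. It flags the same kinds of entries the helper asked to fix: Winlogon Notify hooks and BHOs whose backing file is missing, O23 services with an unknown owner, and paths carrying the $sys$ prefix of the XCP rootkit discussed above. The sample log lines are constructed from entries quoted in this thread; the flagging rules are this example's own heuristics, not HijackThis logic.

```python
import re

# Constructed sample, copied from the kinds of entries quoted in this thread
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: c_8res - c_8res.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# An HJT entry looks like "O23 - Service: <name> - <owner> - <path>".
# The kind label ends at the first colon; "C:\..." paths come after it.
ENTRY_RE = re.compile(r"^(?P<section>[OR]\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")


def parse_entry(line):
    """Split one HJT line into section, kind and its ' - ' separated fields.
    Returns None for lines that are not HJT entries (headers, process list)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {
        "section": m.group("section"),
        "kind": m.group("kind"),
        "fields": [f.strip() for f in m.group("rest").split(" - ")],
    }


def suspicious_reasons(entry):
    """Heuristics (this example's own) mirroring what the helper flagged above."""
    reasons = []
    fields = entry["fields"]
    last = fields[-1] if fields else ""
    # Orphaned hooks: the registry still points at a file that no longer exists
    if "(file missing)" in last or last == "(no file)":
        reasons.append("referenced file is missing")
    # O23 services: a service with no identifiable vendor deserves a second look
    if entry["section"] == "O23" and len(fields) >= 3 and fields[-2] == "Unknown owner":
        reasons.append("service has no identifiable vendor")
    # $sys$ is the prefix the XCP rootkit cloaks; seeing it in a path is notable
    if "$sys$" in last:
        reasons.append("path uses the $sys$ cloaking prefix")
    return reasons


def triage(log_text):
    """Return (section, reason, original line) for every flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        for reason in suspicious_reasons(entry):
            findings.append((entry["section"], reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}: {line}")
```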

#8 XPuser57 (Member, Full Member, 10 posts)

Posted 16 June 2007 - 01:04 PM

NEW HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 10:45:35 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

ComboFix Log
ComboFix 07-06-13.7 - C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
"HP_Administrator" - 2007-06-15 22:24:16 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\feyjbdks.dll
C:\WINDOWS\system32\skdbjyef.ini
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\ybeeg.bak1
C:\WINDOWS\system32\ybeeg.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Temp\0b9
C:\Temp\tn3
C:\WINDOWS\hosts
C:\WINDOWS\system32\launcher.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-15 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 22:17 <DIR> d-------- C:\VundoFix Backups
2007-06-11 10:32 263,220 --a------ C:\WINDOWS\system32\geeby.dll.vir
2007-06-11 00:42 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-06-11 00:38 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-11 00:38 52,432 --a------ C:\WINDOWS\system32\drivers\fopn.sys
2007-06-11 00:38 11,984 --a------ C:\WINDOWS\system32\stera.exe
2007-06-11 00:29 33,302 --a------ C:\WINDOWS\system32\fccbayw.dll.vir
2007-06-07 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-06 21:35 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 21:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-06-06 21:28 <DIR> d-------- C:\temp\x2b
2007-06-04 22:57 11,272,192 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat
2007-05-30 22:13 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-05-30 22:13 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-05-30 22:13 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-05-30 22:13 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-05-30 22:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-30 22:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-30 22:13 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-05-30 22:13 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-05-30 22:13 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-05-30 22:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-30 22:13 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-05-30 22:13 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-05-26 16:31 967 --a------ C:\WINDOWS\ScUnin.pif
2007-05-26 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-05-26 16:31 35,382 --a------ C:\WINDOWS\scunin.dat
2007-05-26 16:30 <DIR> d-------- C:\Program Files\Starcraft
2007-05-23 22:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-18 21:25 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-18 21:25 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 19:18:22 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\uTorrent
2007-06-13 23:27:51 -------- d-----w C:\Program Files\AIM6
2007-06-13 07:37:39 55,744 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-11 07:41:04 -------- d-----w C:\Program Files\AIM+
2007-06-10 20:07:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 23:29:58 -------- d-----w C:\Program Files\MAME32k
2007-05-23 02:47:25 1,406 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2007-05-19 06:15:18 340 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-05-19 06:15:07 -------- d-----w C:\Program Files\SPSS
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 02:55:04 -------- d-----w C:\Program Files\WarRock
2007-05-12 06:40:54 -------- d-----w C:\Program Files\WiFiConnector
2007-05-08 06:28:04 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll
2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll
2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth2.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth1.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\nsprs.dll
2007-05-01 03:26:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Viewpoint
2007-04-30 03:51:04 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\acccore
2007-04-30 03:49:49 -------- d-----w C:\Program Files\Viewpoint
2007-04-30 03:49:23 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 03:19:58 -------- d-----w C:\Program Files\AIM
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 23:36:40 -------- d-----w C:\Program Files\Apache Group
2007-04-22 01:39:39 4,620 ----a-w C:\WINDOWS\XChange.dat
2007-04-19 00:03:05 -------- d-----w C:\Program Files\Avant Browser
2007-04-19 00:02:22 -------- d-----w C:\Program Files\DivX
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-21 05:26:54 1,285 ----a-w C:\WINDOWS\checkip.dat
2007-03-21 05:21:58 1,280 ----a-w C:\WINDOWS\ipconfig.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-05-01 09:05:44 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 11:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 21:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 20:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 00:12]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 17:19 C:\WINDOWS\arpwrmsg.exe]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 03:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{4C-C4-47-78-ZN}]
c:\windows\system32\dwdsregt.exe CHD003


Contents of the 'Scheduled Tasks' folder
2007-06-16 05:23:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 22:28:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-15 22:29:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-15 22:29

--- E O F ---


Comments on how the computer is running
Currently my computer is running at a better speed than before I did everything. The menus open at a normal speed, like before. Checked for Spyware and Adaware 2x, and they keep coming back. I think that I should do this in Safe Mode, so I'm not sure about that one. Everything else is good though. Thank you. :D

#9 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 16 June 2007 - 03:15 PM

Welcome back

Currently my computer is running at a better speed than before I did everything. The menus open at a normal speed like before. Everything else is good though. Thank you.

Yes!!

Go to Start > Control Panel > Add/Remove Programs and uninstall, if present:

WinAntiVirus Pro 2007

then reboot


Open Notepad and copy/paste the text in the quote box below into it:

File::
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\geeby.dll.vir
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\fccbayw.dll.vir
C:\temp\x2b
c:\windows\system32\dwdsregt.exe CHD003

Folder::
C:\QooBox
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\VundoFix Backups
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{4C-C4-47-78-ZN}]

Save this as ComboFix-Do.txt, then drag ComboFix-Do.txt onto ComboFix.exe.
This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.



One last scan to check for left-overs.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
• http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks whether you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks whether you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files that were in use may only be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.





I didn't detect any active process of a firewall on your system.

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly.
You should not rely on just the Windows XP firewall when there are better firewalls that are free for personal use; the Windows XP firewall only checks incoming data.
If you decide to download and install another firewall, please disable Windows Firewall:
Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.
Sygate free firewall
ZoneAlarm free firewall
Outpost free Firewall
Comodo
Kerio Personal Firewall
Jetico Personal Firewall

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.
For a tutorial on Firewalls and a listing of some available ones see the link below
http://www.bleepingc...tutorial60.html


In your next reply I need:
ComboFix log
DrWeb.csv log
New HJT
Comments on how the computer is now.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.
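
The removal script in the post above is a ComboFix CFScript: a File:: section, a Folder:: section and a Registry:: section, one entry per line, with the Registry:: line written in .reg syntax where a leading '-' inside the brackets marks the key for deletion (the same syntax the later REGEDIT4 step in this thread uses). The following is an added example, not code from the thread or from ComboFix's author: a small Python linter that parses a CFScript of this shape, flags File:: entries that carry command-line arguments instead of a bare path, checks Registry:: lines for the leading '-', and renders the Registry:: section as a stand-alone REGEDIT4 file. It assumes ComboFix reads each File:: line as one literal path; the sample script is the one posted above, reproduced verbatim.

```python
import re

# Constructed sample: the CFScript posted above, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\geeby.dll.vir
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\fccbayw.dll.vir
C:\temp\x2b
c:\windows\system32\dwdsregt.exe CHD003

Folder::
C:\QooBox
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\VundoFix Backups
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{4C-C4-47-78-ZN}]
"""

SECTION_RE = re.compile(r"^[A-Za-z]+::$")
# A drive-letter path to an executable-type file, then whitespace and more text.
# Assumption: ComboFix treats each File:: line as one literal path, so a line
# like "...\dwdsregt.exe CHD003" names a file that does not exist and the real
# dwdsregt.exe is left behind.
CMDLINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|sys|bat|cmd|scr|pif|com))\s+(?P<args>\S.*)$",
    re.IGNORECASE,
)
# .reg key line: "[-KEY]" deletes the key, "[KEY]" creates or updates it.
REGKEY_RE = re.compile(
    r"^\[(?P<delete>-?)(?P<key>HKEY_(?:LOCAL_MACHINE|CURRENT_USER|USERS|CLASSES_ROOT)\\[^\]]+)\]$"
)


def parse_cfscript(text):
    """Return {section header: [entry lines]} in order of first appearance."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return warnings for entries that would not do what the author meant."""
    warnings = []
    for entry in sections.get("File::", []):
        m = CMDLINE_RE.match(entry)
        if m:
            warnings.append(
                f"File:: entry {entry!r} looks like a command line, not a path; "
                f"use {m.group('path')!r}"
            )
    for entry in sections.get("Registry::", []):
        m = REGKEY_RE.match(entry)
        if m is None:
            warnings.append(f"Registry:: entry {entry!r} is not a [HKEY_...] key line")
        elif not m.group("delete"):
            warnings.append(
                f"Registry:: entry {entry!r} lacks the leading '-': in .reg syntax "
                "this creates the key instead of deleting it"
            )
    return warnings


def to_regedit4(sections):
    """Render the Registry:: section as a stand-alone REGEDIT4 file (CRLF line ends)."""
    lines = ["REGEDIT4", ""] + list(sections.get("Registry::", []))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for warning in lint_cfscript(parsed):
        print("WARNING:", warning)
    print(to_regedit4(parsed))
```

Run against the posted script, the linter reports one entry: the dwdsregt.exe line, which carries the CHD003 argument copied from the startupreg value rather than the bare path. The other File:: and Folder:: entries pass, and the Registry:: line is emitted unchanged under a REGEDIT4 header.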

#10 XPuser57 (Member, Full Member, 10 posts)

Posted 17 June 2007 - 04:21 PM

Updated HJT
Logfile of HijackThis v1.99.1
Scan saved at 2:14:57 PM, on 6/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Updated ComboFix
ComboFix 07-06-13.7 - C:\Documents and Settings\HP_Administrator\Desktop\VirusScansLogs\ComboFix.exe
"HP_Administrator" - 2007-06-17 8:31:06 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\avtasks.dat
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\CookieList.dat
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\history.db
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\update.log
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\Logs\winav.log
C:\DOCUME~1\HP_ADM~1\APPLIC~1\WinAntiVirus Pro 2007\PGE.dat
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007\uwa7pcw.exe
C:\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe
C:\QooBox
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\hosts.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\feyjbdks.dll.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\Launcher.exe.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\pqtwa.bak1.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\skdbjyef.ini.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\ybeeg.bak1.vir
C:\QooBox\Quarantine\C\WINDOWS\system32\ybeeg.ini.vir
C:\QooBox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\fccbaxx.dll.bad
C:\VundoFix Backups\qomjjgd.dll.bad
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\fccbayw.dll.vir
C:\WINDOWS\system32\geeby.dll.vir
C:\WINDOWS\system32\stera.exe


((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


2007-06-16 23:57 <DIR> d-------- C:\DOCUME~1\HP_ADM~1\.realobjects
2007-06-15 22:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 00:38 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-06-07 16:57 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-06 21:35 <DIR> d-------- C:\Program Files\Common Files\Companion Wizard
2007-06-06 21:28 <DIR> d-------- C:\temp\x2b
2007-06-04 22:57 11,272,192 --a------ C:\DOCUME~1\HP_ADM~1\ntuser.dat
2007-05-30 22:13 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2007-05-30 22:13 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2007-05-30 22:13 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2007-05-30 22:13 811,064 --a------ C:\WINDOWS\system32\imjp81k.dll
2007-05-30 22:13 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-05-30 22:13 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-05-30 22:13 76,288 --a------ C:\WINDOWS\system32\uniime.dll
2007-05-30 22:13 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2007-05-30 22:13 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2007-05-30 22:13 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2007-05-30 22:13 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-05-30 22:13 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2007-05-30 22:13 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2007-05-30 22:13 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-05-30 22:13 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2007-05-26 16:31 967 --a------ C:\WINDOWS\ScUnin.pif
2007-05-26 16:31 94,208 --a------ C:\WINDOWS\ScUnin.exe
2007-05-26 16:31 35,382 --a------ C:\WINDOWS\scunin.dat
2007-05-26 16:30 <DIR> d-------- C:\Program Files\Starcraft
2007-05-23 22:48 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-05-18 21:25 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-05-18 21:25 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 15:14:24 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\uTorrent
2007-06-16 17:42:16 -------- d-----w C:\Program Files\Download Manager
2007-06-13 23:27:51 -------- d-----w C:\Program Files\AIM6
2007-06-13 07:37:39 55,744 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-11 07:41:04 -------- d-----w C:\Program Files\AIM+
2007-06-10 20:07:17 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-26 23:29:58 -------- d-----w C:\Program Files\MAME32k
2007-05-23 02:47:25 1,406 ----a-w C:\DOCUME~1\HP_ADM~1\APPLIC~1\wklnhst.dat
2007-05-19 06:15:18 340 ----a-w C:\WINDOWS\system32\lsprst7.dll
2007-05-19 06:15:07 -------- d-----w C:\Program Files\SPSS
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 02:55:04 -------- d-----w C:\Program Files\WarRock
2007-05-12 06:40:54 -------- d-----w C:\Program Files\WiFiConnector
2007-05-08 06:28:04 1,025 ----a-w C:\WINDOWS\system32\sysprs7.dll
2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth2.dll
2007-05-08 06:23:55 1,024 ----a-w C:\WINDOWS\system32\clauth1.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\ssprs.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth2.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\serauth1.dll
2007-05-08 06:23:55 0 ----a-w C:\WINDOWS\system32\nsprs.dll
2007-05-01 03:26:23 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\Viewpoint
2007-04-30 03:51:04 -------- d-----w C:\DOCUME~1\HP_ADM~1\APPLIC~1\acccore
2007-04-30 03:49:49 -------- d-----w C:\Program Files\Viewpoint
2007-04-30 03:49:23 -------- d-----w C:\Program Files\Common Files\AOL
2007-04-30 03:19:58 -------- d-----w C:\Program Files\AIM
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 23:36:40 -------- d-----w C:\Program Files\Apache Group
2007-04-22 01:39:39 4,620 ----a-w C:\WINDOWS\XChange.dat
2007-04-19 00:03:05 -------- d-----w C:\Program Files\Avant Browser
2007-04-19 00:02:22 -------- d-----w C:\Program Files\DivX
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-27 07:55:23 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-03-27 07:55:23 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-03-21 05:26:54 1,285 ----a-w C:\WINDOWS\checkip.dat
2007-03-21 05:21:58 1,280 ----a-w C:\WINDOWS\ipconfig.dat
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2006-05-01 09:05:44 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll [2005-08-02 11:41]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-04-04 21:05]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-05 20:18]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 00:12]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 17:19 C:\WINDOWS\arpwrmsg.exe]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-09-21 03:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00]
"Aim6"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
"C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\system32\feyjbdks.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC


Contents of the 'Scheduled Tasks' folder
2007-06-17 15:33:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 08:33:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-17 8:33:40
C:\ComboFix2.txt ... 2007-06-15 22:29

--- E O F ---

Dr. Cure CSV
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.32.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;Incurable.Moved.;
PPCInstall.dll;C:\Program Files\Online Services\PeoplePC;Probably STPAGE.Trojan;Incurable.Moved.;
A0087711.reg;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP475;Trojan.StartPage.1505;Deleted.;
A0096708.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP571;Adware.ZenoSearch;Incurable.Moved.;
A0097803.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0097843.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0097881.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0097916.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.DownLoader.10963;Deleted.;
A0097917.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0097918.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0097919.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0097921.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0097976.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP580;Trojan.Virtumod;Deleted.;
A0098332.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Fakealert;Deleted.;
A0098337.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.DownLoader.10963;Deleted.;
A0098344.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;
A0098488.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Fakealert;Deleted.;
A0098502.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;
A0098523.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;
A0098574.sys;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.NtRootKit.239;Deleted.;
A0098575.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;
A0098612.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;
A0098613.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;
A0098627.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Adware.ZenoSearch;Incurable.Moved.;
A0098640.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP584;Trojan.Virtumod;Deleted.;
A0098859.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP586;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0099037.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP588;Trojan.Virtumod;Deleted.;
A0099038.dll;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP588;Trojan.Virtumod;Deleted.;
A0099260.exe;C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP589;Trojan.DownLoader.10963;Deleted.;
UWA7P_0001_N91M0809NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10963;Deleted.;
firstopt.js;D:\I386\Apps\APP15514;Probably SCRIPT.Virus;Incurable.Moved.;


Computer Notes
Currently the computer is still running the same speed as the last time I posted. After this post, I am going to install the ZoneAlarm Firewall.

#11 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 18 June 2007 - 07:49 AM

Welcome back


Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):

    C:\temp\x2b
    C:\WINDOWS\ScUnin.pif
    C:\WINDOWS\system32\feyjbdks.dll


  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

Please post the log from OTMoveIt, located here:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.




Open notepad and copy/paste the entire text in the quotebox below: (don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose "Save as type: All Files".
Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.




System restore had several infections located there so it is best at this time to flush that out.

Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on. That will flush system restore out.
More info and screenshots:
http://service1.syma...src=sec_doc_nam
You can find instructions on how to disable and reenable system restore here also:
Windows XP System Restore Guide



In your next reply post:
  • OTMoveIt log
  • New HJT log
  • Comments on what issues remain now.
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#12 XPuser57 (Member, Full Member, 10 posts)

Posted 18 June 2007 - 06:40 PM

OTMoveIt Log:
C:\temp\x2b moved successfully.
C:\WINDOWS\ScUnin.pif moved successfully.
File/Folder C:\WINDOWS\system32\feyjbdks.dll not found.

Created on 06/18/2007 15:47:06

New HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 4:28:43 PM, on 6/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe


Computer Notes:
The computer is running fine now. The only problem is that constantly the same Spyware/Ad-aware keeps coming back, even after being removed. I do the scan 2-3 times, and the same ones usually come back. I couldn't get ZoneAlarm since it would only be a trial period, so I decided to go with Sygate Personal Firewall. Also WinAnti-Virus 2007 still exists in my Control Panel, although all of its components are gone.

#13 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 18 June 2007 - 07:15 PM

Welcome back

The computer is running fine now

:thumbsup:

The only problem is that constantly the same Spyware/Ad-aware keeps coming back

:ugh:

Can you give me the name or names of what it finds?
File paths?
What scanner are you using when you find Spyware/Adware?


Please download Registry Search Tool and save it to your desktop.
Unzip (extract) it to your desktop and double-click on regsrch.vbs
(if you have script protection, please allow this to run).
In the dialog that opens enter the following:
WinAnti-Virus 2007

Press OK. The search will run for a while, then alert you when it is finished. Press OK and copy the contents of the WordPad window and post in this thread.

#14 XPuser57 (Member, Full Member, 10 posts)

Posted 19 June 2007 - 12:35 AM

Spyware/Ad-Aware:
AdRevolver
Advertising.com 3
AvenueA, Inc. 3
BlackCore 2
DoubleClick 4
FastClick 3
HitBox
MediaPlex
Statcounter
Blue Streak

The number next to them is after I scanned the computer again, and again. This was right after each other and I healed them. They were tracking cookies, and I forgot to look before I got rid of them. The scanner that I use is Spybot S&D. It's been good to me up until now, and yeah. Those ones are the ones that come up the most, DoubleClick and AvenueA[sp?].

After running the script, it said that there were no instances of WinAnti-Virus 2007. Rawr. Hmmm...

#15 Juliet (Forum Deity, Trusted Advisor, 843 posts)

Posted 19 June 2007 - 06:54 AM

Welcome back

Returning cookies are not a problem and nothing to worry about. These tracking cookies are present on certain sites you visit, even good sites.
Read here what cookies are:
http://www.microsoft...fo/cookies.mspx
An easy way to get rid of cookies is:

1. Start Internet Explorer.
2. On the Tools menu, click Internet Options, and then click the General tab.
3. In the Temporary Internet Files section, click Delete Cookies..., click OK, and then click OK again.


You can also use CookieWall:
http://www.analogx.c...work/cookie.htm
This program will let you decide what cookies to allow and what cookies to deny.


Another good and suggested free program to prevent cookies:
Install and update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers, which are some of the fastest-growing threats on the Internet today.
Tutorial
Make sure both of these boxes are checked in SpywareBlaster....
"prevent the installation of ActiveX- etc"
"prevent ad/tracking cookies"




Delete an Entry from the Uninstall List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the entry you wish to delete ->WinAntiVirus Pro 2007
  • Click on Delete this entry
  • Click "Yes"


Windows Installer Clean Up Utility
Use the above link if HJT says it cannot delete from Uninstall list.



We're going to continue on to clean you up. Clean up the tools:
Next open OTMoveIt, then click on "CleanUp!". If you receive a warning from your Firewall please allow. A list of tools we used will appear in the right hand column. It should say "successful" when they appear.
You will see a pop up that tells you the system requires a reboot (to remove all the tools listed). Click YES.





One more scan we can use for leftover entries

Download the trial version of Spy Sweeper from
Here


Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next.

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Post the log please.

Edited by Juliet, 19 June 2007 - 08:45 AM.


#16 XPuser57 (Member, Full Member, 10 posts)

Posted 21 June 2007 - 03:13 PM

12:15 PM: Removal process completed. Elapsed time 00:00:20
12:15 PM: Quarantining All Traces: yadro cookie
12:15 PM: Quarantining All Traces: xiti cookie
12:15 PM: Quarantining All Traces: hermoment.com cookie
12:15 PM: Quarantining All Traces: tribalfusion cookie
12:15 PM: Quarantining All Traces: trafficmp cookie
12:15 PM: Quarantining All Traces: tacoda cookie
12:15 PM: Quarantining All Traces: statcounter cookie
12:15 PM: Quarantining All Traces: realmedia cookie
12:15 PM: Quarantining All Traces: questionmarket cookie
12:15 PM: Quarantining All Traces: overture cookie
12:15 PM: Quarantining All Traces: nextag cookie
12:15 PM: Quarantining All Traces: mediaplex cookie
12:15 PM: Quarantining All Traces: bluestreak cookie
12:15 PM: Quarantining All Traces: atwola cookie
12:15 PM: Quarantining All Traces: atlas dmt cookie
12:15 PM: Quarantining All Traces: advertising cookie
12:15 PM: Quarantining All Traces: cpxinteractive cookie
12:15 PM: Quarantining All Traces: adserver cookie
12:15 PM: Quarantining All Traces: adreactor cookie
12:15 PM: Quarantining All Traces: pointroll cookie
12:15 PM: Quarantining All Traces: adrevolver cookie
12:15 PM: Quarantining All Traces: specificclick.com cookie
12:15 PM: Quarantining All Traces: 2o7.net cookie
12:15 PM: Quarantining All Traces: 247realmedia cookie
12:15 PM: Quarantining All Traces: winad
12:15 PM: Quarantining All Traces: zenosearchassistant
12:15 PM: Quarantining All Traces: purityscan
12:15 PM: Quarantining All Traces: virtumonde
12:15 PM: Removal process initiated
12:11 PM: Traces Found: 41
12:11 PM: Full Sweep has completed. Elapsed time 01:11:00
12:10 PM: File Sweep Complete, Elapsed Time: 01:06:03
12:10 PM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E4C000C
11:55 AM: Warning: Unable to sweep compressed file: "c:\documents and settings\hp_administrator\desktop\somemorepixforyouandlolapaz.zip": File not found
11:47 AM: ApplicationMinimized - EXIT
11:47 AM: ApplicationMinimized - ENTER
Not enough storage is available to process this command
11:44 AM: Warning: Unable to sweep compressed file: System Error. Code: 8.
11:40 AM: Warning: Unable to sweep compressed file: "c:\documents and settings\hp_administrator\local settings\temporary internet files\content.ie5\bnihhbf5\rf-060526[1].rar": File not found
Access is denied
11:39 AM: Warning: Unable to sweep compressed file: System Error. Code: 5.
11:33 AM: ApplicationMinimized - EXIT
11:33 AM: ApplicationMinimized - ENTER
11:32 AM: ApplicationMinimized - EXIT
11:32 AM: ApplicationMinimized - ENTER
11:31 AM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E6D000C
11:30 AM: Warning: SweepCompressedFiles: Access violation at address 00401D84 in module 'SpySweeper.exe'. Read of address 7E8E000C
11:29 AM: Warning: SweepDirectories: Cannot find directory "j:". This directory was not added to the list of paths to be scanned.
11:29 AM: Warning: SweepDirectories: Cannot find directory "i:". This directory was not added to the list of paths to be scanned.
11:29 AM: Warning: SweepDirectories: Cannot find directory "h:". This directory was not added to the list of paths to be scanned.
11:29 AM: Warning: SweepDirectories: Cannot find directory "g:". This directory was not added to the list of paths to be scanned.
11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@dehp.myspace[1].txt". The operation completed successfully
11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt". The operation completed successfully
11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:18 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:12 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:11 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:09 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:08 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:06 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:05 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098575.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098344.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0096708.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098627.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098523.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098502.exe (ID = 294)
11:05 AM: Found Adware: zenosearchassistant
11:04 AM: Starting File Sweep
11:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@yadro[2].txt (ID = 3743)
11:04 AM: Found Spy Cookie: yadro cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@xiti[1].txt (ID = 3717)
11:04 AM: Found Spy Cookie: xiti cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@www2.hermoment[1].txt (ID = 2774)
11:04 AM: Found Spy Cookie: hermoment.com cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tribalfusion[2].txt (ID = 3589)
11:04 AM: Found Spy Cookie: tribalfusion cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@trafficmp[1].txt (ID = 3581)
11:04 AM: Found Spy Cookie: trafficmp cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tacoda[2].txt (ID = 6444)
11:04 AM: Found Spy Cookie: tacoda cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt (ID = 3447)
11:04 AM: Found Spy Cookie: statcounter cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@realmedia[1].txt (ID = 3235)
11:04 AM: Found Spy Cookie: realmedia cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@questionmarket[2].txt (ID = 3217)
11:04 AM: Found Spy Cookie: questionmarket cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@overture[2].txt (ID = 3105)
11:04 AM: Found Spy Cookie: overture cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@nextag[2].txt (ID = 5014)
11:04 AM: Found Spy Cookie: nextag cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@msnportal.112.2o7[1].txt (ID = 1958)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@mediaplex[2].txt (ID = 6442)
11:04 AM: Found Spy Cookie: mediaplex cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@indigio.122.2o7[1].txt (ID = 1958)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@bluestreak[1].txt (ID = 2314)
11:04 AM: Found Spy Cookie: bluestreak cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atwola[1].txt (ID = 2255)
11:04 AM: Found Spy Cookie: atwola cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atdmt[2].txt (ID = 2253)
11:04 AM: Found Spy Cookie: atlas dmt cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@advertising[2].txt (ID = 2175)
11:04 AM: Found Spy Cookie: advertising cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserving.cpxinteractive[2].txt (ID = 8939)
11:04 AM: Found Spy Cookie: cpxinteractive cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver[1].txt (ID = 2141)
11:04 AM: Found Spy Cookie: adserver cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver.adreactor[1].txt (ID = 2087)
11:04 AM: Found Spy Cookie: adreactor cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@ads.pointroll[2].txt (ID = 3148)
11:04 AM: Found Spy Cookie: pointroll cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[3].txt (ID = 2088)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[1].txt (ID = 2088)
11:04 AM: Found Spy Cookie: adrevolver cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adopt.specificclick[2].txt (ID = 3400)
11:04 AM: Found Spy Cookie: specificclick.com cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@2o7[2].txt (ID = 1957)
11:04 AM: Found Spy Cookie: 2o7.net cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@247realmedia[1].txt (ID = 1953)
11:04 AM: Found Spy Cookie: 247realmedia cookie
11:04 AM: Starting Cookie Sweep
11:04 AM: Registry Sweep Complete, Elapsed Time:00:00:40
11:04 AM: HKLM\software\microsoft\windows\currentversion\uninstall\outerinfo\ (ID = 2063030)
11:04 AM: Found Adware: purityscan
11:04 AM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
11:04 AM: HKLM\software\microsoft\rasap2k\ (ID = 1511572)
11:04 AM: Found Adware: virtumonde
11:04 AM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
11:04 AM: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1049593)
11:04 AM: HKCR\appid\activex.dll\ || appid (ID = 1049592)
11:04 AM: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1023385)
11:04 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (ID = 763026)
11:04 AM: Found Adware: winad
11:04 AM: Starting Registry Sweep
11:04 AM: Memory Sweep Complete, Elapsed Time: 00:04:06
11:00 AM: ApplicationMinimized - EXIT
11:00 AM: ApplicationMinimized - ENTER
11:00 AM: Starting Memory Sweep
11:00 AM: Start Full Sweep
11:00 AM: Sweep initiated using definitions version 935
10:58 AM: ApplicationMinimized - EXIT
10:58 AM: ApplicationMinimized - ENTER
10:58 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
Keylogger: Off
10:58 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:58 AM: Shield States
10:58 AM: License Check Status (0): Success
10:57 AM: Spyware Definitions: 923
10:57 AM: Spy Sweeper 5.5.1.3354 started
10:57 AM: Spy Sweeper 5.5.1.3354 started
10:57 AM: | Start of Session, Thursday, June 21, 2007 |
***************
There is the log from Spy Sweeper. Sorry it's taken a while; my cousin just graduated, and my sister came in town randomly, so yeah. My apologies.
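As an added example (not code from either poster or from Webroot), here is a small Python triage script for a Spy Sweeper session log like the one above. It separates tracking-cookie hits, which Juliet notes are nothing to worry about, from registry and file hits that do need attention, and checks that every name reported as "Found" also appears in a "Quarantining All Traces" line. The sample lines are constructed from the posted log; treating a path under a DoctorWeb\Quarantine folder as already neutralised is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Spy Sweeper session log posted above
# (newest entry first); a handful of lines, not the whole log.
SAMPLE_LOG = """\
12:15 PM: Quarantining All Traces: yadro cookie
12:15 PM: Quarantining All Traces: zenosearchassistant
12:15 PM: Quarantining All Traces: virtumonde
12:15 PM: Removal process initiated
12:11 PM: Traces Found: 41
11:05 AM: C:\\Documents and Settings\\HP_Administrator\\DoctorWeb\\Quarantine\\A0098575.exe (ID = 294)
11:05 AM: Found Adware: zenosearchassistant
11:04 AM: c:\\documents and settings\\hp_administrator\\cookies\\hp_administrator@yadro[2].txt (ID = 3743)
11:04 AM: Found Spy Cookie: yadro cookie
11:04 AM: HKLM\\software\\microsoft\\rasap2k\\ (ID = 1511572)
11:04 AM: HKLM\\software\\microsoft\\uniqdata\\ (ID = 1997747)
11:04 AM: Found Adware: virtumonde
11:04 AM: HKLM\\software\\microsoft\\windows\\currentversion\\moduleusage\\c:/windows/downloaded program files/mediagatewayx.dll\\ (ID = 763026)
11:04 AM: Found Adware: winad
11:04 AM: Starting Registry Sweep
"""

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (.*)$")
TRACE_RE = re.compile(r"^(.+) \(ID = \d+\)$")
FOUND_RE = re.compile(r"^Found ([A-Za-z ]+): (.+)$")
QUAR_RE = re.compile(r"^Quarantining All Traces: (.+)$")
REG_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")
# Assumption: a file sitting in another tool's quarantine folder (Dr.Web CureIt
# in this thread) is a leftover of an earlier cleanup, not a live infection.
QUARANTINE_DIRS = ("\\doctorweb\\quarantine\\",)


def classify_trace(trace):
    """Bucket one trace location the way a helper reading the log would."""
    low = trace.lower()
    if trace.upper().startswith(REG_ROOTS):
        return "registry"
    if "\\cookies\\" in low and "@" in low:
        return "cookie"           # per-site cookie file: harmless, will return
    if any(d in low for d in QUARANTINE_DIRS):
        return "already_quarantined"
    return "file"


def triage(log_text):
    """Summarise a Spy Sweeper session log: what was found, of what kind,
    and which found items never show up as quarantined."""
    found = {}              # detection category -> set of names
    quarantined = set()
    traces = Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue        # shield-state lines and bare OS errors carry no timestamp
        body = m.group(1)
        if (f := FOUND_RE.match(body)):
            found.setdefault(f.group(1), set()).add(f.group(2))
        elif (q := QUAR_RE.match(body)):
            quarantined.add(q.group(1))
        elif (t := TRACE_RE.match(body)):
            traces[classify_trace(t.group(1))] += 1
    all_found = set().union(*found.values()) if found else set()
    return {
        "found": {cat: sorted(names) for cat, names in found.items()},
        "traces": dict(traces),
        # anything that is not a tracking cookie deserves a closer look
        "needs_attention": sorted(
            n for cat, names in found.items() if cat != "Spy Cookie" for n in names
        ),
        # found but never quarantined: the removal step missed it
        "not_removed": sorted(all_found - quarantined),
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_LOG))
```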

11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@dehp.myspace[1].txt". The operation completed successfully
11:22 AM: Warning: Failed to open file "c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt". The operation completed successfully
11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:19 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:18 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:12 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:11 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:10 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:09 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:08 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:06 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:05 AM: Warning: DoTerm :\Device\HarddiskVolume2\WINDOWS\system32\csrss.exe
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098575.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098344.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0096708.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098627.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098523.exe (ID = 294)
11:05 AM: C:\Documents and Settings\HP_Administrator\DoctorWeb\Quarantine\A0098502.exe (ID = 294)
11:05 AM: Found Adware: zenosearchassistant
11:04 AM: Starting File Sweep
11:04 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@yadro[2].txt (ID = 3743)
11:04 AM: Found Spy Cookie: yadro cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@xiti[1].txt (ID = 3717)
11:04 AM: Found Spy Cookie: xiti cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@www2.hermoment[1].txt (ID = 2774)
11:04 AM: Found Spy Cookie: hermoment.com cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tribalfusion[2].txt (ID = 3589)
11:04 AM: Found Spy Cookie: tribalfusion cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@trafficmp[1].txt (ID = 3581)
11:04 AM: Found Spy Cookie: trafficmp cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@tacoda[2].txt (ID = 6444)
11:04 AM: Found Spy Cookie: tacoda cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@statcounter[1].txt (ID = 3447)
11:04 AM: Found Spy Cookie: statcounter cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@realmedia[1].txt (ID = 3235)
11:04 AM: Found Spy Cookie: realmedia cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@questionmarket[2].txt (ID = 3217)
11:04 AM: Found Spy Cookie: questionmarket cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@overture[2].txt (ID = 3105)
11:04 AM: Found Spy Cookie: overture cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@nextag[2].txt (ID = 5014)
11:04 AM: Found Spy Cookie: nextag cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@msnportal.112.2o7[1].txt (ID = 1958)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@mediaplex[2].txt (ID = 6442)
11:04 AM: Found Spy Cookie: mediaplex cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@indigio.122.2o7[1].txt (ID = 1958)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@bluestreak[1].txt (ID = 2314)
11:04 AM: Found Spy Cookie: bluestreak cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atwola[1].txt (ID = 2255)
11:04 AM: Found Spy Cookie: atwola cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@atdmt[2].txt (ID = 2253)
11:04 AM: Found Spy Cookie: atlas dmt cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@advertising[2].txt (ID = 2175)
11:04 AM: Found Spy Cookie: advertising cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserving.cpxinteractive[2].txt (ID = 8939)
11:04 AM: Found Spy Cookie: cpxinteractive cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver[1].txt (ID = 2141)
11:04 AM: Found Spy Cookie: adserver cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adserver.adreactor[1].txt (ID = 2087)
11:04 AM: Found Spy Cookie: adreactor cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@ads.pointroll[2].txt (ID = 3148)
11:04 AM: Found Spy Cookie: pointroll cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[3].txt (ID = 2088)
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adrevolver[1].txt (ID = 2088)
11:04 AM: Found Spy Cookie: adrevolver cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@adopt.specificclick[2].txt (ID = 3400)
11:04 AM: Found Spy Cookie: specificclick.com cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@2o7[2].txt (ID = 1957)
11:04 AM: Found Spy Cookie: 2o7.net cookie
11:04 AM: c:\documents and settings\hp_administrator\cookies\hp_administrator@247realmedia[1].txt (ID = 1953)
11:04 AM: Found Spy Cookie: 247realmedia cookie
11:04 AM: Starting Cookie Sweep
11:04 AM: Registry Sweep Complete, Elapsed Time:00:00:40
11:04 AM: HKLM\software\microsoft\windows\currentversion\uninstall\outerinfo\ (ID = 2063030)
11:04 AM: Found Adware: purityscan
11:04 AM: HKLM\software\microsoft\uniqdata\ (ID = 1997747)
11:04 AM: HKLM\software\microsoft\rasap2k\ (ID = 1511572)
11:04 AM: Found Adware: virtumonde
11:04 AM: HKLM\software\classes\appid\activex.dll\ || appid (ID = 1049594)
11:04 AM: HKLM\software\classes\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1049593)
11:04 AM: HKCR\appid\activex.dll\ || appid (ID = 1049592)
11:04 AM: HKCR\appid\{d28cd14c-50be-4cfa-951e-b37f25da3472}\ (ID = 1023385)
11:04 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediagatewayx.dll\ (ID = 763026)
11:04 AM: Found Adware: winad
11:04 AM: Starting Registry Sweep
11:04 AM: Memory Sweep Complete, Elapsed Time: 00:04:06
11:00 AM: ApplicationMinimized - EXIT
11:00 AM: ApplicationMinimized - ENTER
11:00 AM: Starting Memory Sweep
11:00 AM: Start Full Sweep
11:00 AM: Sweep initiated using definitions version 935
10:58 AM: ApplicationMinimized - EXIT
10:58 AM: ApplicationMinimized - ENTER
10:58 AM: Informational: ShieldEmail: Start monitoring port 25 for mail activities
Keylogger: Off
10:58 AM: Informational: ShieldEmail: Start monitoring port 110 for mail activities
E-mail Attachment: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
File System Shield: On
Execution Shield: On
System Services Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
10:58 AM: Shield States
10:58 AM: License Check Status (0): Success
10:57 AM: Spyware Definitions: 923
10:57 AM: Spy Sweeper 5.5.1.3354 started
10:57 AM: Spy Sweeper 5.5.1.3354 started
10:57 AM: | Start of Session, Thursday, June 21, 2007 |
***************
There is the log from Spy Sweeper. Sorry it's taken a while, my cousin just graduated, and my sister came in town randomly, so yeah. My apologies.

#18 XPuser57 (Member; Full Member; 10 posts)

Posted 21 June 2007 - 03:14 PM

-Deleted- Reposted too much since computer was lagging.

Edited by XPuser57, 22 June 2007 - 11:36 PM.


#19 Juliet (Forum Deity; Trusted Advisor; 843 posts)

Posted 21 June 2007 - 05:38 PM

Welcome back

How are things running now?

In my last post I suggested

Delete an Entry from the Uninstall List

Open HiJackThis
Click on the "Config..." button on the bottom right
Click on the tab "Misc Tools"
Click on the Box that says "Uninstall Manager"
Click on the entry you wish to delete -> WinAntiVirus Pro 2007
Click on Delete this entry
Click "Yes"



Windows Installer Clean Up Utility
Use the above link if HJT says it cannot delete from the Uninstall list.

Can you post a new HJT log, please?
Sometimes the angels fly close enough to you that you can hear the flutter of their wings
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#20 XPuser57 (Member; Full Member; 10 posts)

Posted 22 June 2007 - 11:45 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:44:23 PM, on 6/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.goodsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CM_AdvancedCAB - https://www.gs.reyre...AdvancedCAB.CAB
O16 - DPF: PrintTemplateViewerCab - https://www.gs.reyre...plateviewer.cab
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescamp...GamesCampus.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/...UI.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://images.hangam...ommon/scsk4.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/...dy.cab55579.cab
O16 - DPF: {4F091885-8A80-478E-8F48-C53508CA12FD} (DekaronAutoPlay Control) - http://file.dekaron....cab/Dekaron.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay11...es/MsnPUpld.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/...at.cab55579.cab
O16 - DPF: {5876CAD0-1636-42EA-AC50-4C06F3196089} (HanGamePlugin19 Class) - http://down.hangame....amePlugin19.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.n...WebLauncher.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/...O1.cab55579.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zon...nt.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1009 Class) - http://r2.hangame.co...anSetup1009.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gra...protect/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://cabalonline.n...utComponent.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/...xy.cab55579.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zon...ss.cab55200.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

The computer is running fine now. Sometimes the internet is slow, but I think that's the company. Haha. When I checked the HJT, it did not detect anything with WinAnti-Virus2007. That's the weird thing; it wasn't in the uninstaller list, and yeah. >_>

#21 Juliet (Forum Deity; Trusted Advisor; 843 posts)

Posted 23 June 2007 - 07:09 AM

Welcome back

The computer is running fine now. Sometimes the internet is slow, but I think that's the company. Haha. When I checked the HJT, it did not detect anything with WinAnti-Virus2007.

:thumbsup:

I see in your startup programs list two active firewalls?
Sygate Firewall
Outpost Firewall
One needs to be removed; this would be a huge waste of system resources, and it will not give you added protection but rather conflicts along with errors.


Please disable SpySweeper, as it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.

To disable SpySweeper:

Open it, click > Options over to the left then > click the Program tab > Uncheck "Start Spy Sweeper at Windows startup".
Over to the left click "shields"
  • Click the "Internet Explorer" tab and uncheck all there.
  • Click the "Windows System" tab and uncheck all there.
  • Click the "Host File" tab and uncheck all there.
  • Click the "Startup Programs" tab and uncheck "Startup Items Shield".
Remember after your system is clean to re-enable Spy Sweeper.



Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://nprotect1.gra...Crypt/npkcx.cab


We're going to continue on to clean you up.
Next open OTMoveIt, then click on "CleanUp!". If you receive a warning from your Firewall please allow it. In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
Do not edit anything in that Window!
Don't worry if it displays some tools you didn't download/use.
Click Yes when it asks to Begin cleanup process.
Then reboot your computer.


Start->Control Panel->System, System restore. Check "Turn off System Restore" and reboot. That will erase all restore points.
After reboot, go back in and turn System Restore back on. That will flush system restore out.
More info and screenshots:
http://service1.syma...src=sec_doc_nam
You can find instructions on how to disable and reenable system restore here also:
Windows XP System Restore Guide



If there are no more issues or problems you're good to go!

Below I have included a number of recommendations to protect your computer in order to prevent future malware infections.

Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


Install and Update SpywareBlaster. It protects against bad ActiveX, browser hijackers, and dialers that are some of the fastest-growing threats on the Internet today.
Tutorial

IE-SPYAD puts over 5000 sites in your restricted zone so you will be protected when you visit innocent-looking sites that aren't actually innocent at all.
Tutorial

Install and Update Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would antivirus software.
Tutorial
Run on a regular basis

Install and Update Ad-Aware SE Personal
You should also scan your computer with this program on a regular basis, just as you would antivirus software, in conjunction with Spybot.
Tutorial
Run on a regular basis

SUPERAntiSpyware
This is another excellent FREE scanner to look for nasties that might be lurking in your system.
SUPERAntiSpyware and AVG Anti-Spyware complement each other very well. Quick Guide: How to use!

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.
And run them regularly, as this can prevent a great deal of spyware hassle.

Please take the time to read this article with suggestions and information on 'Safe Computing Practices.'

So how did I get infected in the first place?
Another valuable article to read: Dealing with Unwanted Spyware and Parasites
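The triage Juliet does on the HijackThis log posted in #20 (spotting the Outpost entry whose file is gone, the two firewall products started from the Run keys and services, and the O16 ActiveX download she wants fixed) can be scripted. The following is an added example and is not code from the thread or from HijackThis itself. The section regex, the firewall keyword table and the allow-list of trusted O16 download hosts are my assumptions, and the sample lines are a constructed subset of the #20 log in which the download URLs (truncated in the thread) are replaced by example.test placeholders.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code).

Assumptions: HJT entries are lines of the form "<section> - <body>", where the
section is R0/R1/O2/O3/O4/O9/O16/O23 etc.  The firewall keyword table and the
trusted-host allow-list below are constructed for this example.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Constructed allow-list: hosts from which O16 ActiveX downloads are tolerated.
TRUSTED_DPF_HOSTS = {"vendor-updates.example.test"}

# Keyword -> product name.  Two distinct products here means two firewalls.
FIREWALL_KEYWORDS = {"sygate": "Sygate", "outpost": "Outpost", "agnitum": "Outpost"}

# Constructed sample: a subset of the log posted in #20, with placeholder URLs.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://vendor-updates.example.test/wga/validation.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://unknown-cdn.example.test/Crypt/npkcx.cab
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {'section': 'O4', 'body': ...} records.
    Header lines, the running-process list and blank lines do not match."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_missing_files(entries: List[Dict[str, str]]) -> List[str]:
    """Entries whose target HJT could not find on disk: dead pointers left
    behind by an uninstalled product, and a sign that removal was incomplete."""
    return [e["body"] for e in entries if e["body"].endswith("(file missing)")]


def find_firewalls(entries: List[Dict[str, str]]) -> List[str]:
    """Distinct firewall products visible in Run keys (O4) and services (O23)."""
    seen = set()
    for e in entries:
        if e["section"] not in ("O4", "O23"):
            continue
        lower = e["body"].lower()
        for keyword, product in FIREWALL_KEYWORDS.items():
            if keyword in lower:
                seen.add(product)
    return sorted(seen)


def untrusted_dpf(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """O16 (Downloaded Program Files) controls fetched from hosts outside the
    allow-list, returned as (control description, host)."""
    flagged = []
    for e in entries:
        if e["section"] != "O16":
            continue
        url = URL_RE.search(e["body"])
        if not url:
            continue
        host = (urlparse(url.group(0)).hostname or "").lower()
        description = e["body"].split(" - ", 1)[0]  # "DPF: {CLSID} (Name)"
        if host not in TRUSTED_DPF_HOSTS:
            flagged.append((description, host))
    return flagged


def triage(text: str) -> Dict[str, object]:
    """Summarise the three checks a helper runs first on a posted log."""
    entries = parse_hjt(text)
    firewalls = find_firewalls(entries)
    return {
        "entries": len(entries),
        "missing_files": find_missing_files(entries),
        "firewalls": firewalls,
        "duplicate_firewalls": len(firewalls) > 1,
        "untrusted_dpf": untrusted_dpf(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A script like this does not decide what is malicious; it surfaces the things a helper checks first (entries whose file is gone, more than one real-time firewall, and ActiveX controls pulled from hosts you do not recognise) so that the human review can start from the suspicious lines rather than the full log.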

#22 Juliet (Forum Deity; Trusted Advisor; 843 posts)

Posted 05 July 2007 - 08:58 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.
