Jump to content


Photo

desktop hijacked


  • This topic is locked This topic is locked
8 replies to this topic

#1 richpeterson

richpeterson

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 12 June 2007 - 11:53 PM

My desktop has been hijacked. I can't change my desktop picture. I've run ad-aware, spybot, AVG (log included), BitDefender (log included), F-secure, Panda, and Hijackthis (log included).

I can't get rid of "newdotcom". I presume that is the problem.
Thanks



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:14:50 AM 5/31/2007

+ Scan result:



C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\NewDotNet\newdotnet7_48.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINNT\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink.1 -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CLSID -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Tldctl2.URLLink\CurVer -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\New.net Startup -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-583907252-1935655697-1801674531-1000\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@reciperewards.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@rotator.dex.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@rotator.its.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@thunderbolt.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@ad.admarketplace[2].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@www.adobe[2].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@ads.cnn[2].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@ie.search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Tom and LuRinda Pete\Cookies\tom and lurinda pete@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end





BitDefender Online Scanner



Scan report generated at: Tue, Jun 12, 2007 - 15:12:05





Scan path: A:\;C:\;D:\;







Statistics

Time
01:43:53

Files
168190

Folders
3596

Boot Sectors
2

Archives
8306

Packed Files
9591




Results

Identified Viruses
4

Infected Files
5

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
5




Engines Info

Virus Definitions
513261

Engine build
AVCORE v1.0 (build 2409) (i386) (May 9 2007 18:01:21)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Documents and Settings\Tom and LuRinda Pete\Local Settings\Temp\rr-toolbar.exe=>(NSIS o)=>lzma_solid_nsis0004
Infected with: Trojan.Startpage.DLL

C:\Documents and Settings\Tom and LuRinda Pete\Local Settings\Temp\rr-toolbar.exe=>(NSIS o)=>lzma_solid_nsis0004
Disinfection failed

C:\Documents and Settings\Tom and LuRinda Pete\Local Settings\Temp\rr-toolbar.exe=>(NSIS o)=>lzma_solid_nsis0004
Deleted

C:\Documents and Settings\Tom and LuRinda Pete\Local Settings\Temp\rr-toolbar.exe=>(NSIS o)
Update failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0049=>(CAB Sfx r)=>VVSN.exe
Infected with: Generic.Adw.SaveNow.56AD4696

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0049=>(CAB Sfx r)=>VVSN.exe
Disinfection failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0049=>(CAB Sfx r)=>VVSN.exe
Deleted

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0049=>(CAB Sfx r)
Update failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0050
Detected with: Application.Adware.NewDotNet.B.Dropper

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0050
Deleted

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe
Update failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0052
Infected with: Trojan.Downloader.Agent.AVZ

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0052
Disinfection failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0052
Deleted

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe
Update failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0053
Infected with: Trojan.Downloader.Agent.AVZ

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0053
Disinfection failed

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe=>wise0053
Deleted

C:\Documents and Settings\Tom and LuRinda Pete\My Documents\playtoadgeneralfree.exe
Update failed








Logfile of HijackThis v1.99.1
Scan saved at 4:18:36 PM, on 6/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\You've Got Mail\You've Got Mail.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.equibase....ntry/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HILLPROXY.HILL.AFMC.DS.AF.MIL:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {9285901C-2731-4E57-8F17-6B016168CA98} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmonk32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [You've Got Mail] C:\Program Files\You've Got Mail\You've Got Mail.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .xfd: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.../rr-toolbar.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162954153812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://privacyprotec...cyprotector.cab
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)

#2 Asiadeep

Asiadeep

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 13 June 2007 - 01:37 AM

Am no expert in this but I had that same problem with you. Try download Norton Anti-Virus. You can use it for 15 days free and by which time you should have gotten rid of the virus already anyway.

#3 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,521 posts

Posted 15 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#4 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 17 June 2007 - 03:25 PM

Welcome to the forum :wave:

I apologize for the delay getting to you, the helpers here are all volunteers and we have been very busy here lately.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press the F8 key
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save it to a convienent place.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with the following.
1. Sdfix log
2. Combofix log
3. A fresh HijackThis log
<!--fonto:Century Gothic--><span style="font-family:Century Gothic"><!--/fonto-->
<!--sizeo:2--><span style="font-size:10pt;line-height:100%"><!--/sizeo--><!--coloro:purple--><span style="color:purple"><!--/coloro--><b>Aczechgurl</b><!--colorc--></span><!--/colorc--><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

<!--sizeo:1--><span style="font-size:8pt;line-height:100%"><!--/sizeo--><!--fonto:Arial--><span style="font-family:Arial"><!--/fonto-->

Please consider <a href="http://flyinghamster...om/support-us/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Supporting SWI</b><!--colorc--></span><!--/colorc--></a>'s fight against Malware.

Member of <a href="http://asap.maddoktor2.com/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>ASAP</b><!--colorc--></span><!--/colorc--></a> (Alliance of Security Analysis Professionals)

Fight back <a href="http://www.malwareco...mplaints.info/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Malware Complaints</b><!--colorc--></span><!--/colorc--></a><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

#5 richpeterson

richpeterson

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 18 June 2007 - 11:51 PM

Here are my logs:


SDFix: Version 1.88

Run by Tom and LuRinda Pete on Mon 06/18/2007 at 9:18p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINNT\Downloaded Program Files\UPRP_0001_D21M2103NetInstaller.exe - Deleted
C:\DOCUME~1\TOMAND~1\LOCALS~1\Temp\tmp*.tmp - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINNT\
C:\WINNT
No streams found.

Checking C:\WINNT\system32
C:\WINNT\system32
No streams found.

Checking C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.

Checking C:\WINNT\system32\ntoskrnl.exe
C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\COMMAND.COM
C:\Documents and Settings\Tom and LuRinda Pete\Application Data\Microsoft\Office\Shortcut Bar\Off2.tmp

Listing User Accounts:

User accounts for \\LURINDATOM


Administrator ASPNET Guest
Tom and LuRinda Pete


Finished



ComboFix 07-06-13.7 - C:\Documents and Settings\Tom and LuRinda Pete\Desktop\ComboFix.exe
"Tom and LuRinda Pete" - 06/18/2007 22:33:02 - Service Pack 4 NTFS


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-18 22:32 49,152 --a------ C:\WINNT\nircmd.exe
2007-06-14 21:26 382,464 --a------ C:\WINNT\imgdll.dll
2007-06-14 21:26 172,032 --a------ C:\WINNT\Slideshow.scr
2007-06-11 19:34 <DIR> d-------- C:\WINNT\system32\ActiveScan
2007-06-11 15:09 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-06-09 15:02 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\PureEdge
2007-06-09 14:59 270,336 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-09 14:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Help
2007-05-31 11:25 <DIR> d-------- C:\WINNT\system32\SoftwareDistribution
2007-05-31 09:07 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-05-30 21:30 <DIR> d-------- C:\DOCUME~1\TOMAND~1\APPLIC~1\Lavasoft
2007-05-30 21:29 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-30 21:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-29 08:15 <DIR> d-------- C:\HJT
2007-05-28 19:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 02:01:21 -------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2007-06-12 02:01:08 -------- d-----w C:\Program Files\Microsoft ActiveSync
2007-06-12 02:01:02 -------- d-----w C:\Program Files\You've Got Mail
2007-06-12 02:00:55 -------- d-----w C:\Program Files\PrintKey2000
2007-05-31 17:25:29 -------- d--ha-w C:\Program Files\WindowsUpdate
2007-05-07 23:09:54 -------- d-----w C:\DOCUME~1\TOMAND~1\APPLIC~1\Digital Album Organizer
2007-05-07 23:09:02 -------- d-----w C:\Program Files\Fujifilm e-Systems
2007-05-07 23:09:01 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-03 19:23:08 -------- d-----w C:\Program Files\Calendar Creator 7.0 Deluxe
2007-04-25 07:52:16 147,216 ----a-w C:\WINNT\system32\SCHANNEL.DLL
2007-04-17 04:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 04:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 04:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 04:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 04:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 04:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 04:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 04:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 04:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-17 04:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll
2007-04-16 12:44:08 54,032 ----a-w C:\WINNT\system32\mpr.dll
2007-04-05 07:17:39 2,854,400 ----a-w C:\WINNT\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [05-11-21 15:54 ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [06-12-18 05:16 ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 C:\WINNT\system32\mobsync.exe]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" [03-01-14 18:02 ]
"DSL Connection Tool"="C:\Program Files\MSN\MSNIA\dslmon.exe" [02-10-26 14:43 ]
"C-Media Mixer"="Mixer.exe" [02-10-15 18:00 C:\WINNT\mixer.exe]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [02-10-23 11:40 ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-12-24 14:10 ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [04-09-29 17:49 ]
"masqform.exe"="C:\Program Files\PureEdge\Viewer 6.5\masqform.exe" [05-07-04 10:50 ]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [04-04-19 09:19 ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05-02-16 23:11 ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [06-10-07 06:20 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [04-09-29 17:56 ]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [06-11-13 14:39 ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [06-03-30 17:45 ]
"You've Got Mail"="C:\Program Files\You've Got Mail\You've Got Mail.EXE" [05-11-14 20:23 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Tom and LuRinda Pete\My Documents\My Pictures\Christmas Eve Brkfst 06.bmp
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [06-09-28 08:13 ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
WmdmPmSN

*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS

Contents of the 'Scheduled Tasks' folder
2007-06-10 18:03:01 C:\WINNT\tasks\{09597CDE-5E54-4D69-BC4D-290B1DD086D5}_LURINDATOM_Tom and LuRinda Pete.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 22:39:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-18 22:42:03 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-06-18 22:41

--- E O F ---



Logfile of HijackThis v1.99.1
Scan saved at 10:50:46 PM, on 6/18/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINNT\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\You've Got Mail\You've Got Mail.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.equibase....ntry/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HILLPROXY.HILL.AFMC.DS.AF.MIL:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: (no name) - {9285901C-2731-4E57-8F17-6B016168CA98} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [You've Got Mail] C:\Program Files\You've Got Mail\You've Got Mail.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .xfd: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.../rr-toolbar.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162954153812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://privacyprotec...cyprotector.cab
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)


Thanks so much
Rich

#6 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 19 June 2007 - 09:38 PM

[*]Run HijackThis, Choose "Do a system scan only" and checkmark the box next to the following entries.R3 - URLSearchHook: (no name) - {9285901C-2731-4E57-8F17-6B016168CA98} - (no file)
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.../rr-toolbar.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://privacyprotec...cyprotector.cab
O23 - Service: Microsoft NetWork FireWall Services - Unknown owner - NetServices.exe (file missing)
[*]Close all other windows and browsers, then click "Fix Checked".

Please reboot and post a fresh HijackThis log.

Can you change your desktop now? If not what kind of picture is stuck there is it this one Christmas Eve Brkfst 06.bmp ?
<!--fonto:Century Gothic--><span style="font-family:Century Gothic"><!--/fonto-->
<!--sizeo:2--><span style="font-size:10pt;line-height:100%"><!--/sizeo--><!--coloro:purple--><span style="color:purple"><!--/coloro--><b>Aczechgurl</b><!--colorc--></span><!--/colorc--><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

<!--sizeo:1--><span style="font-size:8pt;line-height:100%"><!--/sizeo--><!--fonto:Arial--><span style="font-family:Arial"><!--/fonto-->

Please consider <a href="http://flyinghamster...om/support-us/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Supporting SWI</b><!--colorc--></span><!--/colorc--></a>'s fight against Malware.

Member of <a href="http://asap.maddoktor2.com/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>ASAP</b><!--colorc--></span><!--/colorc--></a> (Alliance of Security Analysis Professionals)

Fight back <a href="http://www.malwareco...mplaints.info/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Malware Complaints</b><!--colorc--></span><!--/colorc--></a><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

#7 richpeterson

richpeterson

    Member

  • Full Member
  • Pip
  • 41 posts

Posted 05 July 2007 - 08:42 AM

Here's the new log. I think it is fixed. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 8:21:58 AM, on 7/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\WINNT\Mixer.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\You've Got Mail\You've Got Mail.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.equibase....ntry/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = HILLPROXY.HILL.AFMC.DS.AF.MIL:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [You've Got Mail] C:\Program Files\You've Got Mail\You've Got Mail.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Startup: Launch Internet Explorer Browser (2).lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Startup: Launch Microsoft Office Outlook (2).lnk = C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoft....com/activescan (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .xfd: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1162954153812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)

#8 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 05 July 2007 - 08:00 PM

Glad to here your computer is running better. :thumbsup:

I notice you have put Outlook and Internet Explorer in your startup. I am not sure how safe that is. It would be better to launch them from the icon after your Anti-virus and Firewall has had time to load, but it is up to you.

Below I have included a couple recommendations for how to protect your computer in order to prevent future malware infections.

[*]Please make sure to run your antivirus software regularly, and to keep it up-to-date.If your subscription is expired let me know and I can recommend some alternatives.
[*]If you do not already have one, consider maintaining a firewall.[*]Please also read Tony Klein's excellent article: How I got Infected in the First Place
<!--fonto:Century Gothic--><span style="font-family:Century Gothic"><!--/fonto-->
<!--sizeo:2--><span style="font-size:10pt;line-height:100%"><!--/sizeo--><!--coloro:purple--><span style="color:purple"><!--/coloro--><b>Aczechgurl</b><!--colorc--></span><!--/colorc--><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

<!--sizeo:1--><span style="font-size:8pt;line-height:100%"><!--/sizeo--><!--fonto:Arial--><span style="font-family:Arial"><!--/fonto-->

Please consider <a href="http://flyinghamster...om/support-us/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Supporting SWI</b><!--colorc--></span><!--/colorc--></a>'s fight against Malware.

Member of <a href="http://asap.maddoktor2.com/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>ASAP</b><!--colorc--></span><!--/colorc--></a> (Alliance of Security Analysis Professionals)

Fight back <a href="http://www.malwareco...mplaints.info/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Malware Complaints</b><!--colorc--></span><!--/colorc--></a><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

#9 aczechgurl

aczechgurl

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 5,577 posts

Posted 07 July 2007 - 07:32 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
<!--fonto:Century Gothic--><span style="font-family:Century Gothic"><!--/fonto-->
<!--sizeo:2--><span style="font-size:10pt;line-height:100%"><!--/sizeo--><!--coloro:purple--><span style="color:purple"><!--/coloro--><b>Aczechgurl</b><!--colorc--></span><!--/colorc--><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->

<!--sizeo:1--><span style="font-size:8pt;line-height:100%"><!--/sizeo--><!--fonto:Arial--><span style="font-family:Arial"><!--/fonto-->

Please consider <a href="http://flyinghamster...om/support-us/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Supporting SWI</b><!--colorc--></span><!--/colorc--></a>'s fight against Malware.

Member of <a href="http://asap.maddoktor2.com/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>ASAP</b><!--colorc--></span><!--/colorc--></a> (Alliance of Security Analysis Professionals)

Fight back <a href="http://www.malwareco...mplaints.info/" target="_blank"><!--coloro:blue--><span style="color:blue"><!--/coloro--><b>Malware Complaints</b><!--colorc--></span><!--/colorc--></a><!--sizec--></span><!--/sizec--><!--fontc--></span><!--/fontc-->




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button