Jump to content


Photo

Help with log file !


  • This topic is locked This topic is locked
10 replies to this topic

#1 Ericks

Ericks

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 29 June 2007 - 04:43 PM

The comp has a horrible pop up problem , most of the blockers and what not cant seem to fix it. I've run ad aware , avg , CWShredder etc. but can't seem to get it all. It's also been very slow . I don't know the extent of the problems , these are just the major ones . Thanks in advance !

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:10:46 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\Documents and Settings\Belle\Desktop\BeLLA\Hijack this\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rd.yahoo.com/...?.redir=ymmapi1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar41.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar41.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLSYMP] C:\WINDOWS\FLSYMP.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [pqvgjjsmu] c:\windows\system32\pqvgjjsmu.exe pqvgjjsmu
O4 - HKLM\..\Run: [hegrcl] c:\windows\system32\hegrcl.exe hegrcl
O4 - HKLM\..\Run: [ttlhpu] c:\windows\system32\ttlhpu.exe ttlhpu
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [vlnjbkqt] c:\windows\system32\vlnjbkqt.exe -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iahqtdlu] c:\windows\system32\iahqtdlu.exe iahqtdlu
O4 - HKCU\..\Run: [qausvxp] c:\windows\system32\qausvxp.exe qausvxp
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Belle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 8983 bytes

#2 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 13 July 2007 - 03:08 AM

Hi,

You have a lot of Adware on this PC.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Please also post a fresh HiJackThis log.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#3 Ericks

Ericks

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 18 July 2007 - 06:22 PM

Sorry for such a late reply , heres a log from both .


newdotnet7_48.dll;c:\program files\newdotnet;Adware.NewDotNet;Incurable.Moved.;
atrc8parb_.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SAHAgent;Incurable.Moved.;
hqrhil7kg_.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SAHAgent;Incurable.Moved.;
liqp7c25q_.dll;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SAHAgent;Incurable.Moved.;
umqltg4cl_.exe;C:\Documents and Settings\Owner\Local Settings\Temp;Adware.SAHAgent;Incurable.Moved.;
rav_temp.exe;C:\Documents and Settings\Owner\Local Settings\Temp\EACDownload;Probably DLOADER.Trojan;Incurable.Moved.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\Documents and Settings\Owner\Local Settings\Temp\ICD2.tmp;Trojan.DownLoader.10346;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\Documents and Settings\Owner\Local Settings\Temp\ICD3.tmp;Trojan.DownLoader.10346;Deleted.;
UWAS6_0001_N69M0903NetInstaller.exe;C:\Documents and Settings\Owner\Local Settings\Temp\ICD4.tmp;Trojan.Fakealert;Deleted.;
PPCInstall.dll;C:\Documents and Settings\Owner\Local Settings\Temp\PeoplePC\ISP6130;Probably STPAGE.Trojan;Incurable.Moved.;
PPCInstall.dll;C:\Documents and Settings\Owner\Local Settings\Temp\PeoplePC Online;Probably STPAGE.Trojan;Incurable.Moved.;
BH2.exe;C:\Documents and Settings\Owner\Local Settings\Temp\pft3B~tmp;Modification of APE.based;Moved.;
UmFjR3VFVXlxNVlBQUNFbTBBTQ1[1].htm;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OHAJQZK9;Win32.HLLM.Graz;Incurable.Moved.;
installdrivecleanerstart.exe;C:\Documents and Settings\Owner\My Documents;Trojan.DownLoader.13909;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
msnfixjs.js;C:\hp\patches\32WW5MSN\msnfix;Probably SCRIPT.Virus;Incurable.Moved.;
EN_CA-ie.reg;C:\hp\region;Trojan.StartPage.1505;Deleted.;
NNWDAC638.EXE;C:\Program Files\FileSubmit\dmblndbringtolife.zip;Adware.NewDotNet;Incurable.Moved.;
NNWDAC638.EXE;C:\Program Files\FileSubmit\kjaqueendnd.exe;Adware.NewDotNet;Incurable.Moved.;
PPCInstall.dll;C:\Program Files\PeoplePC\ISP6330\Bin;Probably STPAGE.Trojan;Incurable.Moved.;
NNWDAB638.EXE;C:\Program Files\themexp;Adware.NewDotNet;Incurable.Moved.;
A0122738.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Zango;Incurable.Moved.;
A0123196.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Altnet;Incurable.Moved.;
A0123200.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Altnet;Incurable.Moved.;
A0123203.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Altnet;Incurable.Moved.;
A0123204.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Altnet;Incurable.Moved.;
A0123206.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP404;Adware.Altnet;Incurable.Moved.;
A0123473.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP405;Adware.Zango;Incurable.Moved.;
A0124329.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124330.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124331.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124332.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124333.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Adware.F1Organizer;Incurable.Moved.;
A0124338.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124339.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124340.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124341.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124342.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124343.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124344.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124345.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124346.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124347.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0124354.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;BackDoor.Ruller;Incurable.Moved.;
A0124356.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP406;Dialer.Egroup;Incurable.Moved.;
A0127779.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.SaveNow;Incurable.Moved.;
A0128761.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.Relevant;Incurable.Moved.;
A0128769.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.SaveNow;Incurable.Moved.;
A0128775.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.SaveNow;Incurable.Moved.;
A0128794.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.NewDotNet;Incurable.Moved.;
A0128800.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP412;Adware.Relevant;Incurable.Moved.;
A0128825.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP413;Adware.Relevant;Incurable.Moved.;
A0128861.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP413;Adware.Whenu;Incurable.Moved.;
A0128870.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP413;Adware.SaveNow;Incurable.Moved.;
A0128904.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP414;Adware.SaveNow;Incurable.Moved.;
A0128915.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP414;Adware.SaveNow;Incurable.Moved.;
A0128938.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP414;Adware.Relevant;Incurable.Moved.;
A0128951.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP415;Adware.Whenu;Incurable.Moved.;
A0128955.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP415;Adware.SaveNow;Incurable.Moved.;
A0129036.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP415;Adware.SaveNow;Incurable.Moved.;
A0129093.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP415;Adware.Relevant;Incurable.Moved.;
A0129426.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP417;Adware.Whenu;Incurable.Moved.;
A0129427.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP417;Adware.SaveNow;Incurable.Moved.;
A0129460.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP417;Modification of APE.based;Moved.;
A0134805.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP420;Program.OSS-Proxy;Incurable.Moved.;
A0149418.EXE;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Websearch;Incurable.Moved.;
A0149425.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.SaveNow;Incurable.Moved.;
A0149426.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.SaveNow;Incurable.Moved.;
A0149427.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.SaveNow;Incurable.Moved.;
A0149428.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.MyWay;Incurable.Moved.;
A0149432.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149434.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Trojan.Isbar.438;Deleted.;
A0149436.SCR;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149438.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149439.EXE;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149440.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Trojan.DownLoader.7028;Deleted.;
A0149442.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149444.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149445.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.MWS;Incurable.Moved.;
A0149446.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149447.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149452.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Msearch;Incurable.Moved.;
A0149455.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.MWS;Incurable.Moved.;
A0149457.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.NewDotNet;Incurable.Moved.;
A0149458.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.NewDotNet;Incurable.Moved.;
A0149459.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.SaveNow;Incurable.Moved.;
A0149460.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.nCase;Incurable.Moved.;
A0149461.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.nCase;Incurable.Moved.;
A0149462.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.NewDotNet;Incurable.Moved.;
A0150405.DLL;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP429;Adware.Websearch;Incurable.Moved.;
A0154615.dll;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP434;Adware.NewDotNet;Incurable.Moved.;
A0154616.exe;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP434;Trojan.KillApp.30208;Deleted.;
A0154617.reg;C:\System Volume Information\_restore{F03BC7CA-958E-4E73-B64E-7D9F75261CF2}\RP434;Trojan.StartPage.1505;Deleted.;
NDNuninstall7_48.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.DownLoader.10346;Deleted.;
UWAS6_0001_N69M0903NetInstaller.exe;C:\WINDOWS\Downloaded Program Files;Trojan.Fakealert;Deleted.;
UWA6P_0001_N822M1605NetInstaller.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Trojan.DownLoader.10346;Deleted.;
TTIL.exe;C:\WINDOWS\iLookup;Adware.Ezula;Incurable.Moved.;
egaccess4_1066.dll;C:\WINDOWS\system32;Dialer.Egroup;Incurable.Moved.;
f3PSSavr.scr;C:\WINDOWS\system32;Adware.Msearch;Incurable.Moved.;
msclock32.dll;C:\WINDOWS\system32;Dialer.Eghost;Deleted.;
msplock32.dll;C:\WINDOWS\system32;Dialer.Eghost;Deleted.;
prodsrvs.exe;C:\WINDOWS\system32;Dialer.Egroup;Incurable.Moved.;
prosvsys.exe;C:\WINDOWS\system32;Dialer.Egroup;Incurable.Moved.;
msnfixjs.js;D:\hp\patches\32WW5MSN\msnfix;Probably SCRIPT.Virus;Incurable.Moved.;


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:19:29 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\IMVU\IMVUClient.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Belle\Desktop\BeLLA\Hijack this\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rd.yahoo.com/...?.redir=ymmapi1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar41.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar41.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLSYMP] C:\WINDOWS\FLSYMP.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [pqvgjjsmu] c:\windows\system32\pqvgjjsmu.exe pqvgjjsmu
O4 - HKLM\..\Run: [echraz] c:\windows\system32\echraz.exe echraz
O4 - HKLM\..\Run: [hegrcl] c:\windows\system32\hegrcl.exe hegrcl
O4 - HKCU\..\Run: [vlnjbkqt] c:\windows\system32\vlnjbkqt.exe -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iahqtdlu] c:\windows\system32\iahqtdlu.exe iahqtdlu
O4 - HKCU\..\Run: [qausvxp] c:\windows\system32\qausvxp.exe qausvxp
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Belle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9088 bytes

#4 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 19 July 2007 - 10:08 AM

Hi again,

Please follow these instructions exactly as shown in order to achieve the best results:

1. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:) or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
2. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

3. Restart your computer in Safe Mode

4. Open My Computer and navigate to the c:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon Posted Image and select EGDACCESS.bfu
  • Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
5. Reboot back to normal mode and post:
  • The content of the file C:\egd.txt that was created by the script.
  • The content of the folder bfubackups in your System(32) folder. This folder was also created by the script.
  • A new HijackThis log
jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#5 Ericks

Ericks

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 20 July 2007 - 02:16 AM

okay heres the rest of the logs . oh but the bfubackups folder didn't contain anything ....


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"WCOLOREAL"="\"C:\\Program Files\\Coloreal\\coloreal.exe\""
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"nwiz"="nwiz.exe /install"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"FLSYMP"="C:\\WINDOWS\\FLSYMP.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\ConnectionManager.exe "="SBC Yahoo! Connection Manager"
"Bart Station"="C:\\Program Files\\PeoplePC\\ISP6330\\BIN\\PPCOLink.exe -STATION"
"My Web Search Bar"="rundll32 C:\\PROGRA~1\\MYWEBS~1\\bar\\2.bin\\MWSBAR.DLL,S"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"pqvgjjsmu"="c:\\windows\\system32\\pqvgjjsmu.exe pqvgjjsmu"
"echraz"="c:\\windows\\system32\\echraz.exe echraz"
"hegrcl"="c:\\windows\\system32\\hegrcl.exe hegrcl"
"euptzqjwo"="c:\\windows\\system32\\euptzqjwo.exe euptzqjwo"



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:10:09 AM, on 7/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Belle\Desktop\BeLLA\Hijack this\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rd.yahoo.com/...?.redir=ymmapi1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar41.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar41.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLSYMP] C:\WINDOWS\FLSYMP.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [pqvgjjsmu] c:\windows\system32\pqvgjjsmu.exe pqvgjjsmu
O4 - HKLM\..\Run: [echraz] c:\windows\system32\echraz.exe echraz
O4 - HKLM\..\Run: [hegrcl] c:\windows\system32\hegrcl.exe hegrcl
O4 - HKCU\..\Run: [vlnjbkqt] c:\windows\system32\vlnjbkqt.exe -start
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [iahqtdlu] c:\windows\system32\iahqtdlu.exe iahqtdlu
O4 - HKCU\..\Run: [qausvxp] c:\windows\system32\qausvxp.exe qausvxp
O4 - HKCU\..\Run: [Instant Access] C:\WINDOWS\system32\linkprd.exe /res
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Belle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 9050 bytes

#6 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 20 July 2007 - 03:19 AM

Hi again,

OK, that's thinned out the Malware quite a lot, though we have a way to go yet. Next step:

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#7 Ericks

Ericks

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 21 July 2007 - 04:32 AM

k heres the log it produced



"Belle" - 2007-07-21 3:19:03 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiVirus Pro 2006\PGE.dat
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\companion wizard\compwiz.exe
C:\Program Files\Common Files\companion wizard\WapCHK.dll
C:\Program Files\Common Files\companion wizard\WapCHK{45B628EE-6703-47AB-BB45-FF279297F734}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{465A138A-D3C5-45B4-B063-2E0D2CBBCCC2}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{7C73DFD3-A1B0-4311-B31E-63FF4A333661}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{7C815F3D-27E1-4CFD-9833-53FF60BC0B60}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{7CF35C3F-B8BA-4775-963D-5BDA9B7574D7}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{9B9F59E5-978E-48DC-B0DD-223C0A9D0F41}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{AEDEB73E-8EC2-4823-89FF-F54902940E5C}.dll
C:\Program Files\Common Files\companion wizard\WapCHK{DE98A4FC-CCE8-4D2A-9A9C-486DCC536A75}.dll
C:\Program Files\newdotnet
C:\WINDOWS\system32\echraz.exe
C:\WINDOWS\system32\euptzqjwo.dat
C:\WINDOWS\system32\euptzqjwo.exe
C:\WINDOWS\system32\euptzqjwo_nav.dat
C:\WINDOWS\system32\euptzqjwo_navps.dat
C:\WINDOWS\system32\hegrcl.dat
C:\WINDOWS\system32\hegrcl.exe
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\nvs2.inf
C:\WINDOWS\system32\pqvgjjsmu.dat
C:\WINDOWS\system32\pqvgjjsmu.exe
C:\WINDOWS\system32\pqvgjjsmu_nav.dat
C:\WINDOWS\system32\pqvgjjsmu_navps.dat
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_VSPF


((((((((((((((((((((((((( Files Created from 2007-06-21 to 2007-07-21 )))))))))))))))))))))))))))))))


2007-07-21 03:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 02:00 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-07-20 01:49 <DIR> d-------- C:\BFU
2007-07-16 21:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-07-16 21:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-06-28 23:52 <DIR> d-------- C:\Program Files\InterMute
2007-06-28 22:36 278,528 --a------ C:\WINDOWS\system32\ttlhpu.exe
2007-06-27 01:37 43,596 --a------ C:\WINDOWS\system32\kpoedwb.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-21 10:05:43 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\IMVU
2007-07-19 11:17:29 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\AdobeUM
2007-06-29 22:06:22 -------- d-----w C:\Program Files\MyWebSearch
2007-06-05 06:38:09 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Yahoo!
2007-06-03 02:01:16 1,834,506 ----a-w C:\WINDOWS\Magic Daydreams.scr
2007-06-03 02:01:16 -------- d-----w C:\Program Files\Magic Daydreams
2007-06-03 02:00:14 2,566,313 ----a-w C:\WINDOWS\Fairy Garden of Dreams.scr
2007-06-03 01:59:19 1,896,605 ----a-w C:\WINDOWS\Enchanted Night.scr
2007-06-03 01:59:19 -------- d-----w C:\Program Files\Enchanted Night
2007-06-01 06:12:31 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Smith Micro
2007-06-01 06:08:58 -------- d-----w C:\Program Files\Verizon Wireless
2007-06-01 06:07:24 -------- d-----w C:\Program Files\LG Drivers
2007-05-30 11:30:56 -------- d-----w C:\Program Files\themexp
2007-05-30 11:27:52 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Help
2007-05-30 03:40:44 -------- d-----w C:\Program Files\Winamp
2007-05-30 03:40:43 -------- d-----w C:\Program Files\Simple Backup for My Pictures
2007-05-30 03:40:42 -------- d-----w C:\Program Files\Quicken
2007-05-30 03:40:40 -------- d-----w C:\Program Files\Movie Maker
2007-05-30 03:40:38 -------- d-----w C:\Program Files\Messenger
2007-05-30 03:40:36 -------- d-----w C:\Program Files\AtBackup
2007-05-30 03:38:57 -------- d-----w C:\Program Files\IMVU
2007-05-29 05:14:25 -------- d-----w C:\Program Files\FileSubmit
2007-05-27 10:18:27 -------- d-----w C:\Program Files\TGTSoft
2007-05-27 05:52:43 1,489,784 ----a-w C:\WINDOWS\Underworld.scr
2007-05-27 05:52:43 -------- d-----w C:\Program Files\Underworld
2007-05-27 05:47:57 3,828,300 ----a-w C:\WINDOWS\system32\Hentai BabeFest.scr
2007-05-27 05:43:34 149,504 ----a-w C:\WINDOWS\system32\Mpegdll.dll
2007-05-23 06:39:21 1,416 ----a-w C:\WINDOWS\mozver.dat
2007-05-21 06:49:03 94,696 ----a-w C:\WINDOWS\system32\fjlkovh.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 06:25:26 34,834 ----a-w C:\WINDOWS\system32\pstkajwro.exe
2007-05-12 20:48:35 42,134 ----a-w C:\WINDOWS\system32\rqzzorhxl.exe
2007-05-11 07:33:45 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-05-10 19:38:36 46,514 ----a-w C:\WINDOWS\system32\opedpkdlg.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2003-11-10 04:53:46 271 ----a-w C:\Program Files\options.ini
2003-11-10 04:52:51 193,968 -c--a-w C:\Program Files\autosave.sav


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-03-20 15:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 13:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}]
2006-01-19 17:43 176128 --a------ C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2006-01-24 17:07 220672 --a------ C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2427968 -ra------ c:\program files\google\googletoolbar41.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 23:23]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 09:01]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" []
"nwiz"="nwiz.exe" [2002-09-10 00:35 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-19 12:08]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"="" []
"Bart Station"="C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe" [2006-03-21 19:40]
"My Web Search Bar"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-19 23:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vlnjbkqt"="c:\windows\system32\vlnjbkqt.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"iahqtdlu"="c:\windows\system32\iahqtdlu.exe" []
"qausvxp"="c:\windows\system32\qausvxp.exe" []
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\Belle\STARTM~1\Programs\Startup
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2007-05-24 18:46:34]
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 11:32:10]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 20:08:34]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 21:20:02]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [2007-06-29 00:07:30]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-06-19 17:23:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="c:\Program Files\InterMute\SpySubtract\sshook.dll" [2007-06-29 00:07]


**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-21 04:05:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000225

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\ConnectionManager.exe "="SBC Yahoo! Connection Manager"

Completion time: 2007-07-21 4:09:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-21 04:08

--- E O F ---

#8 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 21 July 2007 - 04:44 AM

Hi again,

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
C:\WINDOWS\system32\ttlhpu.exe
C:\WINDOWS\system32\kpoedwb.exe
C:\WINDOWS\system32\fjlkovh.exe
C:\WINDOWS\system32\pstkajwro.exe
C:\WINDOWS\system32\rqzzorhxl.exe
C:\WINDOWS\system32\opedpkdlg.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vlnjbkqt"=-
"iahqtdlu"=-
"qausvxp"=-


Save this as CFScript

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#9 Ericks

Ericks

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 25 July 2007 - 03:39 AM

ok here's both the logs

"Belle" - 2007-07-25 2:08:50 - ComboFix 07-07-17.8 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Belle\Desktop\CFScript.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fjlkovh.exe
C:\WINDOWS\system32\kpoedwb.exe
C:\WINDOWS\system32\opedpkdlg.exe
C:\WINDOWS\system32\pstkajwro.exe
C:\WINDOWS\system32\rqzzorhxl.exe
C:\WINDOWS\system32\ttlhpu.exe


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-21 03:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 02:00 <DIR> d-------- C:\WINDOWS\system32\bfubackups
2007-07-20 01:49 <DIR> d-------- C:\BFU
2007-07-16 21:13 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-07-16 21:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Talkback
2007-06-28 23:52 <DIR> d-------- C:\Program Files\InterMute


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 07:57:17 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\IMVU
2007-07-19 11:17:29 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\AdobeUM
2007-06-29 22:06:22 -------- d-----w C:\Program Files\MyWebSearch
2007-06-05 06:38:09 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Yahoo!
2007-06-03 02:01:16 1,834,506 ----a-w C:\WINDOWS\Magic Daydreams.scr
2007-06-03 02:01:16 -------- d-----w C:\Program Files\Magic Daydreams
2007-06-03 02:00:14 2,566,313 ----a-w C:\WINDOWS\Fairy Garden of Dreams.scr
2007-06-03 01:59:19 1,896,605 ----a-w C:\WINDOWS\Enchanted Night.scr
2007-06-03 01:59:19 -------- d-----w C:\Program Files\Enchanted Night
2007-06-01 06:12:31 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Smith Micro
2007-06-01 06:08:58 -------- d-----w C:\Program Files\Verizon Wireless
2007-06-01 06:07:24 -------- d-----w C:\Program Files\LG Drivers
2007-05-30 11:27:52 -------- d-----w C:\DOCUME~1\Belle\APPLIC~1\Help
2007-05-30 03:40:44 -------- d-----w C:\Program Files\Winamp
2007-05-30 03:40:43 -------- d-----w C:\Program Files\Simple Backup for My Pictures
2007-05-30 03:40:42 -------- d-----w C:\Program Files\Quicken
2007-05-30 03:40:40 -------- d-----w C:\Program Files\Movie Maker
2007-05-30 03:40:38 -------- d-----w C:\Program Files\Messenger
2007-05-30 03:40:36 -------- d-----w C:\Program Files\AtBackup
2007-05-30 03:38:57 -------- d-----w C:\Program Files\IMVU
2007-05-29 05:14:25 -------- d-----w C:\Program Files\FileSubmit
2007-05-27 10:18:27 -------- d-----w C:\Program Files\TGTSoft
2007-05-27 05:52:43 1,489,784 ----a-w C:\WINDOWS\Underworld.scr
2007-05-27 05:52:43 -------- d-----w C:\Program Files\Underworld
2007-05-27 05:47:57 3,828,300 ----a-w C:\WINDOWS\system32\Hentai BabeFest.scr
2007-05-27 05:43:34 149,504 ----a-w C:\WINDOWS\system32\Mpegdll.dll
2007-05-23 06:39:21 1,416 ----a-w C:\WINDOWS\mozver.dat
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 07:33:45 552 ----a-w C:\WINDOWS\system32\d3d8caps.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2003-11-10 04:53:46 271 ----a-w C:\Program Files\options.ini
2003-11-10 04:52:51 193,968 -c--a-w C:\Program Files\autosave.sav


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-03-20 15:39 803864 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2003-11-03 13:17 54248 --a------ C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED}]
2006-01-19 17:43 176128 --a------ C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8FB8EB3-183B-4598-924D-86F0E5E37085}]
2006-01-24 17:07 220672 --a------ C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2427968 -ra------ c:\program files\google\googletoolbar41.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 19:42]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 23:23]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 09:01]
"AutoTBar"="C:\hp\bin\autotbar.exe" []
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" []
"nwiz"="nwiz.exe" [2002-09-10 00:35 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-01-19 12:08]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 C:\WINDOWS\ALCXMNTR.EXE]
"C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"="" []
"Bart Station"="C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe" [2006-03-21 19:40]
"My Web Search Bar"="C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-19 23:24]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

C:\DOCUME~1\Belle\STARTM~1\Programs\Startup
IMVU.lnk - C:\Program Files\IMVU\IMVUClient.exe [2007-05-24 18:46:34]
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe [2005-11-30 11:32:10]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2002-12-02 20:08:34]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2002-09-20 21:20:02]
SpySubtract.lnk - C:\Program Files\InterMute\SpySubtract\SpySub.exe [2007-06-29 00:07:30]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2003-06-19 17:23:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="c:\Program Files\InterMute\SpySubtract\sshook.dll" [2007-06-29 00:07]


**************************************************************************

catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 02:28:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\ConnectionManager.exe "="SBC Yahoo! Connection Manager"

Completion time: 2007-07-25 2:30:10
C:\ComboFix-quarantined-files.txt ... 2007-07-25 02:29
C:\ComboFix2.txt ... 2007-07-21 04:09

--- E O F ---


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:39:11 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\PeoplePC\ISP6330\Browser\Bartshel.exe
C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\PeoplePC\ISP6330\Browser\PPShared.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Belle\Desktop\BeLLA\Hijack this\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://rd.yahoo.com/...?.redir=ymmapi1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PPCScamBHO Class - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar41.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar41.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6330\BIN\PPCOLink.exe -STATION
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music\V CAST Music Monitor.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Belle\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A6E074A-0B3E-4A57-9E6E-792D6C2C8832}: NameServer = 209.244.0.3 209.244.0.4
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 7344 bytes

#10 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 25 July 2007 - 02:35 PM

Hi again,

Good, that's looking a lot better.

Let's see if there are any leftovers:

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • PipPipPipPipPip
  • 15,830 posts

Posted 13 August 2007 - 04:49 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button