OuterInfo Problem


  • This topic is locked
7 replies to this topic

#1 alyrian

  • Full Member
  • 3 posts

Posted 22 May 2007 - 11:05 AM

Hello,

I have a problem with some software that got installed on my computer, and I don't know how. It's called OuterInfo; I tried uninstalling it, but after a reboot it comes back again. It shows in Add/Remove Programs that it takes 600Mb of space. Since I noticed it was there, the computer has been very slow, and sometimes ZoneAlarm comes up with some files trying to access the internet.

I followed your instructions and did them in order: a full scan with Ad-Aware and Spybot, then AVG in Safe Mode, then Kaspersky online, and finally HijackThis.

Here are all the logs, starting with HijackThis, then Kaspersky, then AVG Anti-Spyware 7.5.

Thanks a lot for your help.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:47:17, on 22/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tools\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\System\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\System\Aqua Dock\Aqua Dock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\INTERNET\FIREFOX\FIREFOX.EXE
C:\Documents and Settings\Stev\My Documents\HiJack\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BDBD6C8B-3C16-4179-A640-429105C4455D} - C:\WINDOWS\system32\byxyv.dll
O2 - BHO: (no name) - {DA0C29E1-1889-41EC-981F-19C48FFAFCD4} - C:\WINDOWS\system32\nnnoomj.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\System\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\wjlojies.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Aqua Dock.lnk = C:\Program Files\System\Aqua Dock\Aqua Dock.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldling...ord=lingoregnow
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldling...ord=lingoregnow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122660550914
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179410202254
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: byxyv - C:\WINDOWS\system32\byxyv.dll
O20 - Winlogon Notify: nnnoomj - C:\WINDOWS\SYSTEM32\nnnoomj.dll
O20 - Winlogon Notify: winucv32 - winucv32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Tools\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: BestSync Synchronizer Service (BestSyncSvc) - Unknown owner - C:\Program Files\Tools\FolderSync\BestSyncSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10879 bytes
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 22, 2007 4:44:49 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/05/2007
Kaspersky Anti-Virus database records: 326247
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 193737
Number of viruses found 11
Number of infected objects 42
Number of suspicious objects 0
Duration of the scan process 03:36:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04700000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04700001.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540001.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540002.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540003.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540004.VBN Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540005.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0000.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B740000.VBN Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB40000.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BB40001.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100000.VBN Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.jf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100002.VBN Infected: Trojan.Win32.Agent.qt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100003.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D100004.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D140000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stev\Application Data\.purple\logs\icq\172304175\.system\2007-05-22.113144+0100IST.txt Object is locked skipped
C:\Documents and Settings\Stev\Application Data\.purple\logs\msn\alyrian@hotmail.com\.system\2007-05-22.113150+0100IST.txt Object is locked skipped
C:\Documents and Settings\Stev\Application Data\.purple\logs\msn\alyrian@hotmail.com\gwenaelle.norcutt@hotmail.co.uk\2007-05-22.125247+0100IST.txt Object is locked skipped
C:\Documents and Settings\Stev\Application Data\.purple\logs\msn\alyrian@hotmail.com\kingsleyho@hotmail.com\2007-05-22.125527+0100IST.txt Object is locked skipped
C:\Documents and Settings\Stev\Application Data\.purple\logs\yahoo\alyrian69\.system\2007-05-22.113143+0100IST.txt Object is locked skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 ... /ist1.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 ... /crack.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 ... /ist1.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 ... /crack.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/U ... /[From "Lamoriniere, Steven" ][Date Mon, 18 Jul 2005 15:16:52 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNA ... /[From "Bismarck, Alexander" ][Date Wed, 13 Jul 2005 14:00:56 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNA ... ... /[From "Menzel, Robert" ][Date Wed, 16 Mar 2005 12:28:23 +0100]/text Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNA ... /[Fr ... /[From "Doris Pappoe" ][Date Tue, 15 Mar 2005 17:37:39 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNA ... /[From "Bismarck, Alexander" ][Date Mon, 14 Mar 2005 10:54:13 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNAMED/[Fro ... / ... /[From "arnaud fouchet" ][Date Sun, 13 Mar 2005 13:11:04 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNAMED/[Fro ... /[From "Frank Thielmann" ][Date Wed, 9 Mar 2005 19:18:50 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNAMED/[From "Tran ... /[From "Roland Smith" ][Date Thu, 3 Mar 2005 15:24:17 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNAMED/[From "Tran, Michael Q T" ][Date Fri, 25 Feb 2005 13:52:30 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Wed, 23 Feb 2005 15:18:36 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED/[From "Milo Shaffer" ][Date Mon, 21 Feb 2005 19:33:05 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED/[From "Shaffer, Milo S P" ][Date Tue, 1 Jun 2004 15:24:53 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX/[From "Simpson, Rebecca" ][Date Thu, 3 Jun 2004 09:10:40 +0100]/UNNAMED Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX Mail Berkeley mbox: infected - 18 skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\INBOX.msf Object is locked skipped
C:\Documents and Settings\Stev\Application Data\Thunderbird\Profiles\rsxs5rew.default\ImapMail\icex.imperial.ac.uk\Trash.msf Object is locked skipped
C:\Documents and Settings\Stev\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Stev\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Stev\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Stev\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stev\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Stev\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Stev\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Stev\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\LAMO.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\byxyv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\cbxvvwu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\nnnoomj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wjlojies.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\Temp\ZLT02891.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07ace.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\Personal\DL\Temp\002.part Object is locked skipped
D:\Personal\DL\Temp\003.part Object is locked skipped
D:\Personal\DL\Temp\004.part Object is locked skipped
D:\Personal\DL\Temp\001.part Object is locked skipped
D:\Personal\DL\Temp\012.part Object is locked skipped
D:\Personal\DL\Temp\013.part Object is locked skipped
D:\Personal\DL\Temp\017.part Object is locked skipped
D:\Personal\DL\Temp\020.part Object is locked skipped
D:\Personal\DL\Temp\029.part Object is locked skipped
Scan process completed.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:11:57 22/05/2007

+ Scan result:
:mozilla.6:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.43:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Stev\Cookies\stev@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.36:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.37:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.38:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.39:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Stev\Cookies\stev@skype[1].txt -> TrackingCookie.Skype : Cleaned.
:mozilla.53:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.54:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.55:C:\Documents and Settings\Stev\Application Data\Mozilla\Firefox\Profiles\xm3p98r8.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Temp\win56.tmp.exe -> Trojan.Agent.qt : Cleaned.
C:\Documents and Settings\Stev\Local Settings\Temporary Internet Files\Content.IE5\LFGWO1EY\q3q99[1].exe -> Trojan.Dialer.pz : Cleaned.
C:\WINDOWS\system32\winucv32.dll -> Trojan.Dialer.qn : Cleaned.
C:\Program Files\Dassault Systemes\B16\intel_a\resources\msgcatalog\German\CATMMediaCaptureSizeDialog.CATNls -> Trojan.Runner.i : Cleaned.
D:\Win XP Setup\ Microsoft Windows Key Gen. 2003 or XP Pro or Office-XP keygen(1).zip/XPKey.exe -> Trojan.Small.edz : Cleaned.


::Report end

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 25 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 27 May 2007 - 10:58 AM

Hello,

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Open your Control Panel in *Add/Remove Programs* look for the following

Think-Adz Search Assistant
Enhanced Ads by Think-Adz
Surfsidekick
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
(Anything) by OIN
Zolero
Tizzletalk
MediaTickets
Cowabanga
outerinfo

and any other programs you didn't install or don't recognize. If you're not sure, please ask first.

If found, click on it and click remove.

Do not restart the computer

Then, download and run this OiUninstaller.exe uninstaller: follow the instructions on this page.
http://www.outerinfo.com/howto.html

=*=

Please download Atribune's VundoFix.exe from this site:
http://www.atribune..../click.php?id=4 and place it on your desktop.

Double-click VundoFix.exe to run it.

Click the Scan for Vundo button.

Once it's done scanning, click the Remove Vundo button.

You will receive a prompt asking if you want to remove the files,
click YES

Once you click yes, your desktop will go blank as it starts removing
Vundo.

When completed, it will prompt that it will reboot your computer,
click OK.

=*=

  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {BDBD6C8B-3C16-4179-A640-429105C4455D} - C:\WINDOWS\system32\byxyv.dll
O2 - BHO: (no name) - {DA0C29E1-1889-41EC-981F-19C48FFAFCD4} - C:\WINDOWS\system32\nnnoomj.dll
O20 - Winlogon Notify: byxyv - C:\WINDOWS\system32\byxyv.dll
O20 - Winlogon Notify: nnnoomj - C:\WINDOWS\SYSTEM32\nnnoomj.dll
O20 - Winlogon Notify: winucv32 - winucv32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete these files:

C:\WINDOWS\system32\nnnoomj.dll
O20 - Winlogon Notify: byxyv - C:\WINDOWS\system32\byxyv.dll

Restart the computer normally.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
Let me know what problems persist.

Please post the contents of C:\vundofix.txt and a new HiJackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
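The O2/O20 entries nasdaq asks to fix above are the persistence pair that makes this infection survive a reboot: a nameless Browser Helper Object loads a randomly named DLL from system32 into Internet Explorer, and the same DLL is registered as a Winlogon Notify package, so winlogon.exe reloads it at every logon whether or not the uninstaller ran. The script below is an added example written for this page; it is not a tool from the thread, from HijackThis or from VundoFix. It triages the HijackThis lines quoted in this thread (the sample text is copied from the logs and labelled as constructed) and, for each flagged DLL, lists the reversed-name .ini/.bak companions that the VundoFix output further down reports next to byxyv.dll (vyxyb.ini, vyxyb.bak1, vyxyb.bak2). The rule that a BHO directly in the system32 root with "(no name)" is suspect is a heuristic drawn from these logs, not a general rule from the page.

```python
"""Triage HijackThis O2/O20 lines for the Vundo-style BHO + Winlogon Notify pair.

Added example for this thread (not HijackThis, VundoFix or nasdaq's own
tooling). Heuristics come from the entries quoted in the posts above:
  * an O2 BHO with "(no name)" whose DLL sits directly in \WINDOWS\system32
  * an O20 Winlogon Notify package pointing at that same DLL (winlogon.exe
    reloads it at every logon, which is why the infection survives a reboot)
  * an O20 entry marked "(file missing)", i.e. an orphan registry value
For each flagged DLL it also lists the reversed-stem companions VundoFix
reported in this thread (byxyv.dll -> vyxyb.ini, vyxyb.bak1, vyxyb.bak2).
"""
import re
from typing import Dict, List

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A file directly under <drive>:\WINDOWS\system32, not in a vendor subfolder.
SYSTEM32_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis logs in this thread, plus
# one benign O2 entry and one O23 entry so the filter has something to leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDBD6C8B-3C16-4179-A640-429105C4455D} - C:\WINDOWS\system32\byxyv.dll
O2 - BHO: (no name) - {DA0C29E1-1889-41EC-981F-19C48FFAFCD4} - C:\WINDOWS\system32\nnnoomj.dll
O20 - Winlogon Notify: byxyv - C:\WINDOWS\system32\byxyv.dll
O20 - Winlogon Notify: nnnoomj - C:\WINDOWS\SYSTEM32\nnnoomj.dll
O20 - Winlogon Notify: winucv32 - winucv32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def base_name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def companion_names(dll_base: str) -> List[str]:
    """Reversed-stem companion files of the kind seen in this thread's VundoFix output."""
    stem = dll_base.rsplit(".", 1)[0]
    rev = stem[::-1]
    return [f"{rev}.ini", f"{rev}.bak1", f"{rev}.bak2"]


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious O2/O20 line, in log order (O2 first)."""
    bhos, notifies = [], []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append(m.groupdict())

    # Step 1: nameless BHOs loaded straight out of the system32 root.
    suspect = {
        base_name(b["path"])
        for b in bhos
        if b["name"] == "(no name)" and SYSTEM32_ROOT_RE.match(b["path"])
    }

    findings: List[Dict[str, object]] = []
    for b in bhos:
        dll = base_name(b["path"])
        if dll in suspect:
            findings.append({
                "kind": "O2", "dll": dll, "clsid": b["clsid"],
                "reason": "nameless BHO loaded from the system32 root",
                "companions": companion_names(dll),
            })
    # Step 2: Winlogon Notify packages that are orphans or reload a suspect BHO DLL.
    for n in notifies:
        dll = base_name(n["path"])
        if n["missing"]:
            findings.append({
                "kind": "O20", "dll": dll, "clsid": None,
                "reason": "orphan Winlogon Notify entry (file missing)",
                "companions": [],
            })
        elif dll in suspect:
            findings.append({
                "kind": "O20", "dll": dll, "clsid": None,
                "reason": "Winlogon Notify package is also a nameless BHO; "
                          "reloaded by winlogon.exe at every logon",
                "companions": companion_names(dll),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:<4}{f['dll']:<14}{f['reason']}")
        if f["companions"]:
            print("     also look for:", ", ".join(f["companions"]))
```

Run against the sample it flags both BHOs, both live Winlogon Notify packages and the orphan winucv32 entry, and leaves the Adobe BHO and the ZoneAlarm service alone. The companion list is only a hint of what to look for on disk; the files still have to be removed while nothing has them loaded, which is why the instructions above run VundoFix and reboot before the next HijackThis scan.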

#4 alyrian

    Member

  • Full Member
  • 3 posts

Posted 29 May 2007 - 10:24 AM

Hi nasdaq,

Thanks a lot for all your help. I did everything you said and here are the new logs.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:12:10, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Tools\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\System\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\System\Aqua Dock\Aqua Dock.exe
C:\Documents and Settings\Stev\My Documents\HiJack\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\System\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Aqua Dock.lnk = C:\Program Files\System\Aqua Dock\Aqua Dock.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldling...ord=lingoregnow
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldling...ord=lingoregnow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122660550914
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179410202254
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Tools\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: BestSync Synchronizer Service (BestSyncSvc) - Unknown owner - C:\Program Files\Tools\FolderSync\BestSyncSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10373 bytes


DrWeb log:

WinAntiVirusPro2007FreeInstall[1].exe;C:\Documents and Settings\Stev\Local Settings\Temporary Internet Files\Content.IE5\HSU2NGI3;Trojan.DownLoader.10963;Deleted.;
backup-20070529-103831-614.dll;C:\Documents and Settings\Stev\My Documents\HiJack\backups;Trojan.Virtumod;Deleted.;
ENOVWebActiveXDll.dll;C:\Program Files\Dassault Systemes\B16\intel_a\code\bin;Probably DLOADER.Trojan;;



VundoFix V6.4.1

Checking Java version...

Scan started at 10:12:53 29/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\byxyv.dll
C:\WINDOWS\system32\cbxvvwu.dll
C:\WINDOWS\system32\vyxyb.bak1
C:\WINDOWS\system32\vyxyb.bak2
C:\WINDOWS\system32\vyxyb.ini
C:\WINDOWS\system32\wjlojies.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\byxyv.dll
C:\WINDOWS\system32\byxyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxvvwu.dll
C:\WINDOWS\system32\cbxvvwu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyxyb.bak1
C:\WINDOWS\system32\vyxyb.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyxyb.bak2
C:\WINDOWS\system32\vyxyb.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\vyxyb.ini
C:\WINDOWS\system32\vyxyb.ini Has been deleted!

Performing Repairs to the registry.
Done!


Now the system seems to run fine. On the "Probably DLOADER.Trojan" found by DrWeb, I didn't quarantine the files as they are part of 2 pieces of software I use quite often; it seems to be just for activation purposes, but as they are DLLs I am not sure. Shall I quarantine them just in case?

Cheers Nasdaq

#5 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 30 May 2007 - 07:38 AM

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nice work, your log is clean of malware.

Now the system seems to run fine. On the "Probably DLOADER.Trojan" found by DrWeb, I didn't quarantine the files as they are part of 2 pieces of software I use quite often; it seems to be just for activation purposes, but as they are DLLs I am not sure. Shall I quarantine them just in case?

No, if it's not broken, do not fix it.

You may wish to clean these empty items.

  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldling...ord=lingoregnow (file missing)
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0023-ABCDEFABCDEF} (JInitiator 1.3.1.23) -


Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally to reset the registry.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#6 alyrian

    Member

  • Full Member
  • 3 posts

Posted 31 May 2007 - 04:45 AM

Everything done. I include a last HijackThis log just in case, but now the system is running perfectly fine and with the speed I had before, so it's great.

Thanks a lot again, very much appreciated.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:40:13, on 31/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\System\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\System\Aqua Dock\Aqua Dock.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Stev\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Stev\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\Stev\My Documents\HiJack\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\System\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Aqua Dock.lnk = C:\Program Files\System\Aqua Dock\Aqua Dock.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldling...ord=lingoregnow
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldling...ord=lingoregnow
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122660550914
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1179410202254
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Tools\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: BestSync Synchronizer Service (BestSyncSvc) - Unknown owner - C:\Program Files\Tools\FolderSync\BestSyncSvc.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Hard Drive Thermal (HDThermal) - Hewlett-Packard Company - C:\Program Files\HPQ\HDThermal\HDThermal.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 10153 bytes

#7 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 31 May 2007 - 07:18 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#8 nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 11 June 2007 - 08:21 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
nasdaq




