
Thread: Not sure what is infecting me

  1. #1
    Junior Member
    Join Date
    Sep 2007
    Posts
    28

    Not sure what is infecting me

    Hello,
    I am not sure what is infecting me. When I start Windows it starts up strangely: very slow, the music comes on before the desktop appears, and my ZoneAlarm shows this box about initializing setup. Also, I get a lot of "that website is offline" messages from IE. I also get a "There is no disk in the drive." error and occasionally some other errors that I don't remember.

    I run my antivirus and it usually finds stuff, but never the same stuff. I run my Spybot and it comes back pretty much clear, a few cookies but that's about it. I just can't find out what is actually causing all my grief. Can someone look at my HijackThis file and see if they see anything odd? I can't seem to get Kaspersky to work. It keeps giving me an error that it cannot find a file. (I can give more details about that if you need them.)

    Any help would be great!!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:22:49 AM, on 9/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O15 - Trusted Zone: http://play.toontown.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/fil...FamilyTree.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/151424a964205b3...zip/RdxIE2.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4331.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5267 bytes

  2. #2
    Junior Member
    Join Date
    Sep 2007
    Posts
    28

    More is going on now

    Now, I am getting a lot of popups for WinAntispyware2007. I hope that helps diagnose the problem.

  3. #3
    Junior Member
    Join Date
    Sep 2007
    Posts
    28

    Another HijackThis file

    Hello,
    After reading the reasons for renaming HijackThis, I went ahead and did that myself and now I have a new HijackThis file. Hopefully someone can help me get this fixed.

    Here is the new HijackThis file after I moved and renamed the program.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:18:51 AM, on 9/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\abnmecgi.exe
    C:\Program Files\Trend Micro\HijackThis\dumbie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3F7BBE01-520B-47F2-A7E7-3D1E0CEA7D54} - C:\WINDOWS\system32\vtsts.dll
    O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\System32\rqrppnl.dll (file missing)
    O2 - BHO: 0 - {FA70FCA2-9AF8-46EB-4F8A-F084FFD6CF44} - C:\Program Files\Creative\lagubikaz.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O15 - Trusted Zone: http://play.toontown.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/fil...FamilyTree.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/151424a964205b3...zip/RdxIE2.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4331.cab
    O20 - Winlogon Notify: rqrppnl - rqrppnl.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\abnmecgi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6054 bytes

  4. #4
    Junior Member
    Join Date
    Sep 2007
    Posts
    28


    I was wondering if there is anything that could maybe help me. My request has gotten pushed to the second page and I really don't know where else to go and ask for help, so please forgive me, but I didn't want my request to go unnoticed.

    Thanks!

  5. #5
    Junior Member
    Join Date
    Sep 2007
    Posts
    28


    Well I guess I have it fixed.

    Here is what I've done:

    I ran Spybot in safe mode and then had it remove everything it found.

    Then I installed and ran ARG and updated it. Then I ran it and had it delete everything it found.

    Then I ran VundoFix.exe and it deleted one file.

    Then I ran ComboFix.exe and had it delete everything it found.

    Here is what my HijackThis log (HijackThis was renamed to dumbie) says now. If anyone would like to put my mind at a little more ease and tell me if it looks clean I would really appreciate it. If anyone thinks I forgot to do something then please let me know. I'm still not completely confident that my system is clear. I'm going to reboot and then run my AV again just to be a bit more sure, but it would be nice if someone could confirm it.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:55, on 2007-09-05
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\dumbie.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: 0 - {FA70FCA2-9AF8-46EB-4F8A-F084FFD6CF44} - C:\Program Files\Creative\lagubikaz.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .mu3: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .mus: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myr: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O12 - Plugin for .myt: C:\Program Files\Internet Explorer\Plugins\NPMyrMus.dll
    O15 - Trusted Zone: http://play.toontown.com
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS....viewpoint.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.yorkphoto.com/YorkActivia.cab
    O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://aft.ancestry.com/aftfiles/fil...FamilyTree.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/151424a964205b3...zip/RdxIE2.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} - http://entimg.msn.com/client/msnmusax4331.cab
    O20 - Winlogon Notify: rqrppnl - rqrppnl.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 5705 bytes
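Worked triage of the two logs above (the post #3 log taken while the infection was active and the post #5 log taken after the clean-up), as an added example that is not part of the original thread and not a HijackThis feature. The Python below parses HijackThis-format entries, flags the classes of entry a helper looks at first (BHOs with no name, entries marked `(file missing)`, O20 Winlogon Notify hooks, O23 services with an empty vendor field, Trusted Zone additions, ActiveX downloads from a bare IP address, unfamiliar short names under system32), and diffs the earlier log against the later one to show what the clean-up removed and what is still listed. The two sample logs are constructed excerpts of the logs posted in this thread with benign lines dropped; the flagging rules and the small allow-list of familiar system32 names are my own heuristics, so a flag means "review this line", not "this is malware".

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpts in HijackThis v2.0.2 line format. Entries are copied from the
# logs posted in this thread (post #3 before clean-up, post #5 after); benign lines
# were dropped so the example stays short.
LOG_POST3 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F7BBE01-520B-47F2-A7E7-3D1E0CEA7D54} - C:\WINDOWS\system32\vtsts.dll
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\System32\rqrppnl.dll (file missing)
O2 - BHO: 0 - {FA70FCA2-9AF8-46EB-4F8A-F084FFD6CF44} - C:\Program Files\Creative\lagubikaz.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O15 - Trusted Zone: http://play.toontown.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/151424a964205b3...zip/RdxIE2.cab
O20 - Winlogon Notify: rqrppnl - rqrppnl.dll (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\abnmecgi.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

LOG_POST5 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {FA70FCA2-9AF8-46EB-4F8A-F084FFD6CF44} - C:\Program Files\Creative\lagubikaz.dll (file missing)
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O15 - Trusted Zone: http://play.toontown.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/151424a964205b3...zip/RdxIE2.cab
O20 - Winlogon Notify: rqrppnl - rqrppnl.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
ENTRY = re.compile(r"^(?P<sec>[RFO]\d+)\s+-\s+(?P<body>.*)$")
# O23 body: "Service: <display name> - <vendor> - <path>"; HijackThis prints " - - " when
# the binary carries no vendor string, so the vendor group may legitimately be empty.
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.*?) ?- (?P<path>[A-Za-z]:\\.*)$")
# Heuristic (my own, not a HijackThis rule): a 5-9 letter name directly under system32.
SYSTEM32_NAME = re.compile(r"\\system32\\([a-z]{5,9})\.(?:exe|dll)\b", re.IGNORECASE)
KNOWN_SYSTEM32 = {"smss", "winlogon", "services", "lsass", "svchost", "spoolsv",
                  "dumprep", "shdocvw", "lexbces", "lexpps"}
IP_HOST = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            out.append((m["sec"], m["body"]))
    return out


def reasons(sec: str, body: str) -> List[str]:
    """List why one entry deserves a second look; empty list means nothing stood out."""
    why = []
    if "(file missing)" in body:
        why.append("registry entry points at a file that no longer exists (orphaned)")
    if sec == "O2" and ("(no name)" in body or body.startswith("BHO: 0 -")):
        why.append("browser helper object with no name")
    if sec == "O20":
        why.append("Winlogon Notify DLL is loaded into winlogon.exe at logon")
    if sec == "O23":
        m = SERVICE.match(body)
        if m and not m["vendor"].strip():
            why.append("service with no vendor string")
    if sec == "O15":
        why.append("site added to the IE Trusted Zone (weaker browser security)")
    if sec == "O16" and IP_HOST.search(body):
        why.append("ActiveX package downloaded from a bare IP address")
    m = SYSTEM32_NAME.search(body)
    if m and m.group(1).lower() not in KNOWN_SYSTEM32:
        why.append(f"unfamiliar short name under system32: {m.group(1)}")
    return why


def triage(log: str) -> Dict[str, List[str]]:
    """Map each flagged entry (full line) to the reasons it was flagged."""
    flagged = {}
    for sec, body in parse(log):
        why = reasons(sec, body)
        if why:
            flagged[f"{sec} - {body}"] = why
    return flagged


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entries between two logs from the same machine."""
    b = {f"{s} - {x}" for s, x in parse(before)}
    a = {f"{s} - {x}" for s, x in parse(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    removed, added = diff_logs(LOG_POST3, LOG_POST5)
    print("Removed by the clean-up:")
    for e in removed:
        print("  -", e)
    print("New since the first log:", added or "none")
    print("Still worth reviewing in the later log:")
    for entry, why in triage(LOG_POST5).items():
        print("  *", entry)
        for w in why:
            print("      ", w)
```

Run against the excerpts, the diff confirms that the `vtsts.dll` BHO, the `rqrppnl.dll` BHO and the vendor-less `DomainService` entry are gone, while the triage of the later log still surfaces the orphaned `O20 - Winlogon Notify: rqrppnl` hook and the `lagubikaz.dll (file missing)` BHO: the files were deleted but their registry entries were not, which is exactly the kind of leftover a HijackThis "fix checked" pass or a ComboFix script is used to clear.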

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Could you also post the ComboFix log?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  7. #7
    Junior Member
    Join Date
    Sep 2007
    Posts
    28

    ComboFix-quarantined-files.txt

    Code:
    1995-12-22 10:16      432    --a--c---    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfx32.lic.vir
    1996-06-10 14:24      307200    --a--c---    C:\Qoobox\Quarantine\C\WINDOWS\system32\cfx32.ocx.vir
    2007-02-13 13:19      386    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\OWNER~1.TAM\Desktop\Internet.lnk.vir
    2007-04-24 12:21      9248    --a------    C:\Qoobox\Quarantine\C\Temp\1cb\syscheck.log.vir
    2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
    2007-08-07 16:30      163840    --a------    C:\Qoobox\Quarantine\C\Program Files\PhoneTools\hocyw22011.exe.vir
    2007-09-04 20:20      192580    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\twinomdt.exe.vir
    2007-09-04 20:20      930    --a------    C:\Qoobox\Quarantine\C\Temp\fse\tmpZTF.log.vir
    2007-09-04 20:24      244832    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtsts.dll.vir
    2007-09-04 20:26      6448    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ststv.bak1.vir
    2007-09-04 23:43      21    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
    2007-09-05 09:29      1981991    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ststv.bak2.vir
    2007-09-05 09:30      75328    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\abnmecgi.exe.vir
    2007-09-05 12:05      124    --a------    C:\Qoobox\BackEnv\MY PICTURES.folder.cf
    2007-09-05 12:05      135    --a------    C:\Qoobox\BackEnv\DESKTOP.folder.cf
    2007-09-05 12:05      139    --a------    C:\Qoobox\BackEnv\START MENU.folder.cf
    2007-09-05 12:05      139    --a------    C:\Qoobox\BackEnv\TEMPLATES.folder.cf
    2007-09-05 12:05      174    --a------    C:\Qoobox\BackEnv\FAVORITES.folder.cf
    2007-09-05 12:05      175    --a------    C:\Qoobox\BackEnv\PROGRAMS.folder.cf
    2007-09-05 12:05      207    --a------    C:\Qoobox\BackEnv\STARTUP.folder.cf
    2007-09-05 12:05      209    --a------    C:\Qoobox\BackEnv\PERSONAL.folder.cf
    2007-09-05 12:05      271    --a------    C:\Qoobox\BackEnv\LOCAL SETTINGS.folder.cf
    2007-09-05 12:05      306    --a------    C:\Qoobox\BackEnv\APPDATA.folder.cf
    2007-09-05 12:05      3268    --a------    C:\Qoobox\BackEnv\setpath.bat
    2007-09-05 12:05      343    --a------    C:\Qoobox\BackEnv\CACHE.folder.cf
    2007-09-05 12:05      343    --a------    C:\Qoobox\BackEnv\LOCAL APPDATA.folder.cf
    2007-09-05 12:05      369    --a------    C:\Qoobox\BackEnv\profiles.folder.cf
    2007-09-05 16:02      1098    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    2007-09-05 16:02      2016203    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ststv.ini.vir
    2007-09-05 16:02      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
    2007-09-05 16:02      832    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf
    2007-09-05 16:02      862    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf
    2007-09-05 16:03      152    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-09-05 16:03      224924    --a------    C:\Qoobox\Quarantine\catchme2007-09-05_160839.92.zip
    2007-09-05 16:13      796359    --a------    C:\Qoobox\snapshot_2007-09-05_161322.46.cf
    
    
    Folder PATH listing
    Volume serial number is C4F5-DB8C
    C:\QOOBOX
    |   snapshot_2007-09-05_161322.46.cf
    |   
    +---BackEnv
    |       APPDATA.folder.cf
    |       CACHE.folder.cf
    |       DESKTOP.folder.cf
    |       FAVORITES.folder.cf
    |       LOCAL APPDATA.folder.cf
    |       LOCAL SETTINGS.folder.cf
    |       MY PICTURES.folder.cf
    |       PERSONAL.folder.cf
    |       profiles.folder.cf
    |       PROGRAMS.folder.cf
    |       setpath.bat
    |       START MENU.folder.cf
    |       STARTUP.folder.cf
    |       TEMPLATES.folder.cf
    |       
    \---Quarantine
        |   catchme.log
        |   catchme2007-09-05_160839.92.zip
        |   
        +---C
        |   +---ComboFix
        |   |       FProps.vbs.vir
        |   |       
        |   +---DOCUME~1
        |   |   \---OWNER~1.TAM
        |   |       \---Desktop
        |   |               Internet.lnk.vir
        |   |               
        |   +---Program Files
        |   |   \---PhoneTools
        |   |           hocyw22011.exe.vir
        |   |           
        |   +---Temp
        |   |   +---1cb
        |   |   |       syscheck.log.vir
        |   |   |       
        |   |   \---fse
        |   |           tmpZTF.log.vir
        |   |           
        |   \---WINDOWS
        |       \---system32
        |               abnmecgi.exe.vir
        |               cfx32.lic.vir
        |               cfx32.ocx.vir
        |               ststv.bak1.vir
        |               ststv.bak2.vir
        |               ststv.ini.vir
        |               twinomdt.exe.vir
        |               vtsts.dll.vir
        |               zxdnt3d.cfg.vir
        |               
        \---Registry_backups
                LEGACY_CMDSERVICE.reg.cf
                LEGACY_DOMAINSERVICE.reg.cf
                LEGACY_NETWORK_MONITOR.reg.cf
                services_DomainService.reg.cf

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    That's the list of quarantined files. The log should be in the file c:\combofix.txt.

  9. #9
    Junior Member
    Join Date
    Sep 2007
    Posts
    28


    Hi ya,
    I don't see c:\combofix.txt. I just see the one I posted. Should I run ComboFix again?

    Also, now I can't open up HijackThis. Every time I do, my antivirus program (AVG) tells me that it detects worm/generic.dht and then moves the file to the vault.

    I'm so frustrated <sigh>

    I'm running Panda now (I saw other people suggest that in other threads since they (and I) cannot run Kaspersky).

    Thanks for your time!

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi

    Yes, run ComboFix again.