View Full Version : Help with Perfect Keylogger
QueenMom
2007-01-01, 06:40
Hi -
I've been battling Perfect Keylogger for awhile. It was installed about 18 months ago and I got it removed...but now I'm having several issues and depending on which scan I run, it says the keylogger is back. (Very slow running, all my passwords were changed when I got online a few days ago, not being able to connect to the Internet)
I tried running Panda Activescan twice - the first time it disappeared after about 1 1/2 hours and the second time it disappeared after about 8 hours. Both times it listed 16 errors under "spyware".
One of the things I installed this weekend (before finding Spybot S&D) is Spyware Doctor. That program says I do have the keylogger - I have a copy of that log as well if you'd like to see it.
Thanks in advance for any information and help!!
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 10:16:47 PM, on 12/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\AntiSpy\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee Privacy Service Popup Blocker - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [OASClnt] "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPSExe] "c:\PROGRA~1\mcafee.com\mps\mscifapp.exe" /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] "C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124431282776
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Oh yeah - and as a final question...Every time I shut down my computer a window pops up that's called "HiddenShellIcon" - and it gives me the option of ending now or canceling. Could that have anything to do with the keylogger - or is that something else entirely?
Thanks again - I'm afraid to think of the trouble I might cause if you guys weren't around and willing to help!! :bow:
Hi QueenMom and welcome to the forums :)
Here is my speech in case of a keylogger:
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
==============
Ok so the pc is running slow. You have (2) antiviruses installed and running, AVG Antivirus McAfee. Running more that one antivirus at the same time causes all kinds of problems and is NOT recommended. This is what makes your computer so slow.
You have (2) firewalls installed and running, AVG and ZoneAlarm. Running more that one firewall at the same time causes all kinds of problems and is NOT recommended. Your problems with internet are propably caused by this.
So the first thing is to get rid of al the extra programs. You should leave only one firewall and one antivirus running. It would be simplest to just leave AVG Antivirus & Firewall running and remove McAfee & ZoneAlarm. But this is of course your choice.
So my recommendation is that you remove ZonaAlarm and McAfee via Control Panel, Add/Remove Programs.. The restart the computer and notice the difference.
==========
Are you using this LogMeIn (https://secure.logmein.com) remote control software ?
=========
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
==================
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
QueenMom
2007-01-01, 15:54
Mr_JAk3 -
Thank you SO much for your post and help. I'm going to follow your instructions as soon as I finish this post - but I have a couple of questions.
* I've tried to remove McAfee several times...but can't. After reading your post I tried again - but continue to get this message: In order to uninstall McAfee Privacy Service, you must be logged in as the Administrator of McAfee Privacy Service.
[showing my total ignorance here] McAfee is not active right now and hasn't been for a few months. I'm not the one who held the McAfee account. I don't have access to that account (username & password on McAfee's website) - and the subscription has lapsed. Any ideas how to remove it?
* Before removing ZoneAlarm...AVG is a trial version - I installed it when I was trying to clean all this up. Should I subscribe to AVG and then uninstall ZoneAlarm? I've had ZoneAlarm since I originally began battling this keylogger, as the tech dept at my old job told me to download it after getting the keylogger off. My question to you - do you feel subscribing to AVG (and uninstalling ZoneAlarm) is a better way to go? (I'll follow your advice - I just wanted to clarify.) :)
* LogMeIn - No, I don't use it. I originally installed it because a friend asked me to. He's out of state and used it to help me fix issues on my computer. But since the infection of the impossible-to-remove keylogger, I'm scared to give anyone access to my machine - even people I know. Since I don't use it, is it better to get rid of it?
Thank you for all your help. I'm in awe of you and Tashi!
Happy New Year,
The Queen :crowned:
:::off to follow your instructions:::
Hi :)
* I've tried to remove McAfee several times...but can't. After reading your post I tried again - but continue to get this message: In order to uninstall McAfee Privacy Service, you must be logged in as the Administrator of McAfee Privacy Service.
[showing my total ignorance here] McAfee is not active right now and hasn't been for a few months. I'm not the one who held the McAfee account. I don't have access to that account (username & password on McAfee's website) - and the subscription has lapsed. Any ideas how to remove it?
Ok, seems that you haven't logged in with an administrator account. Can't you log into a account that has administrative rights ?
* Before removing ZoneAlarm...AVG is a trial version - I installed it when I was trying to clean all this up. Should I subscribe to AVG and then uninstall ZoneAlarm? I've had ZoneAlarm since I originally began battling this keylogger, as the tech dept at my old job told me to download it after getting the keylogger off. My question to you - do you feel subscribing to AVG (and uninstalling ZoneAlarm) is a better way to go? (I'll follow your advice - I just wanted to clarify.)
Ok there is also a free version of AVG which is good. You could you ZoneAlarm and the free AVG so that you wouldn't have to pay. Just remember that one firewall and one antivirus :)
* LogMeIn - No, I don't use it. I originally installed it because a friend asked me to. He's out of state and used it to help me fix issues on my computer. But since the infection of the impossible-to-remove keylogger, I'm scared to give anyone access to my machine - even people I know. Since I don't use it, is it better to get rid of it?
Yes we may remove it if you don't use it :)
Let's see what Dr.Web CureIt is able to find :bigthumb:
QueenMom
2007-01-02, 06:56
Hey Mr_JAk3 :)
Sorry it took an eon for the DrWeb CureIt scan! Before I enclose the logs you requested, I wanted to let you know I did some "research" and figured out how to remove McAfee. (I surprised even myself by figuring this out!!) I misunderstood what it meant by "administrator" - I thought it meant the person who held the username/password to the McAfee account. I am the admin of my computer - I just never use that account. (I have admin privileges under the account I always use...I just don't use the account technically called "Administrator"...in fact, I always forget it's even there.)
In case you want to make sure I uninstalled it correctly, here's a link to the directions I followed: http://ts.mcafeehelp.com/?siteID=1&resolution=1024x768.
Since I got followed the instructions to get rid of McAfee, I'm not getting the annoying pop-ups when I boot my machine - and the icon is gone in my system tray. However, I am now getting a new pop up when I boot that says I don't have a firewall installed, leaving my network vulnerable. :blink: What have I done wrong now?
Ok...onto the logs...(Wondering if I screwed up the DrWeb CureIt Log since it saved in Excel)
DRWEB CUREIT LOG
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
dnary.mdb;C:\WINDOWS\system32\ias;Probably SCRIPT.Virus;Incurable.Moved.;
HJT LOG - VERSION 2
Logfile of HijackThis v1.99.1
Scan saved at 9:19:52 PM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\AntiSpy\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124431282776
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
At the risk of making you totally crazy, do you see Perfect Keylogger in any of these logs? If not, why is it showing up in some scans and not others? (Which is what happened when I originally found it - several programs/scans didn't find it and then all of a sudden POOF! It popped up - and had been installed for a couple of months at that point.) Is it normal for different programs to find different "bugs" - and for some not to find things like keyloggers?
Thanks again - I appreciate everything you've done to help me! :flowers:
Hi :)
No I can't see any visible signs of a keylogger but those usually hide..if some scanner is detecting it, could you please post that part of the log to here.
Then, please use that administrator account in the cleaning process.
I can see some leftovers from McAfee so we'll remove those too. Also the ZoneAlarm firewall seems to be up and running.
Please remove the old version of Ewido anti-spyware 4.0 via Control Panel -> Add/Remove programs
We'll install the latest version, AVG Anti-Spyware 7.5 soon.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
==================
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
Open Notepad and copy the following lines into a new document:
@echo off
sc stop "McAfee WSC Integration"
sc delete "McAfee WSC Integration"
sc stop "McAfee SecurityCenter Update Manager"
sc delete "McAfee SecurityCenter Update Manager"
Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted. A window will open and close, this is normal.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
c:\program files\mcafee.com
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- the logs that find keylogger on you pc
QueenMom
2007-01-03, 22:36
Hey :)
My apologies for taking so long to get back to this...I have finally completed everything.
The AVG scan found nothing.
HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 2:21:25 PM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Documents and Settings\CR\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\AntiSpy\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124431282776
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\CR\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
KEYLOGGER LOG (found by SPYWARE DOCTOR
Scan Results:
scan start: 12/31/2006 7:00:14 PM
scan stop: 12/31/2006 8:42:54 PM
scanned items: 119311
found items: 98
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@123count[2].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@237246[1].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@44183334[1].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@52021626[1].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@59062074[1].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@62486853[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@74613876[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@76226072[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@abcnews.go[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@addictedtorubberstamps[1].txt Low
Advertising C:\Documents and Settings\CR\Cookies\cr@ads.addesktop[1].txt Low
Common Components for Claria C:\Documents and Settings\CR\Cookies\cr@belnk[1].txt Elevated
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@cgi-bin[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@CGI-BIN[3].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@ct.360i[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@disney.go[1].txt Low
Common Components for Claria C:\Documents and Settings\CR\Cookies\cr@dist.belnk[2].txt Elevated
Known Bad Sites C:\Documents and Settings\CR\Cookies\cr@focalex[2].txt High
Rogue Anti-Spyware Products C:\Documents and Settings\CR\Cookies\cr@freeze[1].txt High
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@go[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@m.webtrends[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@pricegrabber[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@psc.disney.go[1].txt Low
Starware C:\Documents and Settings\CR\Cookies\cr@recipe[1].txt Low
Rogue Anti-Spyware Products C:\Documents and Settings\CR\Cookies\cr@register.freeze[1].txt High
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@rsi.abcnews.go[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@rubbertreestamps[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@survey.otxresearch[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@www.abcnews.go[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@www.disney.go[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@www.gozingsurveys[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\CR\Cookies\cr@xiti[1].txt Low
Tracking Cookie(s) cookies.txt - Line #30 Low
Tracking Cookie(s) cookies.txt - Line #31 Low
Tracking Cookie(s) cookies.txt - Line #32 Low
Tracking Cookie(s) cookies.txt - Line #33 Low
Tracking Cookie(s) cookies.txt - Line #34 Low
Tracking Cookie(s) cookies.txt - Line #44 Low
Tracking Cookie(s) cookies.txt - Line #45 Low
Tracking Cookie(s) cookies.txt - Line #47 Low
Tracking Cookie(s) cookies.txt - Line #48 Low
Tracking Cookie(s) cookies.txt - Line #60 Low
Tracking Cookie(s) cookies.txt - Line #70 Low
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A} High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}## High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\ProxyStubClsid High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\ProxyStubClsid## High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\ProxyStubClsid32 High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\ProxyStubClsid32## High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\TypeLib High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\TypeLib## High
Perfect Keylogger HKCR\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}\TypeLib##Version High
Perfect Keylogger HKCR\SS.SS.1 High
Perfect Keylogger HKCR\SS.SS.1## High
Perfect Keylogger HKCR\SS.SS.1\CLSID High
Perfect Keylogger HKCR\SS.SS.1\CLSID## High
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87 Low
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87## Low
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87\Implemented Categories Low
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87\Implemented Categories## Low
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87\Implemented Categories\{2AFFA3D6-217B-4A69-8B18-71A01B2A732B} Low
HotBar HKCU\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87\Implemented Categories\{2AFFA3D6-217B-4A69-8B18-71A01B2A732B}## Low
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
(Note: I did uncheck "word wrap" in the text file before copying this...I didn't remove anything because I didn't know if it was supposed to be there.)
Thank you for your continued help - and for making all the instructions very clear and easy to follow!
Ok good, we'll get rid of the nastie leftovers...
Disable the leftover services
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to McAfee WSC Integration (McDetect.exe)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Scroll down to McAfee SecurityCenter Update Manager (mcupdmgr.exe)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; McDetect.exe
Answer Yes
Press Delete an NT service again.
Copy the following line to the box and press OK; mcupdmgr.exe
Answer Yes
Close HIjackThis
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_CLASSES_ROOT\Interface\{1D1B2878-99FF-11E3-8D96-D7ACAC95952A}]
[-HKEY_CLASSES_ROOT\SS.SS.1]
[-HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\98154D9215813D11F8DE723CF4D17D87]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Restart your computer.
Run a new scan with SpywareDoctor and post the log to here if it finds something. Also post a fresh HijackThis log
:bigthumb:
QueenMom
2007-01-05, 21:03
Hey - I hope you've had a good week. Sick kids are keeping me from concentrating on this as much as I'd like to - and I apologize for not responding more quickly.
I ran the Spyware Doctor report and the keylogger appears to be gone.
Scan Results:
scan start: 1/5/2007 10:50:43 AM
scan stop: 1/5/2007 12:20:13 PM
scanned items: 174045
found items: 48
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner
Infection Name Location Risk
Advertising cookies.txt - Line #104 Low
Tracking Cookie(s) cookies.txt - Line #20 Low
Tracking Cookie(s) cookies.txt - Line #38 Low
Tracking Cookie(s) cookies.txt - Line #39 Low
Tracking Cookie(s) cookies.txt - Line #40 Low
Advertising cookies.txt - Line #42 Low
Advertising cookies.txt - Line #43 Low
Tracking Cookie(s) cookies.txt - Line #54 Low
Tracking Cookie(s) cookies.txt - Line #55 Low
Advertising cookies.txt - Line #63 Low
Advertising cookies.txt - Line #64 Low
Advertising cookies.txt - Line #65 Low
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD## Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD##NextInstance Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000 Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000## Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Capabilities Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Class Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##ClassGUID Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##ConfigFlags Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##DeviceDesc Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Legacy Elevated
WinFixer HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD\0000##Service Elevated
And here is the latest HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 10:36:04 AM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Documents and Settings\CR\My Documents\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\AntiSpy\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\Cardbus F5D7010\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: *.alpineaccess.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124431282776
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.21.10/ttinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - LMIinit.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Documents and Settings\CR\My Documents\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
What do you think?
QueenMom
2007-01-05, 21:08
Sorry - I can't figure out how to edit my last post. I forgot to ask you - do you know why I keep getting the pop up box titled "ShellIconHiddenWindow" every time I shut down my machine? It gives me the options to "end now" or "cancel". It just showed up one day and has been there for a couple of months now.
Hi, looks better :)
Still something in the log that we'll get rid of.
Now we will remove the Service from the Registry. Maybe all of the following entries wont be present. If you don't find a key, proceed to the next key.
Click Start then Run
Type in regedit
Click Ok.
In left pane of registry editor, Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DF_KMD
If LEGACY_DF_KMD exists then right click on it and choose Delete from the menu.
If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritible permissions and press copy. Click on everyone and put a checkmark in full control, press apply and ok and attempt to delete the key again.
Repeat the above procedure for these if found (although you might not find the service listed in those keys):
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DF_KMD
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DF_KMD
Restart the computer and run SpywareDoctor again. If it finds something, post the log to here.
=========
Then the "ShellIconHiddenWindow" error seems to be caused by the MusicMatch software you have installed. Something about the error here (http://www.wilderssecurity.com/showthread.php?t=65316). Uninstalling and dowloading & installing the latest version propably helps.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
:bigthumb:
How is it going QueenMom. :)
This topic is closed due to lack of a response.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.