View Full Version : AntiVermin etc..
Howdy! I have spyware popups etc. so found thread and followed guide.
Logfile of HijackThis v1.99.1
Scan saved at 7:36:17 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
C:\windows\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: OIN Search - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - C:\Program Files\OIN Search\OINSearch.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll
BitDefender Online Scanner
Scan report generated at: Sun, Jan 21, 2007 - 17:34:09
Scan path: C:\;D:\;E:\;F:\;G:\;H:\;J:\;V:\;
Statistics
Time
02:48:32
Files
598295
Folders
10337
Boot Sectors
2
Archives
11677
Packed Files
26397
Results
Identified Viruses
7
Infected Files
12
Suspect Files
1
Warnings
0
Disinfected
0
Deleted Files
11
Engines Info
Virus Definitions
390101
Engine build
AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins
14
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\WINDOWS\system32\gwquvw.dll
Infected with: Trojan.Downloader.Agent.AEY
C:\WINDOWS\system32\gwquvw.dll
Disinfection failed
C:\WINDOWS\system32\gwquvw.dll
Delete failed
C:\Documents and Settings\slim\Local Settings\Temp\ERS4C.exe
Infected with: Trojan.Downloader.Winfixer.O
C:\Documents and Settings\slim\Local Settings\Temp\ERS4C.exe
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temp\ERS4C.exe
Deleted
C:\Documents and Settings\slim\Local Settings\Temp\is-GEU3V.tmp\plugin.exe
Suspected of: BehavesLike:Trojan.Downloader
C:\Documents and Settings\slim\Local Settings\Temp\is-GEU3V.tmp\plugin.exe
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temp\is-GEU3V.tmp\plugin.exe
Deleted
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Deleted
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab
Update failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\WinAntiVirusPro2007FreeInstall[1].exe
Infected with: Trojan.Downloader.Winfixer.O
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\WinAntiVirusPro2007FreeInstall[1].exe
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\WinAntiVirusPro2007FreeInstall[1].exe
Deleted
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.BKK
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.BKK
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\slim\Application Data\winantiviruspro2007freeinstall[1].exe
Infected with: Trojan.Downloader.Winfixer.O
C:\Documents and Settings\slim\Application Data\winantiviruspro2007freeinstall[1].exe
Disinfection failed
C:\Documents and Settings\slim\Application Data\winantiviruspro2007freeinstall[1].exe
Deleted
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Infected with: GenPack:Trojan.Downloader.Swizzor.DO
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Disinfection failed
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Deleted
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)
Update failed
C:\Program Files\eMule\Income\ebooks\Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others - Asheron's Call.zip=>Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others.exe
Infected with: Trojan.Downloader.Small.CRG
C:\Program Files\eMule\Income\ebooks\Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others - Asheron's Call.zip=>Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others.exe
Disinfection failed
C:\Program Files\eMule\Income\ebooks\Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others - Asheron's Call.zip=>Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others.exe
Deleted
C:\Program Files\eMule\Income\ebooks\Trucchi e soluzioni - Tips and Tricks for PsOne, Playstation2, PSP, xBox, GameBoy, PC, Amiga, and others - Asheron's Call.zip
Updated
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Detected with: Adware.Mywebsearch.G
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Disinfection failed
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
Deleted
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Detected with: Adware.Mywebsearch.G
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Disinfection failed
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
Delete failed
C:\Program Files\Video ActiveX Object\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.AJW
C:\Program Files\Video ActiveX Object\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\Program Files\Video ActiveX Object\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\Program Files\Video ActiveX Object\uninst.exe=>(NSIS o)
Update failed
Alright. Thanks. Anything else?
pskelley
2007-01-22, 15:21
Welcome to the forum, if you still need help and are not receiving it elsewhere, you need to know you have a very infected computer and my first suggestion is to stay offline as much as possible, this junk will attract more. If you want my help please follow the directions in the posted order.
1) I believe you have cut off the HJT log because I see no services (023) running on a Windows XP machine and this would be very unusual. When you post your next log, click on Edit then Select All. Copy and Paste all of the highlited infomation.
2) You are running MSConfig in Selective Startup mode. I need to see the logs in Normal mode for the duration of the cleanup. You may return to Selective Startup to save your resources when we are finished.
3) Among others, you have a PurityScan/OIN infection. Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN Search, OIN, OuterInfo or Need2Find Bar. Uninstall any other program you know do not belong there, if you are unsure, let me know and I will look. If you see none of those, run this uninstaller:
http://www.outerinfo.com/howto.html
4) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions:
Search: Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Once you have followed the above directions, restart the computer and post the C:\rapport.txt and a new HJT log.
Thanks
Hi. Here are online/htj/rapport scans.
BitDefender Online Scanner
Scan report generated at: Mon, Jan 22, 2007 - 16:38:15
Statistics
Time
01:38:47
Files
491894
Folders
10060
Boot Sectors
2
Archives
9131
Packed Files
25129
Results
Identified Viruses
6
Infected Files
7
Suspect Files
0
Warnings
0
Disinfected
0
Deleted Files
7
Engines Info
Virus Definitions
390332
Engine build
AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins
14
Archive plugins
38
Unpack plugins
6
E-mail plugins
6
System plugins
1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics
Yes
Enable Warnings
Yes
Scanned Extensions
*;
Exclude Extensions
Scan Emails
Yes
Scan Archives
Yes
Scan Packed
Yes
Scan Files
Yes
Scan Boot
Yes
Scanned File
Status
C:\WINDOWS\system32\gwquvw.dll
Infected with: Trojan.Downloader.Agent.AEY
C:\WINDOWS\system32\gwquvw.dll
Disinfection failed
C:\WINDOWS\system32\gwquvw.dll
Deleted
C:\Documents and Settings\slim\Local Settings\Temp\temp.frA847\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Infected with: Trojan.Downloader.Zlob.AJW
C:\Documents and Settings\slim\Local Settings\Temp\temp.frA847\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temp\temp.frA847\uninst.exe=>(NSIS o)=>lzma_solid_nsis0000
Deleted
C:\Documents and Settings\slim\Local Settings\Temp\temp.frA847\uninst.exe=>(NSIS o)
Update failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\9NS04UL4\!update-4295[1].0000
Infected with: Trojan.Downloader.PurityScan.BP
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\9NS04UL4\!update-4295[1].0000
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\9NS04UL4\!update-4295[1].0000
Deleted
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Infected with: Trojan.Downloader.Winfixer.O
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Disinfection failed
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab=>UERS_9999_N91S2507NetInstaller.exe
Deleted
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab
Update failed
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.BKK
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\slim\My Documents\download\movie2-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.BKK
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\slim\My Documents\download\movie1-1.exe=>(NSIS o)=>lzma_nsis0002=>(NSIS o)
Update failed
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Infected with: GenPack:Trojan.Downloader.Swizzor.DO
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Disinfection failed
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)=>(Instyler Module 78)
Deleted
C:\Program Files\eMule\Income\programs\netpumper-1.25.1-setup-NP_0061.exe=>(Instyler o)
Update failed
Logfile of HijackThis v1.99.1
Scan saved at 5:40:37 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
Logfile of HijackThis v1.99.1
Scan saved at 5:40:37 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
So, now I have these, what should i add/remove or anything else?
I upgraded my security to what is in the "How did I get infected..." thread"
Thanks.
Hi. I have tried some firewalls and can't seem to integrate my other computers normally shared net (dsl/router) with them. Any advice?
Thanks.
I have normal Java. should i get Sun Java? I did a toolkit test and saw how java could lead to infection.
Besides staying away from adult sites, + sites in IE-SPYAD/mvpshosts, and using full up to date "the whole works" antivirus protection, is there anything else you can do to avoid infection. If I go to a site that needs cookies enabled will AVG eliminate tracking cookie be enough? Do I need to worry about using Java for something, how do I know if it's a clean site I can trust?
I didn't see any teatimer anywhere when I opened Spybot, is it Autorun or something I have to setup? Thanks.
Hello.
Seven topics merged, please click Reply and not start new topic. ;)
Your helper's response above:
http://forums.spybot.info/showpost.php?p=65385&postcount=2
Ok, I uninstalled OIN Search, OIN, OuterInfo and Need2Find Bar, but in my AVG test
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:18:58 PM 1/22/2007
+ Scan result:
C:\Documents and Settings\slim\Local Settings\Temp\18018C.tmp -> Adware.180Solution : Ignored.
C:\Documents and Settings\slim\My Documents\download\Setup.exe -> Adware.180Solutions : Ignored.
C:\Documents and Settings\slim\Local Settings\Temp\temp.fr2C92\pmexe.cab/Points Manager.exe -> Adware.Altnet : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Ignored.
HKU\S-1-5-21-2326369520-2387590086-153489426-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Ignored.
HKU\S-1-5-21-2326369520-2387590086-153489426-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Ignored.
C:\WINDOWS\system32\P2P Networking v126.cpl -> Adware.P2PNet : Ignored.
C:\Documents and Settings\slim\Application Data\Аdobe\rυndll.exe -> Adware.PurityScan : Ignored.
C:\WINDOWS\system32\rkpmn.dll -> Adware.PurityScan : Ignored.
HKLM\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22} -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422} -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422} -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier.1 -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier.1\CLSID -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier\CLSID -> Adware.WinAntiSpyware : Ignored.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier\CurVer -> Adware.WinAntiSpyware : Ignored.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd -> Adware.WinAntiSpyware : Ignored.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd\Enum -> Adware.WinAntiSpyware : Ignored.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd\Security -> Adware.WinAntiSpyware : Ignored.
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Ignored.
C:\Documents and Settings\slim\Local Settings\Temp\!update.exe -> Downloader.PurityScan.co : Ignored.
C:\Documents and Settings\slim\Local Settings\Temp\tmp1 -> Downloader.PurityScan.co : Ignored.
C:\Documents and Settings\slim\Application Data\WіnSxS\WіnSxS\!update-4300.0000 -> Downloader.PurityScan.dx : Ignored.
C:\Documents and Settings\slim\Local Settings\Temporary Internet Files\Content.IE5\ELCSNF8G\ErrorSafeNewReleaseInstall[1].cab/UERS_9999_N91S2507NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Ignored.
C:\WINDOWS\system32\wapisvit.exe -> Trojan.Small : Ignored.
::Report end
I still have PuritySCAN By OIN. I am not doing anything else on my comp.
What to do next?
pskelley
2007-01-23, 13:26
What you need to do is read and follow the directions. Return to post #2 and complete all of those instruction and then post the information I bolded at the end of the instruction. While I may request a scan using AVG Anti-Spyware, I have yet to do this. Please post only what I ask for, you ignored the junk AVG Anti-Spyware found anyway.
Please wait until we finish the cleanup to post questions, at that point I will post links from experts, once you have read that information if you still have questions, then please post them. For now I want questions that apply to the instructions I post only and comments you think will help.
Thanks
Ok. Did you see that I did all that you asked in the post right after?
I redid my scans because I went online and I did get more viruses ( which im not now) so on post 3 is scans you wanted.
pskelley
2007-01-23, 20:52
You have not, you have such a mess from making post after post I don't even like to look there, here is what I asked for:
Once you have followed the above directions, restart the computer and post the C:\rapport.txt and a new HJT log.
and I asked for logs with MSconfig in the Normal Startup mode so I can see everything running.
Please do that in your next post and nothing else. What I want to see is bolded in black and the instructions for achieving this were in my first post.
Thanks
SmitFraudFix v2.133
Scan done at 16:32:32.95, Tue 01/23/2007
Run from C:\Documents and Settings\slim\My Documents\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\slim
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\slim\Application Data
C:\Documents and Settings\slim\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVerminser 2.1.lnk FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\slim\FAVORI~1
C:\DOCUME~1\slim\FAVORI~1\Online Security Test.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Documents and Settings\\slim\\My Documents\\TUESDAY!!!.txt"
"SubscribedURL"="C:\\Documents and Settings\\slim\\My Documents\\TUESDAY!!!.txt"
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"
[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 4:26:55 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\windows\System32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\shicoxp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
C:\Program Files\Digital Lifeline\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Registry Defender\RegistryDefender.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
C:\Program Files\Common Files\MotiveBrowser\MotiveBrowser.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video ActiveX Object\isaddon.dll (file missing)
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKLM\..\Run: [Typehidetonsace] C:\Documents and Settings\All Users\Application Data\Movecreativetypehide\kind 32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [regskindmeallite] C:\Documents and Settings\All Users\Application Data\itch new regs kind\PeakSlow.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [PowerS] C:\WINDOWSPowerS.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NI.ERS_9999_N91S2007] "C:\DOCUME~1\slim\LOCALS~1\Temp\ERS4C.exe" -nag
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [bpk] c:\program files\internet explorer\bpk.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AntiVerminser] C:\Program Files\AntiVerminser\AntiVerminser.exe /h
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [windowinside] C:\DOCUME~1\slim\APPLIC~1\FOURPL~1\DebugStop.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\slim\APPLIC~1\WNSXS~1\arpa.exe" -vt tzt
O4 - HKCU\..\Run: [ErrorSafeFree] "C:\Program Files\ErrorSafe Free\uers.exe" /min
O4 - HKCU\..\Run: [ErrorSafe] C:\Program Files\Error Safe\ERS.exe /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\Error Safe\AdwareProtector.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: RegistryDefender.lnk = C:\Program Files\Registry Defender\RegistryDefender.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Smart Reminder.lnk = C:\Program Files\Surado\Smart Contact Manager Pro\rem_dsk.exe
O4 - Global Startup: Remote.lnk = C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
O4 - Global Startup: Digital Lifeline.lnk = C:\Program Files\Digital Lifeline\bin\mpbtn.exe
O4 - Global Startup: Creating Keepsakes Scrapbook Designer Event Reminder.lnk = C:\Program Files\Scrapbook Designer\scrapremind.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - C:\WINDOWS\system32\gwquvw.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
pskelley
2007-01-24, 01:09
Thanks for returning your information, Smitfraudfix has located the infection, please follow these directions.
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
This computer is still very infected, and my best advice is to keep it offline unless you are troubleshooting until it is clean. This junk will attract more. I think you even have a LOP/C2 Media infection usually caused by downloading the sponsor programs along with MessengerPlus. It is going to take a while to get all of this junk. Please follow the directions exactly.
Open Start > Control Panel > Add Remove programs and uninstall PuritySCAN By OIN, OIN or OuterInfo, MessengerPlus (if there), zango, MyWebSearch, Kazaa and I srongly suggest you uninstall LimeWire. Please also uninstall any programs you know do not belong there.
Restart the computer and then carefully follow these directions:
Thanks to sUBs and anyone who helped with this fix.
1. Download ComboFix.exe using either of these links:
* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Post the C:\Report.txt from the "Clean" function in Smitfraudfix, the Combofix log, and a new HJT log.
Thanks
SmitFraudFix v2.133
Scan done at 20:33:16.64, Tue 01/23/2007
Run from C:\Documents and Settings\slim\My Documents\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"
[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\Documents and Settings\slim\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVerminser 2.1.lnk Deleted
C:\DOCUME~1\slim\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
SmitFraudFix v2.133
Scan done at 20:33:16.64, Tue 01/23/2007
Run from C:\Documents and Settings\slim\My Documents\download\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8d8c2387-7f80-4022-9be6-43630a969558}"="carbinyl"
[HKEY_CLASSES_ROOT\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8d8c2387-7f80-4022-9be6-43630a969558}\InProcServer32]
@="C:\WINDOWS\system32\gwquvw.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\Documents and Settings\slim\Application Data\Microsoft\Internet Explorer\Quick Launch\AntiVerminser 2.1.lnk Deleted
C:\DOCUME~1\slim\FAVORI~1\Online Security Test.url Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 10:49:56 PM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\shicoxp.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\windows\System32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKLM\..\Run: [Typehidetonsace] C:\Documents and Settings\All Users\Application Data\Movecreativetypehide\kind 32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [regskindmeallite] C:\Documents and Settings\All Users\Application Data\itch new regs kind\PeakSlow.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWSPowerS.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [bpk] c:\program files\internet explorer\bpk.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKLM\..\Run: [MSConfig] C:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [windowinside] C:\DOCUME~1\slim\APPLIC~1\FOURPL~1\DebugStop.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\slim\APPLIC~1\WNSXS~1\arpa.exe" -vt tzt
O4 - HKCU\..\Run: [ErrorSafeFree] "C:\Program Files\ErrorSafe Free\uers.exe" /min
O4 - HKCU\..\Run: [ErrorSafe] C:\Program Files\Error Safe\ERS.exe /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\Error Safe\AdwareProtector.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Remote.lnk = C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
I'm really sorry. I didn't mean to make a new post I read post a new log and i was thinking new post was new thread, sorry.
I made a new thread accidentally
pskelley
2007-01-24, 14:04
1) This HJT log was created while MSConfig (System Configuration Utility) was in Selective Started Mode???
O4 - HKLM\..\Run: [MSConfig] C:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Place MSConfig in Normal Mode and leave it there until we are done.
2) Where is the log from combofix? If you have not run combofix, return to the last instructions I posted in #16 and follow them. Once you have the combofix log, then restart the computer and post the combofix log and a HJT log while MSConfig is running in Normal Startup Mode. Do not make the HJT log until after a reboot once you have run combofix and please use POST REPLY to place this information in your topic.
Thanks
"slim" - 07-01-24 15:57:32 Service Pack 2
ComboFix 07-01-23.2 - Running from: "C:\Documents and Settings\slim\My Documents\download"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\WINDOWS\ICROSO~1
C:\qoobox\purity\WINDOWS\system32\DOBE~1
C:\qoobox\purity\WINDOWS\system32\FNTS~1
C:\qoobox\purity\Program Files\SMBOLS~1
C:\qoobox\purity\Program Files\Common Files\MCROSO~1.NET
C:\qoobox\purity\Program Files\Common Files\YSTEM~1
C:\qoobox\purity\DOCUME~1\slim
C:\qoobox\purity\DOCUME~1\slim\Application Data
C:\qoobox\purity\DOCUME~1\slim\My Documents
C:\qoobox\purity\DOCUME~1\slim\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\slim\Application Data\DOBE~1
C:\qoobox\purity\DOCUME~1\slim\Application Data\ICROSO~1
C:\qoobox\purity\DOCUME~1\slim\Application Data\WNSXS~1
C:\qoobox\purity\DOCUME~1\slim\Application Data\STEM32~1
C:\qoobox\purity\DOCUME~1\slim\Application Data\WNSXS~1\W?nSxS
C:\qoobox\purity\DOCUME~1\slim\Application Data\WNSXS~1\W?nSxS\!update-4300.0000
C:\qoobox\purity\DOCUME~1\slim\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\slim\My Documents\SMBOLS~1
C:\qoobox\purity\DOCUME~1\slim\My Documents\FNTS~1
((((((((((((((((((((((((((((((( Files Created from 2006-12-24 to 2007-01-24 ))))))))))))))))))))))))))))))))))
2007-01-23 22:47 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-23 22:47 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-23 22:47 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-23 22:47 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-23 22:47 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-23 22:47 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-22 18:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-22 17:50 7,830 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-22 14:54 <DIR> d-------- C:\DOCUME~1\slim\SmitfraudFix
2007-01-22 01:15 3,120 --a------ C:\WINDOWS\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
2007-01-22 01:13 <DIR> d-------- C:\Program Files\AARONS CLIKER
2007-01-22 00:12 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-01-21 21:34 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-21 21:32 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-01-21 20:59 <DIR> d-------- C:\Program Files\HOSTS Secure
2007-01-21 20:50 21,312 --a------ C:\WINDOWS\choice.exe
2007-01-21 20:43 <DIR> d-------- C:\ie-spyad2
2007-01-21 20:35 <DIR> d-------- C:\Program Files\SpywareGuard
2007-01-21 20:30 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-01-21 19:28 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-21 14:43 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-21 11:36 <DIR> d-------- C:\Program Files\Registry Defender
2007-01-20 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-20 14:25 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-20 14:23 <DIR> d-------- C:\DOCUME~1\slim\.housecall6.6
2007-01-17 15:52 <DIR> d-------- C:\DOCUME~1\slim\Application Data\AVG7
2007-01-17 15:50 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-17 03:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Avg7
2007-01-11 17:35 <DIR> d-------- C:\DOCUME~1\slim\Application Data\ZangoToolbar
2007-01-11 17:34 39,936 --a------ C:\npclntax.dll
2007-01-11 13:50 <DIR> d-------- C:\DOCUME~1\slim\Application Data\Viewpoint
2007-01-10 03:00 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-07 22:55 28,672 --a------ C:\WINDOWS\system32\f3PSSavr.scr
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-12-19 01:30 2 --a------ C:\WINDOWS\system32\wapisvit.exe
2006-12-15 22:08 -------- d-------- C:\Program Files\windows live toolbar
2006-12-07 17:11 -------- d-------- C:\Program Files\yahoo!
2006-11-23 15:59 131072 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --a------ C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --a------ C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --a------ C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --a------ C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Rguzmxn"="C:\\Documents and Settings\\slim\\Application Data\\?dobe\\r?ndll.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"windowinside"="C:\\DOCUME~1\\slim\\APPLIC~1\\FOURPL~1\\DebugStop.exe"
"tbon"="C:\\Program Files\\TBONBin\\tbon.exe /r"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\SIMPLE~1\\PHOTOS~1\\data\\Xtras\\mssysmgr.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Ltho"="\"C:\\DOCUME~1\\slim\\APPLIC~1\\WNSXS~1\\arpa.exe\" -vt tzt"
"ErrorSafeFree"="\"C:\\Program Files\\ErrorSafe Free\\uers.exe\" /min"
"ErrorSafe"="C:\\Program Files\\Error Safe\\ERS.exe /min"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"AdwareProtector"="C:\\Program Files\\Error Safe\\AdwareProtector.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"My Web Search Bar Search Scope Monitor"="\"C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\m3SrchMn.exe\" /m=0"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"zBrowser Launcher"="C:\\Program Files\\Logitech\\iTouch\\iTouch.exe"
"zango"="\"c:\\program files\\zango\\zango.exe\""
"WinDVR SchSvr"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"was_check"="C:\\Program Files\\ErrorSafe Free\\PASmon.exe"
"VTTimer"="VTTimer.exe"
"VC5Player"="C:\\Program Files\\HHVcdV5Sys\\VC5Play.exe"
"UERScw"="C:\\Program Files\\ErrorSafe Free\\UERScw.exe -c"
"Typehidetonsace"="C:\\Documents and Settings\\All Users\\Application Data\\Movecreativetypehide\\kind 32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"SoundMan"="SOUNDMAN.EXE"
"shicoxp"="C:\\WINDOWS\\shicoxp.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl04b\\BrStDvPt.exe"
"SemanticInsight"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"regskindmeallite"="C:\\Documents and Settings\\All Users\\Application Data\\itch new regs kind\\PeakSlow.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"PowerS"="C:\\WINDOWSPowerS.exe"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""
"PaperPort PTD"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
"NetPumper"="\"C:\\Program Files\\NetPumper\\NetPumperIEProxy.exe\""
"Logitech Utility"="Logi_MwX.Exe"
"KernelFaultCheck"="%systemroot%\\system32\\dumprep 0 -k"
"KAZAA"="C:\\Program Files\\Kazaa\\kazaa.exe /SYSTRAY"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"IndexSearch"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1141366775\\ee\\AOLSoftware.exe"
"FLMK08KB"="C:\\Program Files\\Muiltmedia keyboard utility\\1.1\\MMKEYBD.EXE"
"ControlCenter2.0"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"bpk"="c:\\program files\\internet explorer\\bpk.exe"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"AltnetPointsManager"="c:\\program files\\altnet\\points manager\\points manager.exe -s"
"AIMPro"="\"C:\\Program Files\\AIM\\AIM Pro\\aimpro.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NCUpdateSvc"=dword:00000002
"AOL ACS"=dword:00000002
"AVGEMS"=dword:00000002
"tmproxy"=dword:00000002
"Tmntsrv"=dword:00000002
"PcCtlCom"=dword:00000002
"SPBBCSvc"=dword:00000002
"Avg7UpdSvc"=dword:00000002
"Avg7Alrt"=dword:00000002
"iPodService"=dword:00000003
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B9E618A2-A4FE-11D4-83C2-005004636C96}"="OE Shell Hook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"none"="C:\\Program Files\\Video ActiveX Object\\pmsngr.exe"
"isamini.exe"="C:\\Program Files\\Video ActiveX Object\\isamonitor.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\20571B429E30F2BA.job
C:\WINDOWS\tasks\A0B27DE1918DFCAD.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
Completion time: 07-01-24 16:00:17
C:\ComboFix2.txt ... 07-01-23 22:43
Logfile of HijackThis v1.99.1
Scan saved at 4:11:54 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\shicoxp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKLM\..\Run: [Typehidetonsace] C:\Documents and Settings\All Users\Application Data\Movecreativetypehide\kind 32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [regskindmeallite] C:\Documents and Settings\All Users\Application Data\itch new regs kind\PeakSlow.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWSPowerS.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [bpk] c:\program files\internet explorer\bpk.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [windowinside] C:\DOCUME~1\slim\APPLIC~1\FOURPL~1\DebugStop.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\slim\APPLIC~1\WNSXS~1\arpa.exe" -vt tzt
O4 - HKCU\..\Run: [ErrorSafeFree] "C:\Program Files\ErrorSafe Free\uers.exe" /min
O4 - HKCU\..\Run: [ErrorSafe] C:\Program Files\Error Safe\ERS.exe /min
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\Error Safe\AdwareProtector.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Remote.lnk = C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
pskelley
2007-01-25, 00:27
1) Download NoLop to your Desktop from here:
http://www.spywareedge.net/nolop/NoLop.exe
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it.
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
(Hold those logs until we finish)
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.
http://www.boletrice.com/downloads/mscomctl.ocx
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
5) SpywareGuard: Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.
This item >> O4 - HKLM\..\Run: [bpk] c:\program files\internet explorer\bpk.exe looks like a keylogger. If you installed it on purpose you can leave it.
http://www.castlecops.com/startuplist-449.html <<< see that information
6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
O2 - BHO: (no name) - {0715DA17-50E1-6C32-820B-7C09AB902983} - C:\DOCUME~1\dee\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: (no name) - {756C6024-725F-B361-DBA2-673273EDCD38} - C:\DOCUME~1\slim\APPLIC~1\STUPID~1\Poke Gram.exe (file missing)
O2 - BHO: (no name) - {F9A8E80B-52E9-5946-9B69-7FE55C1F1792} - C:\WINDOWS\system32\rkpmn.dll (file missing)
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=0
O4 - HKLM\..\Run: [zango] "c:\program files\zango\zango.exe"
O4 - HKLM\..\Run: [was_check] C:\Program Files\ErrorSafe Free\PASmon.exe
O4 - HKLM\..\Run: [UERScw] C:\Program Files\ErrorSafe Free\UERScw.exe -c
O4 - HKLM\..\Run: [Typehidetonsace] C:\Documents and Settings\All Users\Application Data\Movecreativetypehide\kind 32.exe
O4 - HKLM\..\Run: [SemanticInsight] C:\Program Files\RXToolBar\Semantic Insight\SemanticInsight.exe
O4 - HKLM\..\Run: [regskindmeallite] C:\Documents and Settings\All Users\Application Data\itch new regs kind\PeakSlow.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: c:\program files\internet explorer\bpk.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKCU\..\Run: [Rguzmxn] C:\Documents and Settings\slim\Application Data\?dobe\r?ndll.exe
O4 - HKCU\..\Run: [windowinside] C:\DOCUME~1\slim\APPLIC~1\FOURPL~1\DebugStop.exe
O4 - HKCU\..\Run: [tbon] C:\Program Files\TBONBin\tbon.exe /r
O4 - HKCU\..\Run: [Ltho] "C:\DOCUME~1\slim\APPLIC~1\WNSXS~1\arpa.exe" -vt tzt
O4 - HKCU\..\Run: [ErrorSafeFree] "C:\Program Files\ErrorSafe Free\uers.exe" /min G
O4 - HKCU\..\Run: [ErrorSafe] C:\Program Files\Error Safe\ERS.exe /min
O4 - HKCU\..\Run: [AdwareProtector] C:\Program Files\Error Safe\AdwareProtector.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Download with NetPumper - C:\Program Files\NetPumper\AddUrl.htm
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
Close all programs but HJT and all browser windows, then click on "Fix Checked"
7) RIGHT Click on Start then click on Explore. Locate and delete these items:
c:\program files\internet explorer\bpk.exe <<< delete that file
C:\Program Files\TBONBin\ <<< delete that folder
c:\program files\altnet\ <<< delete that folder
C:\Program Files\Kazaa\ <<< delete that folder
C:\Program Files\RXToolBar\ <<< delete that folder
C:\PROGRAM FILES~1\MYWEBSEARCH~1\ <<< delete that folder
C:\Program Files\Error Safe\ <<< delete that folder
C:\Program Files\ErrorSafe Free\ <<< delete that folder
c:\program files\zango\ <<< delete that folder
C:\Documents and Settings\All Users\Application Data\Movecreativetypehide\ <<< delete that folder
C:\Documents and Settings\All Users\Application Data\itch new regs kind\ <<< delete that folder
C:\Documents and Settings\slim\Application Data\?dobe\ <<< delete that folder
C:\DOCUMENTS AND SETTINGS~1\slim\APPLIC~1\FOURPL~1\ <<< delete that folder
C:\DOCUMEENTS AND SETTINGS~1\slim\APPLIC~1\WNSXS~1\ <<< delete that folder
8) Follow the instructions in this link, update and run AVG Anti-Spyware making sure you [B]delete or at least quarantine anything it locates. Save the scan report, I must see it.
http://forums.security-central.us/showthread.php?t=3165
9) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the contents of C:\NoLop.log, the AVG Anti-Spyware scan results and a new HJT log.
Thanks
In my c:\program files\internet explorer\ I see a bpk.dat not bpk.exe?
pskelley
2007-01-25, 01:23
Pass over that for now, when you finish and post the logs I requested, post any comments you have you think will help. If we have an issue with that item, we will tackle it at that point.
Thanks
I was not able to find the (1) following directories and (2) delete these files/folders.
1)
C:\PROGRAM FILES~1
C:\DOCUMENTS AND SETTINGS~1\slim\APPLIC~1
2)
c:\program files\internet explorer\bpk.exe <<< delete that file
C:\Program Files\TBONBin\ <<< delete that folder
c:\program files\altnet\ <<< delete that folder
C:\Program Files\RXToolBar\ <<< delete that folder
C:\PROGRAM FILES~1\MYWEBSEARCH~1\ <<< delete that folder
C:\Program Files\Error Safe\
C:\Program Files\ErrorSafe Free\
c:\program files\zango\
C:\Documents and Settings\slim\Application Data\?dobe\
C:\DOCUMENTS AND SETTINGS~1\slim\APPLIC~1\FOURPL~1\
C:\DOCUMENTS AND SETTINGS~1\slim\APPLIC~1\WNSXS~1\
3)
I did delete C:\Documents and Settings\slim\Application Data\Error Safe
pskelley
2007-01-25, 01:28
If you followed the instructions in number 2 to show all hidden files and folders, you will see them if they are there. If you did not follow the instructions you may not see them. I suggest you look at the instructions carefully, because if they are still in the next log, you will have to search for each file/folder using search companion until you find them. If they are on the computer that must go before you will have a clean computer.
Thanks
I have hidden folders shown but they were not there.
NoLop! Log by Skate_Punk_21
Fix running from: C:\Documents and Settings\slim
[1/24/2007]
[5:36:09 PM]
---Infection Files Found/Removed---
C:\WINDOWS\tasks\20571B429E30F2BA.job
C:\WINDOWS\tasks\A0B27DE1918DFCAD.job
Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**
---Listing AppData sub directories---
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\7100series
C:\Documents and Settings\Default User\Application Data\Ulead Systems
C:\Documents and Settings\Default User\Application Data\Intervideo
C:\Documents and Settings\Default User\Application Data\Leadertech
C:\Documents and Settings\Default User\Application Data\Simple Star
C:\Documents and Settings\Default User\Application Data\Adobe
C:\Documents and Settings\Default User\Application Data\Intertrust
C:\Documents and Settings\Default User\Application Data\Expensable
C:\Documents and Settings\Default User\Application Data\Macromedia
C:\Documents and Settings\Default User\Application Data\Intuit
C:\Documents and Settings\Default User\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Default User\Application Data\Mozilla
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Aol
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Netscape Internet Service -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Intuit
C:\Documents and Settings\All Users\Application Data\Individual Software
C:\Documents and Settings\All Users\Application Data\Broderbund Software
C:\Documents and Settings\All Users\Application Data\Broderbund Llc
C:\Documents and Settings\All Users\Application Data\Intervideo
C:\Documents and Settings\All Users\Application Data\Ulead Systems
C:\Documents and Settings\All Users\Application Data\Brother
C:\Documents and Settings\All Users\Application Data\Scansoft
C:\Documents and Settings\All Users\Application Data\Aol Downloads
C:\Documents and Settings\All Users\Application Data\Itch New Regs Kind
C:\Documents and Settings\All Users\Application Data\Vmware
C:\Documents and Settings\All Users\Application Data\Sectaskman
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Movecreativetypehide
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
C:\Documents and Settings\All Users\Application Data\Aol Ocp
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Vmware -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Slim\Application Data\Identities
C:\Documents and Settings\Slim\Application Data\Mozilla
C:\Documents and Settings\Slim\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Slim\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Slim\Application Data\Intuit
C:\Documents and Settings\Slim\Application Data\Macromedia
C:\Documents and Settings\Slim\Application Data\Expensable
C:\Documents and Settings\Slim\Application Data\Intertrust
C:\Documents and Settings\Slim\Application Data\Adobe
C:\Documents and Settings\Slim\Application Data\Simple Star
C:\Documents and Settings\Slim\Application Data\Leadertech
C:\Documents and Settings\Slim\Application Data\Intervideo
C:\Documents and Settings\Slim\Application Data\Ulead Systems
C:\Documents and Settings\Slim\Application Data\7100series
C:\Documents and Settings\Slim\Application Data\Microsoft
C:\Documents and Settings\Slim\Application Data\Aladdin Systems
C:\Documents and Settings\Slim\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Slim\Application Data\Acccore
C:\Documents and Settings\Slim\Application Data\Kazaa Lite
C:\Documents and Settings\Slim\Application Data\Brother
C:\Documents and Settings\Slim\Application Data\Fourplatformbait
C:\Documents and Settings\Slim\Application Data\Real
C:\Documents and Settings\Slim\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Slim\Application Data\Sun
C:\Documents and Settings\Slim\Application Data\Aim
C:\Documents and Settings\Slim\Application Data\Stupidremotefind -- EMPTY Directory
C:\Documents and Settings\Slim\Application Data\Corel
C:\Documents and Settings\Slim\Application Data\Imvu
C:\Documents and Settings\Slim\Application Data\Apple Computer
C:\Documents and Settings\Slim\Application Data\Skype
C:\Documents and Settings\Slim\Application Data\Divx
C:\Documents and Settings\Slim\Application Data\Error Safe
C:\Documents and Settings\Slim\Application Data\Viewpoint
C:\Documents and Settings\Slim\Application Data\Zangotoolbar
C:\Documents and Settings\Slim\Application Data\Avg7
C:\Documents and Settings\Owner\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Moo\Application Data\Identities
C:\Documents and Settings\Moo\Application Data\Mozilla
C:\Documents and Settings\Moo\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Moo\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Moo\Application Data\Intuit
C:\Documents and Settings\Moo\Application Data\Macromedia
C:\Documents and Settings\Moo\Application Data\Expensable
C:\Documents and Settings\Moo\Application Data\Intertrust
C:\Documents and Settings\Moo\Application Data\Adobe
C:\Documents and Settings\Moo\Application Data\Simple Star
C:\Documents and Settings\Moo\Application Data\Leadertech
C:\Documents and Settings\Moo\Application Data\Intervideo
C:\Documents and Settings\Moo\Application Data\Ulead Systems
C:\Documents and Settings\Moo\Application Data\7100series
C:\Documents and Settings\Moo\Application Data\Microsoft
C:\Documents and Settings\Moo\Application Data\Aladdin Systems
C:\Documents and Settings\Moo\Application Data\Zylom
C:\Documents and Settings\Moo\Application Data\Brother
C:\Documents and Settings\Moo\Application Data\Real
C:\Documents and Settings\Moo\Application Data\Vmware
C:\Documents and Settings\Moo\Application Data\Help
C:\Documents and Settings\Moo\Application Data\Fourplatformbait
C:\Documents and Settings\Moo\Application Data\Sun
C:\Documents and Settings\Moo\Application Data\Paradoxlost
C:\Documents and Settings\Moo\Application Data\Novatix
C:\Documents and Settings\Moo\Application Data\Lavasoft
C:\Documents and Settings\Moo\Application Data\Aim
C:\Documents and Settings\Moo\Application Data\Folder Guard
C:\Documents and Settings\Dee\Application Data\Identities
C:\Documents and Settings\Dee\Application Data\Mozilla
C:\Documents and Settings\Dee\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Dee\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Dee\Application Data\Intuit
C:\Documents and Settings\Dee\Application Data\Macromedia
C:\Documents and Settings\Dee\Application Data\Expensable
C:\Documents and Settings\Dee\Application Data\Intertrust
C:\Documents and Settings\Dee\Application Data\Adobe
C:\Documents and Settings\Dee\Application Data\Simple Star
C:\Documents and Settings\Dee\Application Data\Leadertech
C:\Documents and Settings\Dee\Application Data\Intervideo
C:\Documents and Settings\Dee\Application Data\Ulead Systems
C:\Documents and Settings\Dee\Application Data\7100series
C:\Documents and Settings\Dee\Application Data\Microsoft
C:\Documents and Settings\Dee\Application Data\Real
C:\Documents and Settings\Dee\Application Data\Aim
C:\Documents and Settings\Dee\Application Data\Acccore
C:\Documents and Settings\Dee\Application Data\Fourplatformbait
C:\Documents and Settings\Dee\Application Data\Stupidremotefind -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Mozilla
C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
C:\Documents and Settings\Administrator\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Intuit
C:\Documents and Settings\Administrator\Application Data\Macromedia
C:\Documents and Settings\Administrator\Application Data\Expensable
C:\Documents and Settings\Administrator\Application Data\Intertrust
C:\Documents and Settings\Administrator\Application Data\Adobe
C:\Documents and Settings\Administrator\Application Data\Simple Star
C:\Documents and Settings\Administrator\Application Data\Leadertech
C:\Documents and Settings\Administrator\Application Data\Intervideo
C:\Documents and Settings\Administrator\Application Data\Ulead Systems
C:\Documents and Settings\Administrator\Application Data\7100series
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Real
C:\Documents and Settings\Administrator\Application Data\Sun
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:32:41 PM 1/24/2007
+ Scan result:
C:\Documents and Settings\slim\My Documents\download\Setup.exe -> Adware.180Solutions : Cleaned.
HKU\S-1-5-21-2326369520-2387590086-153489426-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} -> Adware.Generic : Cleaned.
HKU\S-1-5-21-2326369520-2387590086-153489426-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} -> Adware.Generic : Cleaned.
C:\WINDOWS\system32\P2P Networking v126.cpl -> Adware.P2PNet : Cleaned.
HKLM\SOFTWARE\Classes\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22} -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422} -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422} -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier.1 -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier.1\CLSID -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier\CLSID -> Adware.WinAntiSpyware : Cleaned.
HKLM\SOFTWARE\Classes\wasfsd.CreationNotifier\CurVer -> Adware.WinAntiSpyware : Cleaned.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd -> Adware.WinAntiSpyware : Cleaned.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd\Enum -> Adware.WinAntiSpyware : Cleaned.
HKLM\SYSTEM\CurrentControlSet\Services\wasfsd\Security -> Adware.WinAntiSpyware : Cleaned.
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll -> Adware.Zango : Cleaned.
C:\QooBox\Purity\DOCUME~1\slim\Application Data\WNSXS~1\WіnSxS\!update-4300.0000 -> Downloader.PurityScan.dx : Cleaned.
C:\WINDOWS\system32\wapisvit.exe -> Trojan.Small : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 7:47:57 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\shicoxp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.shopnbc.com"); (C:\Documents and Settings\slim\Application Data\Mozilla\Profiles\default\raq4smzi.slt\prefs.js)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Metamail IEPlugin - {C09C9904-FD44-11D6-A711-00105AC8F168} - C:\PROGRA~1\METAMA~1\METAMA~1\IEPlugIn.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWSPowerS.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [NetPumper] "C:\Program Files\NetPumper\NetPumperIEProxy.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141366775\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AIMPro] "C:\Program Files\AIM\AIM Pro\aimpro.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Remote.lnk = C:\Program Files\TV Station\PlayTV MPEG2\PVRemote.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\slim\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095850444328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162429477000
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.tricksteronline.com/control/KALogoutComponent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E4FB635-06D6-4C91-9883-61EE971506C4}: NameServer = 192.168.1.1
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
pskelley
2007-01-25, 03:11
You may use HJT to remove this line if you wish:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
That's optional, it is not malware.
Your Java program is out of date and a security risk, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date, download the newest version and uninstall all old versions in Add Remove programs.
I see you run SpywareGuard, here is a link to another excellant program from the same folks that I run, and tutorials for it and SG:
SpywareBlaster
http://www.bleepingcomputer.com/forums/tutorial49.html
SpywareGuard:
http://www.bleepingcomputer.com/forums/tutorial50.html
You may keep ATF-Cleaner if you wish, but please delete from your computer all other tools we used during the cleanup. The other exception is AVG Anti-Spyware and I will cover it in a moment.
This HJT log appears clean of malware, how is the computer running now? You had severe infections, we need to clean your System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Thanks, everything is working much better now, running faster.
Two more things. Is Windows Defender active when I X it out?
I have two computers hooked up to share internet. I'm not sure if router has a firewall, We couldn't figure out how to set the firewalls we tried so that it was up without blocking net. Thanks
pskelley
2007-01-25, 13:19
I do not see Windows Defender in the last HJT log you posted. You will need to read the information frem experts I posted and choose something before the AVG Anti-Spyware trial ends when it will no longer offer any realtime protection and should be turned off or uninstalled (I suggest you turn it off and keep the free scanner, updates are free and you can scan on demand) SpywareGuard will help but you need an a good spyware program. At least Windows Defender was free. Read the links I provided for expert opinions.
You will need to look at the specifications of your router to see if it has a firewall, some do and some don't depending on the price, here are some faq's: http://www.firewallguide.com/faq.htm If it does not, choose and install something, I personally do not believe the WindowsXP SP2 firewall is enough protection. This is just one opinion, Google for more if you need them: http://www.tech-recipes.com/rx/561/xp_sp2_firewall_zone_alarm
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=configure+shared+connection+firewalls
Hope that helps
Glad we could help, as the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
Cheers.