winlogon.exe and malware



Tortel
2007-05-11, 04:56
My sister's laptop is having problems with winlogon.exe and some malware. The CPU usage is usually never below 40%, and it's annoying me quite a lot. There is also another malware thing (I'll edit this and add its name in a min) but Windows Defender can't delete it. I tried scanning with Symantec AntiVirus, but it gets an error before it starts. Here is the HJT log:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:48:28 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Jana\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jana\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\system32\opnkjgg.dll
O2 - BHO: (no name) - {56056D42-708D-48E7-870A-BA92D3A95808} - C:\WINDOWS\system32\qlhcdvds.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {86B62EC5-6553-4F26-8460-77156A94590D} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\umrajvgn.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-21-2549120338-1780426688-1109837833-1006\..\Run: [SetDefaultMIDI] MIDIDef.exe (User 'Jana Warner')
O4 - HKUS\S-1-5-21-2549120338-1780426688-1109837833-1006\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R (User 'Jana Warner')
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll
O20 - Winlogon Notify: opnkjgg - C:\WINDOWS\SYSTEM32\opnkjgg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9994 bytes

---------------------------------

Ok, I apologize for the second post but apparently I can't edit my first post. The name of the malware that I can't remove is "win32/virtumonde.gen", and it is some exe file in the \system32\ folder starting with B. One other thing I have tried is SDFix, and that didn't help much, if at all.


Angelfire777
2007-05-11, 05:48
Hi, welcome to Safer Networking forums!

Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While on your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamite). Then, drag and drop that file to the new folder you created.

_______________

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Tortel
2007-05-11, 06:52
VundoFix log (I had to run it 3 times, twice in safe mode and once at bootup):


VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 11:20:39 PM 5/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\opnkjgg.dll
C:\WINDOWS\system32\umrajvgn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\bbeeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opnkjgg.dll
C:\WINDOWS\system32\opnkjgg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\umrajvgn.dll
C:\WINDOWS\system32\umrajvgn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 11:28:02 PM 5/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\opnkjgg.dll
C:\WINDOWS\system32\wnfxvvuv.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebb.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\opnkjgg.dll
C:\WINDOWS\system32\opnkjgg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wnfxvvuv.dll
C:\WINDOWS\system32\wnfxvvuv.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 11:33:50 PM 5/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\opnkjgg.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnkjgg.dll
C:\WINDOWS\system32\opnkjgg.dll Has been deleted!

Performing Repairs to the registry.
Done!

----------------------------

HJT Log (This is the correct version now, if you want a v2 just ask):

Logfile of HijackThis v1.99.1
Scan saved at 11:52:39 PM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.56/trafc-2/rfe.php?cmp=vm_mg_ff_h&nid=ik&uid=285066b6ef9d11db9942003048895bfc&guid=802d1a5b+dff1692788e64eaaa097460b7e65289b&affid=66953&lid=&url=
O2 - BHO: (no name) - {00F59937-A1F4-4950-BA3F-4AFE88175192} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {56056D42-708D-48E7-870A-BA92D3A95808} - C:\WINDOWS\system32\qlhcdvds.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\qembgani.dll",realset
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--------------------------------

And I did notice the lack of popups now, but I haven't run Windows normally yet.

Angelfire777
2007-05-11, 07:10
Next time please post a HijackThis log taken from normal mode.

Hi,

Did you install a program called WinPcap on your system?

*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!

*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune

Do not use it yet.


*Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. Viewpoint Manager is considered foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

If you decided to remove Viewpoint,

Please download Viewpoint Killer (http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip)

Save it to your Desktop
Create a new folder on your desktop by right clicking on the background > New > Folder > name the folder Viewpoint Killer
Unzip the contents of the zip file to the newly created folder.
Open the Viewpoint Killer folder then run ViewpointKiller, and select File > Do All Killings.
Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with.
A logfile will be created in the folder you unzipped ViewpointKiller to, please copy and paste the contents of the logfile here.

___________________

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {00F59937-A1F4-4950-BA3F-4AFE88175192} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {56056D42-708D-48E7-870A-BA92D3A95808} - C:\WINDOWS\system32\qlhcdvds.dll (file missing)
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\qembgani.dll",realset
O15 - Trusted Zone: *.adxgate.net (HKLM)
O15 - Trusted Zone: *.errorprotector.com (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.snipenet.net (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


*Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.


*Using Windows Explorer, find and delete these files:

C:\WINDOWS\system32\qembgani.dll
C:\WINDOWS\poolsv.exe

Empty your recycle bin.
____________________

*Important: Make sure all your browsers are closed before running ATF Cleaner.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

*Please run AVG AntiSpyware, and run a full scan as follows:

IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning; it may interfere with the scanning process.

Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.


*Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u1 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.

On your next reply, please include a fresh HijackThis log, AVG Antispyware log and a description of how your machine is running.
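The entries the helper singled out above follow a handful of patterns a reviewer of HJT logs learns to look for: wildcard O15 Trusted Zone domains, O2 BHOs with no name or a missing file, an O4 autorun that uses rundll32 to load an oddly named DLL straight out of system32, an autorun binary (poolsv.exe) whose name is one letter away from the real spoolsv.exe, an O20 Winlogon Notify DLL that is not a known package (which also explains why VundoFix could not delete geebb.dll and opnkjgg.dll in normal mode: Notify DLLs are loaded into winlogon.exe), and a ShellNext URL pointing at a bare IP address. The script below is an added example written for this thread; it is not part of HijackThis, VundoFix or any post in the thread. The allowlist of Notify packages, the list of core process names and the scoring rules are assumptions made here for illustration, and the sample log is an excerpt of the log lines posted above (one URL shortened).

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not code from HijackThis or from any
poster.  Rules, allowlists and sample input are the example's own.
"""
import re
from dataclasses import dataclass

# Winlogon Notify packages present in the cleaned log above.  Assumed
# allowlist for this example; anything else loads into winlogon.exe and
# deserves a look.
KNOWN_NOTIFY = {"navlogon", "wgalogon"}

# Core Windows process names (assumed list).  An autorun binary one edit
# away from one of these (spoolsv.exe vs poolsv.exe) is a lookalike.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    reasons: list


def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]      # one substitution
    return a[i:] == b[i + 1:]             # one insertion/deletion


def reversed_ini_name(dll_basename: str) -> str:
    """Companion .ini name with the DLL stem reversed, the pairing the
    VundoFix log above shows (geebb.dll alongside bbeeg.ini)."""
    stem = dll_basename.lower().rsplit(".", 1)[0]
    return stem[::-1] + ".ini"


def _paths(body: str) -> list:
    """Drive-letter paths in an entry: quoted ones first (may contain spaces),
    then unquoted tokens, cut at whitespace or the rundll32 comma."""
    quoted = re.findall(r'"([A-Za-z]:\\[^"]+)"', body)
    rest = re.sub(r'"[^"]*"', " ", body)
    unquoted = re.findall(r'[A-Za-z]:\\[^\s,]+', rest)
    return quoted + unquoted


def analyze_line(line: str) -> list:
    """Return the list of reasons an HJT line looks suspicious (empty if none)."""
    reasons = []
    m = re.match(r"(R\d|O\d+) - (.*)", line.strip())
    if not m:
        return reasons
    kind, body = m.groups()
    if kind == "O15" and "Trusted Zone" in body:
        reasons.append("Trusted Zone entry: a wildcard domain bypasses IE zone restrictions")
    elif kind == "O2":
        if body.startswith("BHO: (no name)"):
            reasons.append("BHO with no name")
        if body.endswith("(file missing)"):
            reasons.append("BHO whose DLL is missing (orphaned registration)")
    elif kind == "O4":
        paths = _paths(body)
        if "rundll32" in body.lower() and any(
                re.search(r"\\system32\\[^\\]+\.dll$", p, re.IGNORECASE) for p in paths):
            # A DLL loaded by rundll32 from a system32 *subfolder* (printer
            # driver spool path) is left alone; only system32 itself is flagged.
            reasons.append("rundll32 autorun loading a DLL directly from system32")
        for p in paths:
            name = p.rsplit("\\", 1)[-1].lower()
            if name not in CORE_PROCESSES and any(
                    edit_distance_le1(name, c) for c in CORE_PROCESSES):
                reasons.append(f"{name} is a lookalike of a core system process name")
    elif kind == "O20" and body.startswith("Winlogon Notify:"):
        pkg = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if pkg not in KNOWN_NOTIFY:
            reasons.append(f"Winlogon Notify package '{pkg}' not in allowlist; "
                           f"it is loaded by winlogon.exe, so it resists deletion in normal mode")
    elif kind.startswith("R") and re.search(r"https?://\d{1,3}(?:\.\d{1,3}){3}", body):
        reasons.append("URL whose host is a bare IP address")
    return reasons


def triage(log_text: str) -> list:
    """Run analyze_line over a whole log and collect the flagged entries."""
    return [Finding(ln.strip(), r) for ln in log_text.splitlines() if (r := analyze_line(ln))]


# Excerpt of the HJT lines posted in this thread (ShellNext URL shortened).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00F59937-A1F4-4950-BA3F-4AFE88175192} - C:\WINDOWS\system32\geebb.dll (file missing)
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\qembgani.dll",realset
O15 - Trusted Zone: *.winfixer.com (HKLM)
O20 - Winlogon Notify: geebb - C:\WINDOWS\system32\geebb.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.56/trafc-2/rfe.php?cmp=vm_mg_ff_h
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run it as a script and it prints each flagged entry with its reasons; the Acrobat BHO, the printer-driver rundll32 line and the NavLogon Notify package come out clean, which is the same split the helper made by hand. The rules are deliberately simple allowlists and string patterns, so treat a hit as a prompt to look closer, not a verdict.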

tashi
2007-05-18, 07:29
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you Angelfire777.

tashi
2007-05-20, 20:40
Re-opened upon request. :)

Tortel
2007-05-20, 21:10
Sorry about the delay. Here are the logs from AVG AS and HJT:

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:47 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\JANAWA~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mugglenet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcd_device - - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

-------------------------------------------------------------

I am updating Java now, and I may remove Viewpoint later. It seems to be running smoother, but I am not sure how well it runs in the first place...

Tortel
2007-05-20, 21:17
AVG Anti-Spyware - Scan Report

+ Created at: 1:18:14 PM 5/20/2007

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP388\A0036360.dll -> Adware.BHO :
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0038739.dll -> Adware.Virtumonde :
C:\VundoFix Backups\opnkjgg.dll.bad -> Adware.Virtumonde :
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP388\A0036334.exe -> Downloader.PurityScan.eg :
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP388\A0036354.exe -> Downloader.PurityScan.eg :
C:\SDFix\backups\backups.zip/backups/xloadnet.exe -> Downloader.VB.wz :
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP391\A0037518.exe -> Downloader.VB.wz :
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP391\A0037528.exe -> Downloader.VB.wz :
:mozilla.224:cookies.txt -> TrackingCookie.247realmedia :
:mozilla.225:cookies.txt -> TrackingCookie.247realmedia :
:mozilla.226:cookies.txt -> TrackingCookie.247realmedia :
:mozilla.227:cookies.txt -> TrackingCookie.247realmedia :
:mozilla.228:cookies.txt -> TrackingCookie.247realmedia :
:mozilla.159:cookies.txt -> TrackingCookie.2o7 :
:mozilla.160:cookies.txt -> TrackingCookie.2o7 :
:mozilla.161:cookies.txt -> TrackingCookie.2o7 :
:mozilla.162:cookies.txt -> TrackingCookie.2o7 :
:mozilla.163:cookies.txt -> TrackingCookie.2o7 :
:mozilla.164:cookies.txt -> TrackingCookie.2o7 :
:mozilla.165:cookies.txt -> TrackingCookie.2o7 :
:mozilla.166:cookies.txt -> TrackingCookie.2o7 :
:mozilla.167:cookies.txt -> TrackingCookie.2o7 :
:mozilla.168:cookies.txt -> TrackingCookie.2o7 :
:mozilla.169:cookies.txt -> TrackingCookie.2o7 :
:mozilla.170:cookies.txt -> TrackingCookie.2o7 :
:mozilla.171:cookies.txt -> TrackingCookie.2o7 :
:mozilla.172:cookies.txt -> TrackingCookie.2o7 :
:mozilla.173:cookies.txt -> TrackingCookie.2o7 :
:mozilla.174:cookies.txt -> TrackingCookie.2o7 :
:mozilla.175:cookies.txt -> TrackingCookie.2o7 :
:mozilla.176:cookies.txt -> TrackingCookie.2o7 :
:mozilla.177:cookies.txt -> TrackingCookie.2o7 :
:mozilla.178:cookies.txt -> TrackingCookie.2o7 :
:mozilla.179:cookies.txt -> TrackingCookie.2o7 :
:mozilla.180:cookies.txt -> TrackingCookie.2o7 :
:mozilla.181:cookies.txt -> TrackingCookie.2o7 :
:mozilla.182:cookies.txt -> TrackingCookie.2o7 :
:mozilla.183:cookies.txt -> TrackingCookie.2o7 :
:mozilla.184:cookies.txt -> TrackingCookie.2o7 :
:mozilla.185:cookies.txt -> TrackingCookie.2o7 :
:mozilla.186:cookies.txt -> TrackingCookie.2o7 :
:mozilla.187:cookies.txt -> TrackingCookie.2o7 :
:mozilla.188:cookies.txt -> TrackingCookie.2o7 :
:mozilla.189:cookies.txt -> TrackingCookie.2o7 :
:mozilla.190:cookies.txt -> TrackingCookie.2o7 :
:mozilla.191:cookies.txt -> TrackingCookie.2o7 :
:mozilla.192:cookies.txt -> TrackingCookie.2o7 :
:mozilla.193:cookies.txt -> TrackingCookie.2o7 :
:mozilla.194:cookies.txt -> TrackingCookie.2o7 :
:mozilla.195:cookies.txt -> TrackingCookie.2o7 :
:mozilla.196:cookies.txt -> TrackingCookie.2o7 :
:mozilla.197:cookies.txt -> TrackingCookie.2o7 :
:mozilla.198:cookies.txt -> TrackingCookie.2o7 :
:mozilla.199:cookies.txt -> TrackingCookie.2o7 :
:mozilla.200:cookies.txt -> TrackingCookie.2o7 :
:mozilla.201:cookies.txt -> TrackingCookie.2o7 :
:mozilla.202:cookies.txt -> TrackingCookie.2o7 :
:mozilla.203:cookies.txt -> TrackingCookie.2o7 :
:mozilla.204:cookies.txt -> TrackingCookie.2o7 :
:mozilla.205:cookies.txt -> TrackingCookie.2o7 :
:mozilla.206:cookies.txt -> TrackingCookie.2o7 :
:mozilla.207:cookies.txt -> TrackingCookie.2o7 :
:mozilla.288:cookies.txt -> TrackingCookie.2o7 :
:mozilla.509:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.510:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.513:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.615:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.619:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.628:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.789:cookies.txt -> TrackingCookie.Adbrite :
:mozilla.131:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.132:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.133:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.134:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.135:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.136:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.137:cookies.txt -> TrackingCookie.Adrevolver :
:mozilla.725:cookies.txt -> TrackingCookie.Adtech :
:mozilla.726:cookies.txt -> TrackingCookie.Adtech :
:mozilla.35:cookies.txt -> TrackingCookie.Advertising :
:mozilla.43:cookies.txt -> TrackingCookie.Advertising :
:mozilla.44:cookies.txt -> TrackingCookie.Advertising :
:mozilla.45:cookies.txt -> TrackingCookie.Advertising :
:mozilla.46:cookies.txt -> TrackingCookie.Advertising :
C:\Documents and Settings\Jana Warner\Cookies\jana warner@advertising[2].txt -> TrackingCookie.Advertising :
:mozilla.120:cookies.txt -> TrackingCookie.Atdmt :
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hb46zsfo.default\cookies.txt -> TrackingCookie.Atdmt :
:mozilla.52:cookies.txt -> TrackingCookie.Atdmt :
C:\Documents and Settings\Jana Warner\Cookies\jana warner@atdmt[2].txt -> TrackingCookie.Atdmt :
:mozilla.485:cookies.txt -> TrackingCookie.Bfast :
:mozilla.538:cookies.txt -> TrackingCookie.Bluestreak :
:mozilla.605:cookies.txt -> TrackingCookie.Burstnet :
:mozilla.606:cookies.txt -> TrackingCookie.Burstnet :
:mozilla.607:cookies.txt -> TrackingCookie.Burstnet :
:mozilla.53:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.54:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.55:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.56:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.57:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.58:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.59:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.60:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.61:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.62:cookies.txt -> TrackingCookie.Casalemedia :
:mozilla.511:cookies.txt -> TrackingCookie.Com :
:mozilla.512:cookies.txt -> TrackingCookie.Com :
:mozilla.634:cookies.txt -> TrackingCookie.Cpvfeed :
:mozilla.637:cookies.txt -> TrackingCookie.Cpvfeed :
:mozilla.638:cookies.txt -> TrackingCookie.Cpvfeed :
:mozilla.639:cookies.txt -> TrackingCookie.Cpvfeed :
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed :
:mozilla.36:cookies.txt -> TrackingCookie.Doubleclick :
C:\Documents and Settings\Jana Warner\Cookies\jana warner@doubleclick[1].txt -> TrackingCookie.Doubleclick :
:mozilla.709:cookies.txt -> TrackingCookie.Euroclick :
:mozilla.710:cookies.txt -> TrackingCookie.Euroclick :
:mozilla.712:cookies.txt -> TrackingCookie.Euroclick :
:mozilla.800:cookies.txt -> TrackingCookie.Falkag :
:mozilla.801:cookies.txt -> TrackingCookie.Falkag :
:mozilla.802:cookies.txt -> TrackingCookie.Falkag :
:mozilla.803:cookies.txt -> TrackingCookie.Falkag :
:mozilla.26:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.27:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.28:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.29:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.30:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.31:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.32:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.33:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.34:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.37:cookies.txt -> TrackingCookie.Fastclick :
:mozilla.755:cookies.txt -> TrackingCookie.Googleadservices :
:mozilla.539:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.540:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.541:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.542:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.543:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.544:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.660:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.664:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.665:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.760:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.761:cookies.txt -> TrackingCookie.Hitbox :
:mozilla.644:cookies.txt -> TrackingCookie.Hitslink :
:mozilla.471:cookies.txt -> TrackingCookie.Imrworldwide :
:mozilla.472:cookies.txt -> TrackingCookie.Imrworldwide :
:mozilla.345:cookies.txt -> TrackingCookie.Liveperson :
:mozilla.346:cookies.txt -> TrackingCookie.Liveperson :
:mozilla.282:cookies.txt -> TrackingCookie.Mediaplex :
C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt -> TrackingCookie.Mediaplex :
:mozilla.494:cookies.txt -> TrackingCookie.Overture :
:mozilla.495:cookies.txt -> TrackingCookie.Overture :
:mozilla.496:cookies.txt -> TrackingCookie.Overture :
:mozilla.394:cookies.txt -> TrackingCookie.Paypal :
:mozilla.314:cookies.txt -> TrackingCookie.Pointroll :
:mozilla.315:cookies.txt -> TrackingCookie.Pointroll :
:mozilla.316:cookies.txt -> TrackingCookie.Pointroll :
:mozilla.317:cookies.txt -> TrackingCookie.Pointroll :
:mozilla.318:cookies.txt -> TrackingCookie.Pointroll :
:mozilla.319:cookies.txt -> TrackingCookie.Pointroll :
C:\Documents and Settings\Jana Warner\Cookies\jana warner@ads.pointroll[2].txt -> TrackingCookie.Pointroll :
:mozilla.255:cookies.txt -> TrackingCookie.Questionmarket :
:mozilla.256:cookies.txt -> TrackingCookie.Questionmarket :
:mozilla.257:cookies.txt -> TrackingCookie.Questionmarket :
:mozilla.258:cookies.txt -> TrackingCookie.Questionmarket :
:mozilla.121:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.122:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.123:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.124:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.125:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.126:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.127:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.128:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.129:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.130:cookies.txt -> TrackingCookie.Realmedia :
:mozilla.233:cookies.txt -> TrackingCookie.Revsci :
:mozilla.234:cookies.txt -> TrackingCookie.Revsci :
:mozilla.235:cookies.txt -> TrackingCookie.Revsci :
:mozilla.237:cookies.txt -> TrackingCookie.Revsci :
:mozilla.238:cookies.txt -> TrackingCookie.Revsci :
:mozilla.239:cookies.txt -> TrackingCookie.Revsci :
:mozilla.240:cookies.txt -> TrackingCookie.Revsci :
:mozilla.241:cookies.txt -> TrackingCookie.Revsci :
:mozilla.242:cookies.txt -> TrackingCookie.Revsci :
:mozilla.243:cookies.txt -> TrackingCookie.Revsci :
:mozilla.244:cookies.txt -> TrackingCookie.Revsci :
:mozilla.245:cookies.txt -> TrackingCookie.Revsci :
:mozilla.246:cookies.txt -> TrackingCookie.Revsci :
:mozilla.247:cookies.txt -> TrackingCookie.Revsci :
:mozilla.248:cookies.txt -> TrackingCookie.Revsci :
:mozilla.249:cookies.txt -> TrackingCookie.Revsci :
:mozilla.250:cookies.txt -> TrackingCookie.Revsci :
:mozilla.251:cookies.txt -> TrackingCookie.Revsci :
:mozilla.285:cookies.txt -> TrackingCookie.Revsci :
C:\Documents and Settings\Jana Warner\Cookies\jana warner@revsci[2].txt -> TrackingCookie.Revsci :
:mozilla.580:cookies.txt -> TrackingCookie.Ru4 :
:mozilla.582:cookies.txt -> TrackingCookie.Ru4 :
:mozilla.694:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.695:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.696:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.697:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.698:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.699:cookies.txt -> TrackingCookie.Serving-sys :
:mozilla.291:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.292:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.293:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.294:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.295:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.296:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.297:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.298:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.299:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.300:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.301:cookies.txt -> TrackingCookie.Specificclick :
:mozilla.10:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.11:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.12:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.13:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.14:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.15:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.16:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.17:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.18:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.19:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.20:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.21:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.6:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.7:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.8:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.9:cookies.txt -> TrackingCookie.Statcounter :
:mozilla.272:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.273:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.274:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.276:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.277:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.278:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.552:cookies.txt -> TrackingCookie.Tacoda :
:mozilla.302:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.303:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.304:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.305:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.306:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.307:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.308:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.309:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.310:cookies.txt -> TrackingCookie.Trafficmp :
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hb46zsfo.default\cookies.txt -> TrackingCookie.Tribalfusion :
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\hb46zsfo.default\cookies.txt -> TrackingCookie.Tribalfusion :
:mozilla.290:cookies.txt -> TrackingCookie.Tribalfusion :
:mozilla.629:cookies.txt -> TrackingCookie.Valuead :
:mozilla.630:cookies.txt -> TrackingCookie.Valuead :
:mozilla.631:cookies.txt -> TrackingCookie.Valuead :
:mozilla.632:cookies.txt -> TrackingCookie.Valuead :
:mozilla.633:cookies.txt -> TrackingCookie.Valuead :
:mozilla.636:cookies.txt -> TrackingCookie.Valuead :
:mozilla.729:cookies.txt -> TrackingCookie.Yadro :
:mozilla.259:cookies.txt -> TrackingCookie.Yieldmanager :
:mozilla.260:cookies.txt -> TrackingCookie.Yieldmanager :
:mozilla.261:cookies.txt -> TrackingCookie.Yieldmanager :
:mozilla.262:cookies.txt -> TrackingCookie.Yieldmanager :
:mozilla.311:cookies.txt -> TrackingCookie.Zedo :
:mozilla.312:cookies.txt -> TrackingCookie.Zedo :
:mozilla.313:cookies.txt -> TrackingCookie.Zedo :


::Report end

I had to cut out the path to the Firefox profile and the 'No action taken', it was 2-3 times too long. All cookies were deleted, others quarantined.
If you want a full log, it will have to be by email or pastebin.

Shaba
2007-05-29, 19:36
Hi Tortel

Please post next a fresh HijackThis log :)

Shaba
2007-06-05, 07:52
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.