MsMaverick
2007-07-14, 06:37
Hello,
I'm new to these forums. Thank you in advance for your assistance. You folks have set up a remarkable resource for help here.
An HJT log is included at the end of this post.
Here is a bit of history first:
Computer problems started on 7/8/2007, after... <gulp, I'll be honest>... I downloaded and ran a file I shouldn't have. I have included a log of events Zone Alarm recorded at that time, which might show detail helpful for assessment. According to Zone Alarm alerts, the file RETADPU2000352.EXE attempted several suspicious actions that I at first allowed (big mistake) then blocked. I have since searched for and deleted all instances of RETADPU2000*.EXE manually. I then performed scans with the following programs, not necessarily in the order listed and after loading updates for latest definitions (...too late for immunization, darn it).
1) SPYBOT - found and fixed these four items, related to Virtumonde:
Virtumonde: Text file - C:\WINDOWS\wr.txt
Virtumonde: Settings - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
Virtumonde: Executable - C:\Documents and Settings\Owner\Local Settings\Temp\removalfile.bat
Virtumonde: Library - C:\WINDOWS\SYSTEM32\winopn32.dll
I have performed SpyBot checks a few times since, including once in SafeMode, and no problems were found.
2) AVG FREE - found and deleted
C:\Temporary Internet Files\ContentIE5\WT270927\adfcook[1]
3) Zone Alarm's anti-spyware tool (no problems found),
4) Symantec's Virtumonde Removal Tool (found nothing).
5) Attempted a system restore to a point before infection. Windows was unable to perform the restore.
6) Attempted to run Trend Micro's online scanner several times. Getting the scan to start was unsuccessful.
_______________________________________________________________________________________
7) Ran eTrust's online scanner with the following results:
eTrust Antivirus Web Scanner
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx
Scanned July 13, 2007 ~ 1:20 AM
Virus scan finished. No viruses found.
Scan Results: Scan Completed. 106470 files scanned. No viruses found.
File Infection Status Path
- No Infections
Scanned again - July 13, 2007 ~ 1:32AM
Virus scan finished. No viruses found.
Scan Results: Scan Completed. 106440 files scanned. No viruses found.
File Infection Status Path
- No Infections
________________________________________________________________________________________
The following symptoms persist:
Each time the computer is started, and without a connection to the internet, 'something' tries to load a web page in IE and cannot detect an internet connection. A dialog presents the option for connecting to the internet or staying offline. For a few days, selecting "Stay Offline" seemed to prevent 'evil' pop-ups. Now, no matter what I select (even offline), a web page opens in IE - unless I do not respond to the dialog "Web page unavailable while offline" and leave it open. When the computer is connected to the internet, a dialog appears with a goofy "celebrity" offer (same one each time), then bogus web pages open related to web content that I have legitimately loaded. For instance, during an online virus scan, bogus security-related pages open in new windows or tabs, using whichever browser I'm using at the time. The pop-ups seem to become more frequent with increased internet connection time.
Here is an example of the type of URL that the 'something' loads:
http://llehs.com/go//?cmp=nm_ff_ron&uid=ca3f910e2db411dc9b2af67602ffffff&nid=ba&guid=cfcdc779c8af4e8988b853f4b4efc876&url=http:%2F%2Fwww.lavasoft.com%2Fsupport%2Fsecuritycenter%2Fvirtumonde_remover.php&affid=67602&lid=http>
________________________________________________________________________________________
ZONE ALARM LOG AT SUSPECTED TIME OF INFECTION:
ZoneAlarm Logging Client v6.1.744.001
Windows XP-5.1.2600-Service Pack 2-SP
type,date,time,source,destination,transport (Security)
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
OSFW,2007/07/08,08:14:46 -5:00 GMT,UNKNOWN(0),Outlook Express,C:\Program Files\Outlook Express\msimn.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\Adobe\ACROBAT 7.0\Reader\AcroRd32.exe,d4a76939-ab8aad4a-fbfb4cec-cf2628fd,f625d71-3418736f
OSFW,2007/07/08,08:21:10 -5:00 GMT,UNKNOWN(0),Internet Explorer,C:\Program Files\Internet Explorer\iexplore.exe,PROCESS,SPAWNPROCESS,SRC,C:\PROGRAM FILES\Adobe\ACROBAT 7.0\Reader\AcroRd32.exe,d4a76939-ab8aad4a-fbfb4cec-cf2628fd,f625d71-3418736f
OSFW,2007/07/08,19:31:38 -5:00 GMT,UNKNOWN(0),Firefox,C:\PROGRAM FILES\MOZILLA FIREFOX\firefox.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\explorer.exe,a0732187-050030ae-399b2414-36565e64,14-36565e64,6d336-d75ff1e2-36b15833
OSFW,2007/07/08,19:35:40 -5:00 GMT,UNKNOWN(0),crack.exe,C:\INSTALL FILES, NEW\UniBlue\RB_KEYGEN\crack.exe,PROCESS,OPENPROCESS,SRC,winlogon.exe
OSFW,2007/07/08,19:36:10 -5:00 GMT,UNKNOWN(0),serial.exe,C:\INSTALL FILES, NEW\UniBlue\RB_KEYGEN\serial.exe,PROCESS,OPENPROCESS,SRC,"C:\Program Files\Mozilla Firefox\firefox.exe"
OSFW,2007/07/08,19:37:50 -5:00 GMT,UNKNOWN(0),exe12.exe,C:\Documents and Settings\Owner\Local Settings\Temp\exe12.exe,PROCESS,OPENPROCESS,SRC,C:\WINDOWS\Explorer.EXE
PE,2007/07/08,19:38:12 -5:00 GMT,Windows Command Processor,204.0.3.121:53,N/A
PE,2007/07/08,19:38:56 -5:00 GMT,installer,209.86.66.97:53,N/A
OSFW,2007/07/08,19:39:34 -5:00 GMT,UNKNOWN(0),RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,runner1
PE,2007/07/08,19:40:52 -5:00 GMT,installer,204.2.208.96:53,N/A
ACCESS,2007/07/08,19:41:00 -5:00 GMT,installer was temporarily blocked from connecting to the Internet (204.2.208.96:DNS).,N/A,N/A
PE,2007/07/08,19:41:00 -5:00 GMT,installer,192.168.0.1:53,N/A
ACCESS,2007/07/08,19:41:08 -5:00 GMT,installer was temporarily blocked from connecting to the local zone (192.168.0.1:DNS).,N/A,N/A
ACCESS,2007/07/08,19:41:10 -5:00 GMT,installer was temporarily blocked from sending data to the local zone (192.168.0.1:DNS).,N/A,N/A
OSFW,2007/07/08,19:41:30 -5:00 GMT,UNKNOWN(0),RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,runner1
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
PE,2007/07/08,19:42:58 -5:00 GMT,installer,65.243.103.50:53,N/A
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:43:30 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
PE,2007/07/08,19:43:30 -5:00 GMT,installer,65.243.103.50:53,N/A
ACCESS,2007/07/08,19:43:44 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (65.243.103.50:DNS).,N/A,N/A
ACCESS,2007/07/08,19:43:44 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (192.168.0.1:DNS).,N/A,N/A
OSFW,2007/07/08,19:49:02 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:49:02 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:49:02 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (88.212.196.89:DNS).,N/A,N/A
OSFW,2007/07/08,19:49:04 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:49:04 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:49:04 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (209.34.86.79:DNS).,N/A,N/A
OSFW,2007/07/08,19:54:20 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:54:20 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:54:20 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (208.67.70.27:DNS).,N/A,N/A
OSFW,2007/07/08,19:54:22 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:54:22 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:54:22 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (192.168.0.1:DNS).,N/A,N/A
PE,2007/07/08,21:09:48 -5:00 GMT,Spybot - Search & Destroy,204.0.3.121:53,N/A
PE,2007/07/08,21:09:56 -5:00 GMT,External updater,204.0.3.121:53,N/A
OSFW,2007/07/08,22:29:04 -5:00 GMT,ALLOWED,Symantec Adware.VirtuMonde Removal Tool,C:\INSTALL FILES, NEW\SECURITY SUITE\FxVMonde.exe,PROCESS,OPENTHREAD,SRC,\SystemRoot\System32\smss.exe
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent,class,data,data,... (OSFirewall)
type,date,time,name,type,mode (Anti-Spyware)
PE,2007/07/09,08:52:16 -5:00 GMT,ondwxcsb.exe,65.243.103.62:80,N/A
ACCESS,2007/07/09,08:52:30 -5:00 GMT,ondwxcsb.exe was temporarily blocked from connecting to the Internet (65.243.103.62:HTTP).,N/A,N/A
OSFW,2007/07/09,08:52:32 -5:00 GMT,UNKNOWN(0),ondwxcsb.exe,C:\WINDOWS\SYSTEM32\ondwxcsb.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\SYSTEM32\cmd.exe,eeb024f2-c81f0d55-936fb825-d21a91d6,21a91d6,9aab67-f160988a
OSFW,2007/07/09,14:08:06 -5:00 GMT,UNKNOWN(0),Trend Micro Damage Cleanup Engine (32-Bit),C:\DOCUMENTS AND SETTINGS\Owner\.HOUSECALL6.6\tsc.exe,PROCESS,OPENPROCESS,SRC,"C:\Program Files\Mozilla Firefox\firefox.exe"
PE,2007/07/09,14:20:48 -5:00 GMT,Microsoft Help Center Service,207.46.192.254:80,N/A
OSFW,2007/07/09,14:27:48 -5:00 GMT,UNKNOWN(0),System Restore Application,C:\WINDOWS\SYSTEM32\Restore\rstrui.exe,PROCESS,SPAWNPROCESS,SRC,C:\WINDOWS\SYSTEM32\control.exe,4c6785e3-d2e45ee8-7cb99519-0a0c7737,737,4e3953f
________________________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:42 PM, on 7/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://srch-us4.hpwis.com/
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath2\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra 'Tools' menuitem: &AdsGone Settings - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: HPVC component - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/component34011.cab
O16 - DPF: HPVC resources - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/resources3403.cab
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 8169 bytes
___________________________________________________________________________________________
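As an added example (not part of MsMaverick's post or of any ZoneAlarm tooling), here is a small Python triage script for the ZoneAlarm 6.x text log format quoted above. It uses the column layouts from the header lines ZoneAlarm writes into its log, copes with the unquoted `file` column (the `C:\INSTALL FILES, NEW\...` path contains a comma, which shifts every later column if you split naively), and pulls out the indicators a responder would want from this log: processes writing an autorun value under `...\CurrentVersion\Run`, processes repeatedly blocked from connecting, per-program outbound destinations, and the "not allowed to use X to connect to" messages. The event-name set (`PROCESS`, `REGISTRY`, `DRIVER`) is taken from the lines in the post and is an assumption, not a ZoneAlarm specification; the sample log is a constructed subset of the post's own lines.

```python
"""Triage helper for ZoneAlarm 6.x text logs (added example, not ZoneAlarm code).

Column layouts, from the header lines ZoneAlarm writes at the top of its log:
  OSFW   : type,date,time,action,product,file,event,subevent,class,data,...
  PE     : type,date,time,source,destination,transport
  ACCESS : type,date,time,message,N/A,N/A
"""
import re
from collections import Counter, defaultdict

# Event names seen in the post's log; extend if your log has others (assumption).
OSFW_EVENTS = {"PROCESS", "REGISTRY", "DRIVER"}
AUTORUN_MARKER = "\\CURRENTVERSION\\RUN"      # matches ...\Run and ...\RunOnce
DATE_RE = re.compile(r"\d{4}/\d{2}/\d{2}")
VIA_RE = re.compile(r"(.+?) not allowed to use (\S+) to connect to \(([^)]+)\)")

# Constructed sample: a handful of lines copied from the ZoneAlarm log in the post.
SAMPLE_LOG = r"""
OSFW,2007/07/08,19:37:50 -5:00 GMT,UNKNOWN(0),exe12.exe,C:\Documents and Settings\Owner\Local Settings\Temp\exe12.exe,PROCESS,OPENPROCESS,SRC,C:\WINDOWS\Explorer.EXE
PE,2007/07/08,19:38:56 -5:00 GMT,installer,209.86.66.97:53,N/A
OSFW,2007/07/08,19:39:34 -5:00 GMT,UNKNOWN(0),RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,REGISTRY,SETVALUE,SRC,HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN,runner1
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
OSFW,2007/07/08,19:42:58 -5:00 GMT,BLOCKED,RETADPU2000352.EXE,C:\WINDOWS\RETADPU2000352.EXE,DRIVER,CONNECT,SRC
ACCESS,2007/07/08,19:43:44 -5:00 GMT,installer not allowed to use retadpu2000352.exe to connect to (65.243.103.50:DNS).,N/A,N/A
OSFW,2007/07/08,22:29:04 -5:00 GMT,ALLOWED,Symantec Adware.VirtuMonde Removal Tool,C:\INSTALL FILES, NEW\SECURITY SUITE\FxVMonde.exe,PROCESS,OPENTHREAD,SRC,\SystemRoot\System32\smss.exe
"""


def parse_record(line):
    """Split one log line into a dict; return None for header, blank or unknown lines."""
    fields = line.strip().split(",")
    if len(fields) < 5 or not DATE_RE.fullmatch(fields[1]):
        return None                      # header rows have 'date' in column 2
    rec = {"type": fields[0], "date": fields[1], "time": fields[2]}
    if rec["type"] == "OSFW":
        # The file column is unquoted, so a comma inside a path shifts every later
        # column. Re-join the path by scanning forward to the first known event name.
        idx = next((i for i in range(5, len(fields)) if fields[i] in OSFW_EVENTS), None)
        if idx is None:
            return None
        rec.update(action=fields[3], product=fields[4],
                   file=",".join(fields[5:idx]), event=fields[idx],
                   subevent=fields[idx + 1] if idx + 1 < len(fields) else "",
                   data=fields[idx + 3:])   # everything after the SRC class column
    elif rec["type"] == "PE":
        rec.update(source=fields[3], destination=fields[4])
    elif rec["type"] == "ACCESS":
        rec["message"] = fields[3]
    return rec


def triage(log_text):
    """Collect the indicators a responder would pull out of a log like the one above."""
    autorun, blocked, outbound, via = [], Counter(), defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "OSFW":
            if (rec["event"], rec["subevent"]) == ("REGISTRY", "SETVALUE") and rec["data"]:
                key = rec["data"][0]
                if AUTORUN_MARKER in key.upper():           # persistence via autorun key
                    value = rec["data"][1] if len(rec["data"]) > 1 else ""
                    autorun.append((rec["file"], key, value))
            elif rec["action"] == "BLOCKED" and (rec["event"], rec["subevent"]) == ("DRIVER", "CONNECT"):
                blocked[rec["file"]] += 1                    # repeated blocked connects
        elif rec["type"] == "PE":
            outbound[rec["source"]].add(rec["destination"])  # who talked to where
        elif rec["type"] == "ACCESS":
            m = VIA_RE.search(rec["message"])                # one program using another to connect
            if m:
                via.append(m.groups())
    return {
        "autorun": autorun,
        "blocked_connects": dict(blocked),
        "outbound": {src: sorted(dsts) for src, dsts in outbound.items()},
        "via_other_program": via,
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Run it against a saved ZoneAlarm log by reading the file into `triage()`; the `autorun` hits are the entries to check against the O4 lines of a HijackThis log, and `blocked_connects` plus `via_other_program` show which binaries were still trying to reach out after the firewall began blocking them.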
O16 - DPF: HPVC signed - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/signed3402.cab
O16 - DPF: HPVC support - http://vrm02.win2000.hpe-learning.com/hpvcpw/lib/hp/dc/lib/support3401.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScanner.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131239801859
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/071aa0953338b9/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {8395DA35-1EE7-43A0-8515-287490D4BA35} (StoreButton Class) - http://www.freedom.net/analyzer/franalyzer.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 8169 bytes
___________________________________________________________________________________________
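A first-pass triage of the log above can be scripted. The following is an added example and not part of MsMaverick's post or of HijackThis itself: it parses the R/O-section lines of a HJT log and flags the three things a helper would look at first here, namely registrations whose target file is gone (the two "(no file)" O3 toolbars and the "(file missing)" AdsGone O9 entries), an O16 DPF entry with no download URL (the Java 1.4.1_02 line), and any O4 autorun launched from a Temp folder (the kind of location the removalfile.bat found by Spybot lived in). The sample input is constructed from lines copied out of the posted log, plus one made-up O4 Temp line that is not in the log and is labelled as such in the code; the heuristics and function names are the example's own.

```python
"""Minimal HijackThis log triage: parse the R/O-section lines and flag the
entries a helper would look at first. Added example, not HijackThis code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. All lines except the last are copied from the posted log;
# the final O4 line is invented purely to exercise the Temp-folder check.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {FA91B828-F937-4568-82C1-843627E63ED7} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O9 - Extra button: AdsGone - {ECC5777A-6E88-BFCE-13CE-81F134789E7B} - C:\Program Files\AdsGone\adsgone (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O4 - HKCU\..\Run: [constructed] C:\Documents and Settings\Owner\Local Settings\Temp\example.exe
"""

# HJT section lines look like "O16 - DPF: ..." or "R1 - HKCU\Software\...".
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)


@dataclass
class Entry:
    code: str            # section code, e.g. "O4"
    body: str            # everything after "Oxx - "
    clsid: Optional[str]  # first GUID in the body, if any


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a section line, None for process lists and footers."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    clsid = CLSID_RE.search(m["body"])
    return Entry(m["code"], m["body"], clsid.group(0) if clsid else None)


def triage_entry(e: Entry) -> Optional[str]:
    """Apply the first-pass heuristics; return a reason string or None."""
    body = e.body
    # Registrations pointing at files that no longer exist: leftovers of a
    # removed add-on, harmless but worth cleaning.
    if "(no file)" in body or "(file missing)" in body:
        return "orphaned registration: target file no longer exists"
    # O16 entries normally end with " - <download URL>"; a bare trailing "-"
    # means the control has no recorded origin.
    if e.code == "O16":
        target = body.rsplit(" - ", 1)[-1].strip()
        if not target.lower().startswith(("http://", "https://")):
            return "DPF entry with no download URL"
    # Autoruns started from a temporary directory are a classic dropper sign.
    if e.code == "O4" and TEMP_DIR_RE.search(body):
        return "autorun launched from a temporary directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_entry over every section line of a log and collect hits."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = triage_entry(entry)
        if reason:
            findings.append(Finding(entry.code, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the constructed sample this reports four lines: the O3 toolbar, the AdsGone O9 button, the Java O16 entry and the invented Temp-folder O4 line; the AVG, Messenger, HouseCall and vsmon lines pass. The script is only a filter for things to look at, not a verdict, and an entry it flags still needs the usual check of what the file is and who signed it before anything is fixed.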