View Full Version : Need help removing vcodec
titaniumoutbreak
2006-03-22, 05:19
I have run a virus check using mcafee and it does not pick up vcodec but it did pick up a puper but when i went to press delete the computer resets itself. I also ran spybot search and destroy and it picked up vcodec and so i pressed fix problem. Then today it reappeared. How can a permanently remove it? All help is greatly appreciated.
Hello.
Please see:
Before you post a log, and who will advise you. (http://forums.spybot.info/showthread.php?t=288)
Regards. :)
titaniumoutbreak
2006-03-22, 09:00
ok i am runnin an online scan with panda active scan. When that finishes i will post the results. Then i will run a spybot check and post the results. Then i will run the highjackthis program and post the log. The mcafee online scan doesnt seem to work for me even though i am a subscriber to the service. wierd!!:scratch:
titaniumoutbreak
2006-03-22, 09:45
Incident Status Location
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Owner\Favorites\Antivirus Test Online.url
Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\1024
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@atwola[1].txt
Virus:Trj/Agent.BBN Not disinfected C:\Documents and Settings\Owner\My Documents\Stephanie's\install.exe
titaniumoutbreak
2006-03-22, 09:48
--- Search result list ---
Congratulations!: No immediate threats were found. ()
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-03-19 Includes\Cookies.sbi (*)
2006-03-19 Includes\Dialer.sbi (*)
2006-03-19 Includes\Hijackers.sbi (*)
2006-03-19 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-03-19 Includes\Malware.sbi (*)
2006-03-19 Includes\PUPS.sbi (*)
2006-03-19 Includes\Revision.sbi (*)
2006-03-19 Includes\Security.sbi (*)
2006-03-19 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-03-19 Includes\Trojans.sbi (*)
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB886903)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Media Center 2005 / SP3: Windows XP Media Center Edition 2005 KB888316
/ Media Center 2005 / SP3: Update Rollup 1 for Windows XP Media Center Edition 2005 with HDTV Support (KB873369)
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885295
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB887797
/ Windows XP / SP3: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888240
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Hotfix for Windows XP (KB888795)
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB896344)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Update for Windows XP (KB900930)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913446)
--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
Located: HK_LM:Run, AOLDialer
command: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
file: C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
size: 34904
MD5: 25d2aa5a7ca01db369a39149a1ab2f30
Located: HK_LM:Run, CHotkey
command: zHotkey.exe
file: C:\WINDOWS\zHotkey.exe
size: 543232
MD5: 91e1b0577d9662aa0a83c75418f6f6f8
Located: HK_LM:Run, ehTray
command: C:\WINDOWS\ehome\ehtray.exe
file: C:\WINDOWS\ehome\ehtray.exe
size: 59392
MD5: f90137a9897071ede961a5aba4ea524f
Located: HK_LM:Run, Emurayden PSX Emulator
command: c:\Program Files\Emurayden PSX Emulator v2.1\Emurayden PSX AutoLauncher.exe
file:
Located: HK_LM:Run, HostManager
command: C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe
file: C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe
size: 50792
MD5: d88962ada17e876554bf03d977139148
Located: HK_LM:Run, MCAgentExe
command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
file: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 303104
MD5: e8d2dcece015f4558aa3853514664f15
Located: HK_LM:Run, MCUpdateExe
command: c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
file: c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
size: 212992
MD5: dec79e9887924b82837b9b7730ecaa1f
Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 50688
MD5: 5046f135bb97a68bfe485ab039e605c0
Located: HK_LM:Run, MPFEXE
command: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
file: C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1005096
MD5: d76dcba1bce72093e00a4efa114a4e98
Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, NvMediaCenter
command: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINDOWS\system32\nwiz.exe
size: 921600
MD5: 96880791e6dde3fac08342c1d5b045ac
Located: HK_LM:Run, OASClnt
command: C:\Program Files\McAfee.com\VSO\oasclnt.exe
file: C:\Program Files\McAfee.com\VSO\oasclnt.exe
size: 53248
MD5: 76e033f33912bfaca4a05be8d1f3a740
Located: HK_LM:Run, Pure Networks Port Magic
command: "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
file: C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
size: 99480
MD5: ba99c608a075c44026720d5383f3d75b
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: c341ccfbe98bc7df6e0b856bb9fc265a
Located: HK_LM:Run, Recguard
command: C:\WINDOWS\SMINST\RECGUARD.EXE
file: C:\WINDOWS\SMINST\RECGUARD.EXE
size: 212992
MD5: d3cc7a3813123e955b3a497c04b404e2
Located: HK_LM:Run, RemoteControl
command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 7a011702c0aa86ad79efa86e66f411dc
Located: HK_LM:Run, ShowWnd
command: ShowWnd.exe
file:
Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 67584
MD5: e0584ee5e7f07f04a879b19a37465588
Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100
Located: HK_LM:Run, SunKistEM
command: C:\Program Files\Digital Media Reader\shwiconem.exe
file: C:\Program Files\Digital Media Reader\shwiconem.exe
size: 135168
MD5: 06a6145cddf7db1efbe6280a57880111
Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: f9b47f830dd55fedd6ef27d063c29a42
Located: HK_LM:Run, VirusScan Online
command: C:\Program Files\McAfee.com\VSO\mcvsshld.exe
file: C:\Program Files\McAfee.com\VSO\mcvsshld.exe
size: 163840
MD5: b154ac6dbd82f96476003e58e1625bd8
Located: HK_LM:Run, VSOCheckTask
command: "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
file: C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe
size: 151552
MD5: 3c943ceb913520f9981d82db93ba7a8a
Located: HK_LM:RunOnceEx,
command:
file:
Located: HK_CU:Run, AOL Fast Start
command: "C:\Program Files\America Online 9.0\AOL.EXE" -b
file: C:\Program Files\America Online 9.0\AOL.EXE
size: 50776
MD5: 9c4239915e23d7df1ddfb88512c08249
Located: Startup (common), Adobe Gamma Loader.lnk
command: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
file: C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
size: 113664
MD5: c2ff17734176cd15221c10044ef0ba1a
Located: Startup (common), BigFix.lnk
command: C:\Program Files\BigFix\BigFix.exe
file: C:\Program Files\BigFix\BigFix.exe
size: 1742384
MD5: 3802278fed9e3594b4bc3377ff0cff3b
Located: Startup (common), Kodak EasyShare software.lnk
command: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
file: C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
size: 757760
MD5: 5849e088d0318421376e633018abe6f9
Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll
Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll
Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll
Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll
Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll
Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll
titaniumoutbreak
2006-03-22, 09:49
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 5/15/2003 9:47:54 AM
Date (last access): 3/22/2006 2:35:10 AM
Date (last write): 5/15/2003 9:47:54 AM
Filesize: 50376
Attributes: archive
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
CRC32: 1D771322
Version: 6.0.0.878
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000} (McAfee Anti-Phishing Filter)
BHO name:
CLSID name: McAfee Anti-Phishing Filter
Path: C:\Program Files\McAfee\Anti-Phishing Filter\
Long name: McAfeeAntiPhishingBHO.dll
Short name: MCAFEE~1.DLL
Date (created): 1/20/2005 10:22:58 AM
Date (last access): 3/22/2006 2:35:10 AM
Date (last write): 1/20/2005 10:22:58 AM
Filesize: 245867
Attributes: archive
MD5: 57F9E33078C0F59D232D46DE276BA946
CRC32: 4ED481FF
Version: 1.0.123.0
{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 6/21/2005 12:16:50 AM
Date (last access): 3/22/2006 2:35:10 AM
Date (last write): 5/31/2005 12:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0
{549B5CA7-4A86-11D7-A4DF-000874180BB3} ()
BHO name:
CLSID name:
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 3/22/2006 2:35:10 AM
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5
{FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
BHO name:
CLSID name:
description: Microsoft Money
classification: Open for discussion
known filename: mnyviewer.dll
info link: http://www.microsoft.com/money/default.asp
info source: TonyKlein
--- ActiveX list ---
{0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility)
DPF name:
CLSID name: PCPitstop Utility
Installer: C:\WINDOWS\Downloaded Program Files\PCPitstop.inf
Codebase: http://support.gateway.com/support/profiler/PCPitStop.CAB
description: Gateway tools
classification: Open for discussion
known filename: PCPITSTOP.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\Downloaded Program Files\
Long name: PCPitstop.dll
Short name: PCPITS~1.DLL
Date (created): 1/5/2005 7:02:56 PM
Date (last access): 3/22/2006 2:37:14 AM
Date (last write): 1/5/2005 7:02:56 PM
Filesize: 252416
Attributes: archive
MD5: 09B759CF3836A19F761BFC5033B01509
CRC32: AE04C3FC
Version: 1.0.0.134
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 6/23/2005 6:47:08 PM
Date (last access): 3/22/2006 1:38:20 AM
Date (last write): 5/19/2005 1:58:34 PM
Filesize: 54488
Attributes: archive
MD5: 2B75B8197F3BCBB199EAA3AFE3FB3CA3
CRC32: ED72FE89
Version: 10.1.0.11
{26098EA2-C95D-48EA-89B4-63C5A63BD42F} ()
DPF name:
CLSID name:
Installer:
Codebase: http://www.pacimedia.com/install/pcs_0031.exe
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
DPF name:
CLSID name: YInstStarter Class
Installer: C:\Program Files\Yahoo!\Common\yinst.inf
Codebase: C:\Program Files\Yahoo!\Common\yinsthelper.dll
description: Yahoo! Installation helper
classification: Legitimate
known filename: %SystemRoot%\Downloaded Program Files\yinsthelper.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Yahoo!\Common\
Long name: yinsthelper.dll
Short name: YINSTH~1.DLL
Date (created): 9/26/2005 8:40:56 PM
Date (last access): 3/22/2006 1:38:20 AM
Date (last write): 11/7/2004 3:29:46 PM
Filesize: 173168
Attributes: archive
MD5: 4C0658E518FA9D08E884DB717A7087AE
CRC32: FFDA1549
Version: 2004.11.7.1
{37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update)
DPF name:
CLSID name: AOL Content Update
Installer: C:\WINDOWS\Downloaded Program Files\aolcoach_core.inf
Codebase: http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Common Files\AolCoach\en_en\
Long name: GTDownAO_106.ocx
Short name: GTDOWN~1.OCX
Date (created): 3/17/2006 8:52:20 PM
Date (last access): 3/22/2006 1:13:12 AM
Date (last write): 10/26/2004 6:17:36 PM
Filesize: 184320
Attributes: archive
MD5: 052168A978489FCC8F16C99F53F63ACD
CRC32: CF0E84EB
Version: 1.0.0.106
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class)
DPF name:
CLSID name: FilePlanet Download Control Class
Installer:
Codebase: http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
description:
classification: Open for discussion
known filename: FilePlanetDownloadCtrl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: FilePlanetDownloadCtrl.dll
Short name: FILEPL~1.DLL
Date (created): 6/21/2004 6:11:18 PM
Date (last access): 3/22/2006 2:22:32 AM
Date (last write): 6/21/2004 6:11:18 PM
Filesize: 294912
Attributes: archive
MD5: E6B0A532DC0404BCB678CB0F6757008D
CRC32: AE97F52E
Version: 1.0.0.44
{3A7FE611-1994-4EF1-A09F-99456752289D} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\ActiveLauncherCabSetup.inf
Codebase: http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{4B48D5DF-9021-45F7-A240-60304302A215} (Malicious Software Removal Tool)
DPF name:
CLSID name: Malicious Software Removal Tool
Installer: C:\WINDOWS\Downloaded Program Files\WebCleaner.inf
Codebase: http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
description:
classification: Legitimate
known filename: WebCleaner.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: WebCleaner.dll
Short name: WEBCLE~1.DLL
Date (created): 8/18/2005 12:10:08 PM
Date (last access): 3/22/2006 2:37:14 AM
Date (last write): 8/18/2005 12:10:08 PM
Filesize: 1432928
Attributes: archive
MD5: E4F1669C45EDE23BE8FD039319E3FA63
CRC32: A8DB43B3
Version: 1.7.758.0
{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class)
DPF name:
CLSID name: McAfee.com Operating System Class
Installer: C:\WINDOWS\Downloaded Program Files\mcinsctl.inf
Codebase: http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
description:
classification: Open for discussion
known filename: mcinsctl.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: mcinsctl.dll
Short name:
Date (created): 6/21/2005 12:52:54 AM
Date (last access): 3/22/2006 1:42:10 AM
Date (last write): 10/18/2005 10:08:04 AM
Filesize: 349760
Attributes: archive
MD5: 4BCCCA6CBD89CE29DD7FE0BB1E0DCDD3
CRC32: FF5BF715
Version: 4.0.0.101
{58172624-85DD-4482-9E64-02ADCA637E96} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\webmoo.inf
Codebase: http://www.shizmoo.com/activex/web665.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.
{5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class)
DPF name:
CLSID name: McUpdatePortalFactory Class
Installer: C:\WINDOWS\Downloaded Program Files\McMysec.inf
Codebase: http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
description:
classification: Open for discussion
known filename: McUpdatePortal.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: McUpdatePortal.dll
Short name: MCUPDA~1.DLL
Date (created): 4/6/2005 10:59:38 AM
Date (last access): 3/22/2006 2:22:34 AM
Date (last write): 4/6/2005 10:59:38 AM
Filesize: 117248
Attributes: archive
MD5: B523E1F1FBFDD97E5AC90ADF233AFD4E
CRC32: 652A4AED
Version: 1.0.0.8
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\muweb.inf
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125966544547
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 5/26/2005 3:19:32 AM
Date (last access): 3/22/2006 1:38:20 AM
Date (last write): 5/26/2005 3:19:32 AM
Filesize: 178408
Attributes: archive
MD5: EE37AA2C0700221CD8B02FADCD4C7FB5
CRC32: F5494B06
Version: 5.8.0.2469
{745395C8-D0E1-4227-8586-624CA9A10A8D} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://129.15.200.151/activex/AMC.cab
{77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control)
DPF name:
CLSID name: Groove Control
Installer:
Codebase: http://download.shockwave.com/pub/otoy/OTOYAX.cab
description:
classification: Open for discussion
known filename: GROOVEAX.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: OTOYAX.dll
Short name:
Date (created): 6/1/2004 1:30:56 AM
Date (last access): 3/22/2006 2:37:14 AM
Date (last write): 6/1/2004 1:30:56 AM
Filesize: 509680
Attributes: archive
MD5: 52C67EDA5F6DEDC4AB523B9E59A5393C
CRC32: 158BED35
Version: 1.0.29.0
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 3/22/2006 1:38:20 AM
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5
{917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class)
DPF name:
CLSID name: CamImage Class
Installer: C:\WINDOWS\Downloaded Program Files\AxisCamControl.inf
Codebase: http://129.57.20.46:1497/activex/AxisCamControl.cab
description:
classification: Legitimate
known filename: AxisCamControl.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: AxisCamControl.ocx
Short name: AXISCA~1.OCX
Date (created): 11/15/2001 4:40:14 PM
Date (last access): 3/22/2006 2:22:32 AM
Date (last write): 5/17/2004 2:37:10 PM
Filesize: 204800
Attributes: archive
MD5: 00C3B7ECC099316430B86E3C84E3C51D
CRC32: 5D44B381
Version: 2.20.0.21
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Open for discussion
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 12/19/2005 1:35:32 PM
Date (last access): 3/22/2006 2:02:00 AM
Date (last write): 12/19/2005 1:35:32 PM
Filesize: 135168
Attributes: archive
MD5: 20C07B231040B49AFCE82397BFC35F9C
CRC32: 9301377D
Version: 58.4.0.0
{A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control)
DPF name:
CLSID name: Aurigma Image Uploader 3.5 Control
Installer: C:\WINDOWS\Downloaded Program Files\ImageUploader3.inf
Codebase: http://babiiphatox.slide.com/uploader/ImageUploader3.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ImageUploader3.ocx
Short name: IMAGEU~1.OCX
Date (created): 11/15/2005 4:10:02 PM
Date (last access): 3/22/2006 1:38:20 AM
Date (last write): 11/15/2005 4:10:02 PM
Filesize: 1914656
Attributes: archive
MD5: CECB4AB5CDA1F44DEF82D7D12271968D
CRC32: 7F838F19
Version: 3.5.133.0
titaniumoutbreak
2006-03-22, 09:50
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 3/17/2005 1:48:34 PM
Date (last access): 3/22/2006 2:22:34 AM
Date (last write): 3/17/2005 1:48:34 PM
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2
{BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class)
DPF name:
CLSID name: DwnldGroupMgr Class
Installer: C:\WINDOWS\Downloaded Program Files\McGDMgr.inf
Codebase: http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
description:
classification: Open for discussion
known filename: McGDMgr.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: McGDMgr.dll
Short name:
Date (created): 6/21/2005 12:52:54 AM
Date (last access): 3/22/2006 1:38:22 AM
Date (last write): 5/24/2005 6:23:32 PM
Filesize: 288320
Attributes: archive
MD5: DAD85986ECE72BC56A535FCC116AA6DD
CRC32: 6B1048D3
Version: 1.0.0.26
{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_05
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_05\bin\
Long name: NPJPI150_05.dll
Short name: NPJPI1~1.DLL
Date (created): 8/26/2005 6:14:48 PM
Date (last access): 3/22/2006 1:38:22 AM
Date (last write): 8/26/2005 6:33:54 PM
Filesize: 69746
Attributes: archive
MD5: 52A85771BE18C9C00732F475A2C192AE
CRC32: 525AE3AD
Version: 5.0.50.5
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 11/10/2005 1:03:56 PM
Date (last access): 3/22/2006 2:41:08 AM
Date (last write): 11/10/2005 1:22:10 PM
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 10/27/2004 8:16:40 PM
Date (last access): 3/22/2006 2:02:00 AM
Date (last write): 12/8/2003 2:01:58 PM
Filesize: 933888
Attributes: archive
MD5: F7E435D02F7A48120B746E33254A70BC
CRC32: 02AF493D
Version: 7.0.19.0
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Installer: C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Codebase: http://aolsvc.aol.com/onlinegames/heavyweapon/popcaploader_v7.cab
description:
classification: Open for discussion
known filename: POPCAPLOADER.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: popcaploader.dll
Short name: POPCAP~1.DLL
Date (created): 11/9/2004 3:24:28 PM
Date (last access): 3/22/2006 2:22:34 AM
Date (last write): 11/9/2004 3:24:28 PM
Filesize: 126976
Attributes: archive
MD5: 649F3D5D8A982DD55CA4DBA5C0726C70
CRC32: 4510A062
Version: 1.0.0.7
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class)
DPF name:
CLSID name: McFreeScan Class
Installer: C:\WINDOWS\Downloaded Program Files\mcfscan.inf
Codebase: http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4719/mcfscan.cab
description:
classification: Legitimate
known filename: mcfscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\McAfee.com\FreeScan\
Long name: mcfscan.dll
Short name:
Date (created): 6/29/2005 11:12:26 AM
Date (last access): 3/22/2006 1:38:22 AM
Date (last write): 3/15/2006 9:44:24 AM
Filesize: 116288
Attributes: archive
MD5: F41A2CEDEF964F1EAED76754AAF3D152
CRC32: C95933B6
Version: 2.1.0.4719
--- Process list ---
PID: 0 ( 0) [System]
PID: 624 ( 4) \SystemRoot\System32\smss.exe
PID: 684 ( 624) \??\C:\WINDOWS\system32\csrss.exe
PID: 708 ( 624) \??\C:\WINDOWS\system32\winlogon.exe
PID: 756 ( 708) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 768 ( 708) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 924 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 992 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1120 ( 756) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1208 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1312 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1568 ( 756) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1684 (1656) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 1936 ( 756) C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
size: 10328
MD5: AA2770FD967DAB91A597619C4EADC0C9
PID: 1952 ( 756) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
size: 100016
MD5: 7FB54900AA9792AB6307C699EC1859D4
PID: 1976 ( 756) C:\WINDOWS\eHome\ehRecvr.exe
size: 195584
MD5: 63F371F0248E3732A4821F86E6D0E370
PID: 1992 (1952) C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
size: 46768
MD5: CAF7C2FDDADF73A02AC84C6FB6030BBF
PID: 2024 ( 756) C:\WINDOWS\eHome\ehSched.exe
size: 102912
MD5: 16910F8B482919BB6035ED053B691692
PID: 244 ( 756) c:\program files\mcafee.com\agent\mcdetect.exe
size: 126976
MD5: F73B0F3EBD90B1C87A3B93BE94E831C7
PID: 276 ( 756) c:\PROGRA~1\mcafee.com\vso\mcshield.exe
size: 221184
MD5: FAE84A2F9C11B7C532950BF0AE1EC26A
PID: 368 ( 756) c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
size: 122368
MD5: A214E217784D1002411DCA8E9793D4A4
PID: 488 ( 276) c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
size: 53248
MD5: 76E033F33912BFACA4A05BE8D1F3A740
PID: 492 ( 756) C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
size: 548864
MD5: 316535E69181703D4CE4623DEA29FECB
PID: 536 ( 756) C:\WINDOWS\system32\nvsvc32.exe
size: 127043
MD5: 190BF982638E4A0C98B334A39E50FB9F
PID: 556 ( 924) c:\program files\mcafee.com\vso\mcvsshld.exe
size: 163840
MD5: B154AC6DBD82F96476003E58E1625BD8
PID: 404 ( 756) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
size: 172032
MD5: 33D7285F12D934268A34206DFC4AD1B3
PID: 584 ( 556) c:\progra~1\mcafee.com\vso\mcvsescn.exe
size: 483328
MD5: 3B1A1BAA8D7444DEFCE4093611212ED6
PID: 672 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 172 ( 756) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2200 ( 756) C:\WINDOWS\system32\dllhost.exe
size: 5120
MD5: DD87DB7387B9EB441C5674888A0D840C
PID: 2280 ( 756) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 3304 (1684) C:\WINDOWS\ehome\ehtray.exe
size: 59392
MD5: F90137A9897071EDE961A5ABA4EA524F
PID: 3320 (1684) C:\WINDOWS\zHotkey.exe
size: 543232
MD5: 91E1B0577D9662AA0A83C75418F6F6F8
PID: 3372 (1684) C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 7A011702C0AA86AD79EFA86E66F411DC
PID: 3388 (1684) C:\WINDOWS\SOUNDMAN.EXE
size: 67584
titaniumoutbreak
2006-03-22, 09:51
MD5: E0584EE5E7F07F04A879B19A37465588
PID: 3396 (1684) C:\Program Files\Digital Media Reader\shwiconem.exe
size: 135168
MD5: 06A6145CDDF7DB1EFBE6280A57880111
PID: 3404 (1684) C:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 303104
MD5: E8D2DCECE015F4558AA3853514664F15
PID: 3428 (1684) C:\Program Files\QuickTime\qttask.exe
size: 98304
MD5: C341CCFBE98BC7DF6E0B856BB9FC265A
PID: 3436 (1684) C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61A3A9D5D98BF0331DF5B716144A8100
PID: 3444 (1684) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 50688
MD5: 5046F135BB97A68BFE485AB039E605C0
PID: 3496 (1684) C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: F9B47F830DD55FEDD6EF27D063C29A42
PID: 3504 (1684) C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe
size: 50792
MD5: D88962ADA17E876554BF03D977139148
PID: 3516 (1684) C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
size: 34904
MD5: 25D2AA5A7CA01DB369A39149A1AB2F30
PID: 3556 (1684) C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
size: 1005096
MD5: D76DCBA1BCE72093E00A4EFA114A4E98
PID: 3852 ( 924) C:\WINDOWS\eHome\ehmsas.exe
size: 45568
MD5: 04F893509C03C84F717A83189ED51336
PID: 3884 (3600) C:\Program Files\America Online 9.0\waol.exe
size: 37464
MD5: 7FAB3C273C8214D517BDD0CBD2BA1815
PID: 832 ( 924) C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
size: 524288
MD5: EFFC4B0F270FC1A6EDF49A274BF5CDF8
PID: 972 ( 924) C:\WINDOWS\system32\wbem\wmiprvse.exe
size: 218112
MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 1716 (3884) C:\Program Files\America Online 9.0\shellmon.exe
size: 54872
MD5: F093707C39B3B38653CDB94C85A80772
PID: 3796 (1684) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 3/22/2006 2:41:08 AM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://g.msn.com/0SEENUS/SAOS01
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.gateway.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.yahoo.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.gatewaybiz.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8579F34B-AC5C-4067-85C4-22EEB5E5E5CF}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8579F34B-AC5C-4067-85C4-22EEB5E5E5CF}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69DF2CE1-12A7-4650-A247-5ABC5F6B625A}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{69DF2CE1-12A7-4650-A247-5ABC5F6B625A}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BC99A0E8-80F2-422F-AD16-432B3D3C008C}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{BC99A0E8-80F2-422F-AD16-432B3D3C008C}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D7B7C946-7F2A-4EB5-9E61-44BF7B4B2F97}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D7B7C946-7F2A-4EB5-9E61-44BF7B4B2F97}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B67E2199-1DCE-4049-8400-A96E6B8AD6F0}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B67E2199-1DCE-4049-8400-A96E6B8AD6F0}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E91C1E4A-E761-4460-9BC9-41F7A1A78BF5}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E91C1E4A-E761-4460-9BC9-41F7A1A78BF5}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D41D0814-D1A6-4915-97C1-FB5A269BBE4D}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D41D0814-D1A6-4915-97C1-FB5A269BBE4D}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
titaniumoutbreak
2006-03-22, 09:53
Logfile of HijackThis v1.99.1
Scan saved at 2:42:42 AM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - C:\Program Files\McAfee\Anti-Phishing Filter\McAfeeAntiPhishingBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Emurayden PSX Emulator] c:\Program Files\Emurayden PSX Emulator v2.1\Emurayden PSX AutoLauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\Program Files\McAfee\Anti-Phishing Filter\McAfeeAntiPhishingBHO.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - C:\Program Files\McAfee\Anti-Phishing Filter\McAfeeAntiPhishingBHO.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.shizmoo.com/activex/web665.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,8/McUpdatePortal.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125966544547
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} - http://129.15.200.151/activex/AMC.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://download.shockwave.com/pub/otoy/OTOYAX.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.57.20.46:1497/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://babiiphatox.slide.com/uploader/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/heavyweapon/popcaploader_v7.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4719/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D41D0814-D1A6-4915-97C1-FB5A269BBE4D}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbucoms.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
titaniumoutbreak
2006-03-22, 09:56
Ok, i ran the spybot, the mcafee virus scan, the panda active scan, and the highjackthis program. Mcafee did not find a virus but panda active scan did. It also found more spyware than the spybot but since i do not have a sunscription to pandascan i cannot delete the trojan puper and the spyware.
Maybe its possible to delete all of this manually? Thanks for the help and sorry the logs are so long.
LonnyRJones
2006-03-22, 15:11
Hi There
Start Hijackthis and place a check next to these items If there.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0031.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
====================================
Hit fix checked and close Hijackthis.
Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html
Download and run Silentrunners.Vbs post the log it creates please
http://www.silentrunners.org/sr_scriptuse.html click no to not skip the suplimentry searchs
Wait until there is a All Done message !!, Then open and post the log next to it.
Your antivirus script protection might interfear or alert, please allow it to run after a bit box will say done.
Post a report from this tool if any FILES show
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the i accept button near the bottom of that page.
Download and run blacklite click > scan then > next, next again then exit
there will be a new txt near blacklite. post it please.
Important: If any files show Do not rename them.....legitimate files can be listed.
titaniumoutbreak
2006-03-22, 23:20
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AOL Fast Start" = ""C:\Program Files\America Online 9.0\AOL.EXE" -b" ["America Online, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"wininet.dll" = "dfrgsrv.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
"CHotkey" = "zHotkey.exe" [empty string]
"ShowWnd" = "ShowWnd.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SunKistEM" = "C:\Program Files\Digital Media Reader\shwiconem.exe" ["Alcor Micro, Corp."]
"(Default)" = (empty string)
"MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\mcagent.exe" ["McAfee, Inc"]
"MCUpdateExe" = "c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" ["McAfee, Inc"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"Emurayden PSX Emulator" = "c:\Program Files\Emurayden PSX Emulator v2.1\Emurayden PSX AutoLauncher.exe" [file not found]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"HostManager" = "C:\Program Files\Common Files\AOL\1142646706\ee\AOLSoftware.exe" ["America Online, Inc."]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online"]
"Pure Networks Port Magic" = ""C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run" ["Pure Networks, Inc."]
"MPFEXE" = "C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe" ["McAfee Security"]
"VSOCheckTask" = ""C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask" ["McAfee, Inc."]
"VirusScan Online" = "C:\Program Files\McAfee.com\VSO\mcvsshld.exe" ["McAfee, Inc."]
"OASClnt" = "C:\Program Files\McAfee.com\VSO\oasclnt.exe" ["McAfee, Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{41D68ED8-4CFF-4115-88A6-6EBB8AF19000}\(Default) = (no title provided)
-> {HKLM...CLSID} = "McAfee Anti-Phishing Filter"
\InProcServer32\(Default) = "C:\Program Files\McAfee\Anti-Phishing Filter\McAfeeAntiPhishingBHO.dll" ["McAfee, Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {HKLM...CLSID} = "SampleView"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {HKLM...CLSID} = "KodakShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
DESKTOP.INI DLL launch in local fixed drive directories:
--------------------------------------------------------
D:\MiniNT\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
D:\PRELOAD\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
D:\i386\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
D:\updgoi\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
D:\System Restore\DESKTOP.INI
[.ShellClassInfo]
CLSID={7f67036b-66f1-411a-ad85-759fb9c5b0db}
-> {HKLM...CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellvRTF.dll" ["XSS"]
Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"BigFix" -> shortcut to: "C:\Program Files\BigFix\BigFix.exe /atstartup" ["BigFix Inc."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
Enabled Scheduled Tasks:
------------------------
"McAfee.com Scan for Viruses - My Computer (OLIVER-Owner)" -> launches: "c:\program files\mcafee.com\vso\mcmnhdlr.exe /runtask:0" ["McAfee, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
-> {HKLM...CLSID} = "McAfee VirusScan"
\InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["McAfee, Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{39FD89BF-D3F1-45B6-BB56-3582CCF489E1}\
"MenuText" = "McAfee Anti-Phishing Filter"
"CLSIDExtension" = "{7DD73374-7187-4103-8F29-622AA25E7C40}"
-> {HKLM...CLSID} = "MyCfgDlgCmdTarget Class"
\InProcServer32\(Default) = "C:\Program Files\McAfee\Anti-Phishing Filter\McAfeeAntiPhishingBHO.dll" ["McAfee, Inc."]
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AOL Connectivity Service, AOL ACS, ""C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"" ["America Online"]
AOL TopSpeed Monitor, AOL TopSpeedMonitor, "C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe" ["America Online, Inc"]
McAfee Personal Firewall Service, MpfService, "C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe" ["McAfee Corporation"]
McAfee Task Scheduler, McTskshd.exe, "c:\PROGRA~1\mcafee.com\agent\mctskshd.exe" ["McAfee, Inc"]
McAfee WSC Integration, McDetect.exe, "c:\program files\mcafee.com\agent\mcdetect.exe" ["McAfee, Inc"]
McAfee.com McShield, McShield, "c:\PROGRA~1\mcafee.com\vso\mcshield.exe" ["McAfee Inc."]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PrismXL, PrismXL, "C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS" ["New Boundary Technologies, Inc."]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 7 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 6 seconds.
---------- (total run time: 29 seconds)
titaniumoutbreak
2006-03-22, 23:24
03/22/06 16:23:25 [Info]: BlackLight Engine 1.0.33 initialized
03/22/06 16:23:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/22/06 16:23:25 [Note]: 7019 4
03/22/06 16:23:25 [Note]: 7005 0
03/22/06 16:23:28 [Note]: 7006 0
03/22/06 16:23:28 [Note]: 7011 1708
03/22/06 16:23:28 [Note]: FSRAW library version 1.7.1015
03/22/06 16:24:13 [Note]: 7007 0
LonnyRJones
2006-03-22, 23:38
Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
Restart your PC.
Is this file present anywhere on your pc ? "dfrgsrv.exe"
titaniumoutbreak
2006-03-23, 04:09
yes the file dfrgsrv.exe is present in C:\windows\Prefetch 14kb pf file and in
C:windows\system32 16kb application.
Also the pupper trojan has come back and is disabling my mcafee firewall and virus scan and adding disable code to the registryedit32 and adding files ncompat.tlb and a file which changes name but starts with ld***.tmp and when mcafee finds the tojan it automatically restarts teh computer but it never deletes it. how can i fix this?
LonnyRJones
2006-03-23, 09:09
Did the above registry file merge successfully ?
Reboot the PC into safe mode and delete the files mentioned here under the
"Files Added " section
http://vil.mcafeesecurity.com/vil/content/v_129769.htm
c:\program files\emedia codec\uninst.exe ( 24143 bytes )
c:\program files\emedia codec\ecodec.exe
c:\windows\system32\ld1D1E.tmp ( 28173 bytes )
c:\windows\system32\dfrgsrv.exe ( 15577 bytes )
dont delete any except at those loactions, also do not edit the registry other than what we did with that reg file, unless you are very familur using regedit alrready.
"adding disable code" explain ?
titaniumoutbreak
2006-03-23, 10:18
ok i went to delete the files but they were no longer there. Also by "disable code" i mean when i go to the registry editor under hkey_local_machine\software\microsoft\securitycenter\there are these disable codes:
default reg_sz (value not set)
Antivirus disablenotify REG_DWORD 0x00000000(0)
Antivirusoverride REG_DWORD 0x00000000(0)
firewall disabelnotify REG_DWORD 0x00000000(0)
firewall override REG_DWORD 0x00000000(0)
updates disablenotify REG_DWORD 0x00000000(0)
and under hkey_local_machine\software\microsoft\securitycenter\monitoring\mcafeeantivirus
its says disable monitoring REG_DWORD 0x00000001 (1)
hkey_local_machine\software\microsoft\securitycenter\monitoring\mcafeefirewall
it says disable monitoring REG_DWORD 0x00000001 (1)
when all this is there my aol cannot detect an antivirus program or firewall but when i delete these keys aol detects all the mcafeeprograms. Also after i delete these "disable codes" when i restart or turn off and turn back on the computer they reappear.
LonnyRJones
2006-03-23, 10:33
AOL what ? antispyware ?
I think its confused
hkey_local_machine\software\microsoft\securitycenter
Antivirus disablenotify REG_DWORD 0x00000000(0)
Antivirusoverride REG_DWORD 0x00000000(0)
firewall disabelnotify REG_DWORD 0x00000000(0)
firewall override REG_DWORD 0x00000000(0)
updates disablenotify REG_DWORD 0x00000000(0)
Those are there by default
hkey_local_machine\software\microsoft\securitycenter\monitoring\mcafeeantivirus
its says disable monitoring REG_DWORD 0x00000001 (1)
hkey_local_machine\software\microsoft\securitycenter\monitoring\mcafeefirewall
it says disable monitoring REG_DWORD 0x00000001 (1)
Are you using Mcafees cecurty senter, if so it probaly disabled windows security center becouse it has its own
titaniumoutbreak
2006-03-23, 10:47
my American Online sign on screen says it cannot detect a firewall and antivirus even though i have the mcafee program for all those things. my security center is not disabled. maybe your right and its just confused. anyway i have to go to sleep i have class from 10am to 10pm tomorrow. I'll be back at night and hopefully everything is fixed. Thanks so much, you guys rock!!lol
-nite
LonnyRJones
2006-03-28, 02:10
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.
If you should need to post another log for the same PC let Me or Tashi know.
Best regards
Lonny