View Full Version : So much spyware
thetimfactor
2006-09-09, 10:20
I keep getting virus alerts and spyware no matter how much I run spybot. Can anyone help?
Here is the online scan
Incident Status Location
Adware:adware/safetybar Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.revenue.net/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Golden Palace Online Casino Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[www.goldenpalace.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.com.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Rosey\Application Data\Mozilla\Firefox\Profiles\khhlt5tb.default\cookies.txt[.serving-sys.com/]
I then did as the "before you post" post suggests and ran spybot but I could not open safe mode as it freezes befoire I can open it. So I ran it it normal windows mode.
hjt in the next post...
thetimfactor
2006-09-09, 10:21
Here is the Hijack This log
Logfile of HijackThis v1.99.1
Scan saved at 6:12:09 PM, on 9/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\{F8292BE4-0AFE-3081-0214-03041003003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153320235156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322467781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I do not know the name of whatever the program is that it doing it, but there seems to be many of them as Spybot keeps finding them even after it deletes them all.
Did I miss anything I needed to post?
Thanks for helping
-Tim
pskelley
2006-09-12, 11:47
Hello Tim and welcome to the forum, sorry for the wait, logs are many and volunteers are few. If you still need help and are not receiving it at another forum, please do this.
1) This is probably bad: C:\Program Files\Common Files\{F8292BE4-0AFE-3081-0214-03041003003d}\Update.exe
Use one or more of these free online scans to be sure and post that information for me to view.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
2) Follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.
Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.
Thanks...pskelley
Safer Networking Forums
If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/
thetimfactor
2006-09-16, 11:09
Thankyou for replying. Sorry my reply took so long. Especially since you guys gto to such effort to do all this voluntarily
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Tim\FAVORI~1
C:\DOCUME~1\Tim\FAVORI~1\Antivirus Test Online.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
C:\Program Files\Safety Bar\ FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
thetimfactor
2006-09-16, 11:14
I did the jotti scan on from the folder you told me to do it on. Update.exe.was not in there, but services.dll was and that was what I did it on:
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Downloader.Generic2.JVP
BitDefender
Found nothing
ClamAV
Found Trojan.Downloader.Small-1743
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.AEMV
UNA
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
pskelley
2006-09-16, 12:26
These hackers are not going to make it easy for us. They have done their dirty work with someone who uses the computer's help (probably downloaded a fake codec file: http://forums.spybot.info/showthread.php?t=7344 )
now we are left to undo the damage, and it is never as easy to undo as it is to prevent.
Here is that item in your HJT log: C:\Program Files\Common Files\{F8292BE4-0AFE-3081-0214-03041003003d}\Update.exe
It is there and I am about 99% sure it is an installer that will continue to put back the trash we are trying to remove. What I need from you is to validate the 1% I am not sure of. Use search companion, make sure you do this first:
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
and please let me know the results.
You also need to continue with the fix, you can see SmitfraudFix did locate the infection. Post the information about the questionable file: Update.exe unless you just want to delete it once you have it located, that is what I would do but it is your computer.
Post the three logs and I will have a look to see what is left to do.
Thanks
thetimfactor
2006-09-16, 14:11
As you were posting that last post I was following instructions from url you sent and here is the logs (I have not yet done anything about the second post you wrote though, but I thought these might be important too):
Rapport Log after clean in Safe Mode:
SmitFraudFix v2.87
Scan done at 19:46:21.39, Sat 16/09/2006
Run from C:\Documents and Settings\Tim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url Deleted
C:\DOCUME~1\Tim\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Safety Bar\ Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
thetimfactor
2006-09-16, 14:12
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 9:50:43 PM 16/09/2006
+ Scan result:
HKU\S-1-5-21-2052111302-1767777339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\system32\efcayyw.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win13FE.tmp.exe -> Downloader.Small.dod : Cleaned with backup (quarantined).
C:\WINDOWS\system32\urroxtl.dll_tobedeleted -> Not-A-Virus.Hoax.Win32.Renos.ds : Ignored.
:mozilla.150:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.101:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.102:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.103:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.104:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.111:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.112:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.113:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.114:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.115:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.116:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.117:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.118:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.119:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.120:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.121:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.122:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.123:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.124:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.125:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.126:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.127:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.128:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.129:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.130:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.131:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.132:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.133:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.134:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.230:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
thetimfactor
2006-09-16, 14:13
:mozilla.32:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.380:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.427:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.15:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.35:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.36:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.37:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.19:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.588:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.589:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.171:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.172:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.100:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.101:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.102:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.103:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.83:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.84:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.61:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.75:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.216:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.16:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.17:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.18:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.19:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.20:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\gdcy7apd.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.23:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.24:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.31:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.32:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.33:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.20:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.21:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.114:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.234:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
D:\Pre Mission\Tim\Cookies\tim@download.com[2].txt -> TrackingCookie.Com : Cleaned.
:mozilla.34:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.267:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.268:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.269:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.270:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.271:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.90:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.196:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.197:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.198:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.199:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.200:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.78:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.79:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.80:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.81:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.23:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.24:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.25:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.26:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.27:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.28:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.29:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\6ayospo1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.317:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.325:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Hypertracker : Cleaned.
:mozilla.650:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.651:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.652:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.657:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.658:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.112:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.65:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.66:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.119:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.120:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.121:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.122:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.167:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.168:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.169:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.170:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.442:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.443:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.444:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.445:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.70:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.71:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.72:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.26:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.462:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.478:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.479:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.480:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.481:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.482:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.503:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.28:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.29:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.506:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.507:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.508:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.509:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.510:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.511:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.41:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.42:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.520:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.521:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Robert\Cookies\robert@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.534:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.82:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.115:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.540:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.617:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.10:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.11:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.12:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.14:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.30:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.31:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.9:C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\aa448k56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.590:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.591:C:\Documents and Settings\Tim\Application Data\Mozilla\Firefox\Profiles\psf0rnoc.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
::Report end
thetimfactor
2006-09-16, 14:13
Logfile of HijackThis v1.99.1
Scan saved at 10:12:58 PM, on 16/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153320235156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322467781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
thetimfactor
2006-09-16, 14:15
Really its awesome help. So grateful
pskelley
2006-09-16, 14:27
Thanks for that information, you are sure storing a lot of junk cookies?
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
That information will help you stop if you wish.
Looks like you have a Vundo infection also:
C:\WINDOWS\system32\efcayyw.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
ewido can show it but cannot clean it.
Don't worry about that update.exe, seems it is gone, so the fix must have removed it. Is this a valid program?
C:\PROGRA~1\PRINTV~1\pvmodule.exe if you don't know, check it here:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Let me know about Vundo, I suppose it could be left from an old infection. If you have the trojan, you will know it, it is a great popup creator, especially for the Winfixer junk.
Thanks
pskelley
2006-09-16, 14:37
I just noticed Siri updated and you ran a version of SmitfraudFix before he did.
Changelog:
Version 2.89 (September 16, 2006)
Update: Option 4 Check for Updates added
Version 2.88 (September 14, 2006)
I suggest you delete the old version, download and Search with the new:
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php
If nothing is located, good...if it is, run Clean with the new version to be sure.
I will be away from the computer for several hours at this point.
Thanks
thetimfactor
2006-09-16, 16:49
I did the new SmitFraud Scan and I think what is shows means there is no infection. I included it just in case I am wrong.
I also did a scan on pvmodule.exe and it came up as clean so I did nothing about it. So I don't know where that leaves me. I just got another pop up for "anti virus software"....
SmitFraudFix v2.90
Scan done at 0:35:42.85, Sun 17/09/2006
Run from C:\Documents and Settings\Tim\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tim\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Tim\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
pskelley
2006-09-16, 17:03
Leaves you with a very probable Vundo infection, if I posted this link before, I apologize, many logs at many sites confuses even me at times.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
I am not going to rename HJT to see the infection, no doubt it is there.
Notice how often Siri has to update, by the time I looked and you got to the download, it was updated again, hard to stay ahead of these hackers. I encourage you to complain in the links I provided earlier, these hackers need to find themselves behind bars for a while.
Please follow the directions carefully, sometimes it takes several runs to delete the junk. If it is a new file, you will see it can't kill it the first time, but usually will the second. I also encourage you to take the time to upload the file to Atribune so it can be added to the fix. Here we go:
Thanks to Atribune and any others who helped with this fix.
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Thanks...let's hope this is the last infection
thetimfactor
2006-09-18, 05:19
Juat about to do those thigns but a quick question: what is Siri and what do you mean that he updated before I downloaded? Thanks again
-Tim
pskelley
2006-09-18, 12:00
We should be done with his software, but Siri is the creator of Smitfraudfix that is widely in use just now around the world as a tool to remove that infection. I have little information about the creator other than my personal knowledge that his tool has helped countless folks with this junk. I posted a link in these instructions: 2006-09-16, 08:37
The hackers constantly change the junk to stay ahead of the tools we use, it is all about $$, they care only for the checks in their mailboxes, not about you, your computer or your privacy and Siri must constantly update the fix as they do to cleanly remove the junk.
It may be Vundo was bundled with the same infection, I do not know, but Smitfraudfix does not remove it.
I hope this helps.
thetimfactor
2006-09-19, 13:04
VundoFix V6.1.5
Checking Java version...
Java version is 1.5.0.3
Scan started at 7:59:57 PM 19/09/2006
Listing files found while scanning....
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.tmp
C:\WINDOWS\system32\winmfu32.dll
VundoFix V6.1.5
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.8
Scan started at 8:41:34 PM 19/09/2006
Listing files found while scanning....
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.tmp
C:\WINDOWS\system32\winmfu32.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\ssttt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\tttss.bak1
C:\WINDOWS\system32\tttss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\tttss.bak2
C:\WINDOWS\system32\tttss.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\tttss.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\tttss.tmp
C:\WINDOWS\system32\tttss.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\winmfu32.dll
C:\WINDOWS\system32\winmfu32.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.1.5
Checking Java version...
Java version is 1.5.0.6
Java version is 1.5.0.8
Scan started at 8:50:01 PM 19/09/2006
Listing files found while scanning....
C:\WINDOWS\system32\ssttt.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\ssttt.dll Has been deleted!
Performing Repairs to the registry.
Done!
thetimfactor
2006-09-19, 13:05
Logfile of HijackThis v1.99.1
Scan saved at 9:03:24 PM, on 19/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {145C1296-2E74-4BE7-983E-3BC9E7B85E9D} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ephosedp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153320235156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322467781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
pskelley
2006-09-19, 13:59
As you can see, the Vundo trojan was there and the tool removed it.
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {145C1296-2E74-4BE7-983E-3BC9E7B85E9D} - C:\WINDOWS\system32\ssttt.dll (file missing)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt1.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ephosedp.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\PROGRAM FILES~1\PRINTV~1\ <<< delete that folder
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post a new HJT log and please let me know how the computer is running now.
Thanks
thetimfactor
2006-09-22, 11:20
I could not delete the folder C:\PROGRA~1\PRINTV~1\ as it told me I could not. I don't know why. Any ideas?
Heres the log though
Logfile of HijackThis v1.99.1
Scan saved at 7:18:59 PM, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ephosedp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153320235156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322467781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
pskelley
2006-09-22, 11:42
Yeah, lot's of them, don't know what one will work though. Work with me here, I am on my first cup of coffee and want to be sure you checked and the item is bad. I asked you to scan the item here: 2006-09-16, 08:27 and may be overlooking it but can't find a response. Could be me, it's a long log. I have asked several folks for info about this program, but it seems I never got it. Since it is running from C:\Program Files\ right click it and give me all the information on the properties so I can see what it is again. Not much information when I Google it. Once you are sure you want it gone, start by looking in Add Remmove programs, if it is there, use the uninstaller. If not, open HJT > Misc tool section > Open process manager > Locate the item and Kill Process, then navigate to the C:\Program Files\ folder and delete it.
If that does not work, then download, read the tutorial, and use this tool:
http://forum.malwareremoval.com/viewtopic.php?t=320
You also have this dead line, remove it with HJT:
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\ephosedp.dll (file missing)
You are getting close so I am going to post this information for you now so you can benefit from the feedback from these experts.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Keep me posted...thanks
thetimfactor
2006-09-22, 13:39
Yes I did do a scan on that file and posted that none of the programs said it was harmful. However, it is not something I installed, so deleting it is not a problem.
I was actually able to delete it after using Hijack This to turn if off via the Process Manager.
Other than that the computer is working much better now. Norton Anti Virus actually detected another Vundo Virus and deleted it yesterday (even after I used the Vundo Fix) but I think that is gone too. Here is the Hijack this log just in case I am missing something.
Alo, thankyou for those links on keeping the system clean too.
Logfile of HijackThis v1.99.1
Scan saved at 9:36:02 PM, on 22/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Anvshell.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Anvshell] C:\WINDOWS\Anvshell.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1153320235156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153322467781
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
pskelley
2006-09-22, 14:09
OK and thanks for the feedback, your log looks clean, do you remember any specific about the Vundo Norton caught? It could have been coming in and Norton stopped it, hard to believe is on the computer. You may want to discuss reinstalling Norton with Tech Support. You had some nasty infections and they can and will corrupt antivirues and firewalls. I'll let tashi:) know she can close the topic. Be careful, it is a cyber-jungle out there.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
thetimfactor
2006-09-23, 04:30
Great. I'll let you know if I have anymore problems but thanks for the help. Seems to be good again.
pskelley
2006-09-23, 10:45
tashi:) this topic can be closed when time permits.
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Cheers