View Full Version : Command Service Help



a.lewis
2006-09-17, 22:19
Any help removing this would be appreciated... :)
Logfile of HijackThis v1.99.1
Scan saved at 20:55:01, on 17/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\vmnat.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Softwin\BitDefender8\bdmcon.exe
E:\Program Files\Softwin\BitDefender8\bdnagent.exe
E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
E:\WINDOWS\vsnpstd.exe
E:\Program Files\LClock\LClock.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
E:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
E:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\svchost.exe
E:\Documents and Settings\USER\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BDMCon] "E:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [snpstd] E:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LClock] E:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [Ultimate Defender] "E:\Program Files\Ultimate Defender\App.exe" hide
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe
O4 - Startup: .protected
O4 - Startup: Stardock ObjectDock.lnk = E:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: Y'z ToolBar.lnk = E:\WINDOWS\BricoPacks\Vista Inspirat\YzToolbar\YzToolBar.exe
O4 - Global Startup: .protected
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72216D7-B87B-4BB8-AFED-81F7A07CCDA6}: NameServer = 62.6.40.178 194.72.9.38
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - E:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
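The log above is the kind a forum helper reads by eye: O4 Run-key entries, O21 ShellServiceObjectDelayLoad (SSODL) entries and O23 services are the usual persistence points, and a few patterns in them stand out immediately. The following script is an added example, not something posted in this thread or shipped with HijackThis; it encodes those reading heuristics as code and runs them over an excerpt of the log above. Everything it flags is marked "review" or "info", not "malicious": the heuristics (an 8-hex-digit executable launched from Local Settings\Application Data, a startup item named .protected, an SSODL CLSID with no file behind it, a service with a missing binary) are assumptions about what deserves a second look, and the O23 rule encodes the known HijackThis 1.99 behaviour of splitting a quoted ImagePath with arguments so that a present binary is reported as (file missing).

```python
"""Triage heuristics for HijackThis 1.99.x log lines (added example, not from the original thread)."""
import re
from dataclasses import dataclass

# One HijackThis entry: section code, " - ", body. Header and "Running processes" lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A path component of exactly eight hex digits plus .exe (heuristic: dropper-style random file name).
HEX_EXE_RE = re.compile(r"\\[0-9a-f]{8}\.exe\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    severity: str   # "review": investigate before acting; "info": confirm, usually benign
    reason: str
    line: str


def triage_line(line: str) -> list:
    """Apply the heuristics to a single log line; returns [] for lines that trip nothing."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found = []

    def add(severity, reason):
        found.append(Finding(section, severity, reason, line))

    if section == "O4":
        # Run value pointing at a random-looking binary inside the user's profile data folder.
        if "Local Settings\\Application Data\\" in body and HEX_EXE_RE.search(body):
            add("review", "Run entry launches an 8-hex-digit executable from the user profile")
        # Startup-folder item literally named .protected; SmitFraudFix removes these as rogue-antispyware residue.
        if re.search(r"Startup: \.protected$", body):
            add("review", "startup item named .protected")
    elif section == "O21" and body.endswith("(no file)"):
        # SSODL loads at Explorer start; a CLSID with no file is either an orphan or a hidden/rootkit-protected DLL.
        add("review", "SSODL entry whose CLSID resolves to no file")
    elif section == "O23" and "(file missing)" in body:
        if re.search(r'\.exe" /\w+ \(file missing\)$', body):
            # Known HijackThis 1.99 quirk: a quoted ImagePath with arguments is split at the quote,
            # so the reported path is wrong and "(file missing)" is usually spurious.
            add("info", "quoted service path with arguments mis-split by HijackThis; confirm the binary exists")
        else:
            add("review", "service binary missing from disk")
    elif section == "O17":
        # DNS servers are a hijack target; they should belong to the ISP or the local router.
        add("info", "DNS servers configured; confirm they belong to the ISP")
    return found


def triage_log(text: str) -> list:
    """Run triage_line over every line of a pasted HijackThis log."""
    findings = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


def severity_counts(findings) -> dict:
    counts = {"review": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Excerpt of the HijackThis log posted above (copied, not invented), used as sample input.
SAMPLE_LOG = r"""
E:\WINDOWS\System32\smss.exe
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe
O4 - Startup: .protected
O4 - Startup: Stardock ObjectDock.lnk = E:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Global Startup: .protected
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72216D7-B87B-4BB8-AFED-81F7A07CCDA6}: NameServer = 62.6.40.178 194.72.9.38
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run against the excerpt it reports four "review" lines (the d35e4bec.exe Run entry, both .protected startup items and the orphaned SSODL CLSID) and two "info" lines (the O17 name servers and the mis-split BitDefender service path); the NVIDIA entries, the `UserInit` line and the `KernelFaultCheck` entry trip nothing. The point of the severity split is the caveat a helper applies anyway: a heuristic hit is a reason to look at the file, its signer and its creation time, not a removal decision.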

pskelley
2006-09-20, 01:56
Welcome to the forum, if you still need help:

1) I need to know what program and what exactly it is finding in reference to the Command Service Help you posted.

2) Follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button.

Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.

Thanks...pskelley
Safer Networking Forums

If you would like to let your thoughts be known about the lowlifes who put that junk on your computer, you can do that here:
If you have been infected by one of the SpyAxe family
http://forums.tomcoyote.org/index.php?showtopic=58063
http://www.malwarecomplaints.info/

a.lewis
2006-09-20, 05:01
Thanks for your response. I have taken the steps you requested and posted the 3 logs below:


SmitFraudFix v2.94

Scan done at 2:01:40.81, 20/09/2006
Run from E:\Documents and Settings\USER\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

E:\WINDOWS\.protected Deleted
E:\WINDOWS\system32\ixt?.dll Deleted
E:\WINDOWS\system32\ot.ico Deleted
E:\DOCUME~1\USER\FAVORI~1\Antivirus Test Online.url Deleted
E:\DOCUME~1\USER\STARTM~1\Programs\Startup\.protected Deleted
E:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
E:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
E:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 03:38:16 20/09/2006

+ Scan result:



E:\WINDOWS\system32\opnkkji.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Synacast\SynaLive\EvID4226Patch.exe -> Backdoor.Virkel.A : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-15688be2.zip/Matrix.class -> Downloader.OpenStream.c : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\Cache\400E58DCd01 -> Not-A-Virus.Constructor.Win32.QQRob.e : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Desktop\Desktop\ppstreamsetup.exe -> Not-A-Virus.Constructor.Win32.QQRob.e : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-78b480fc.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-28679adb-78b480fc.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-26b4e669.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bae16f0-26b4e669.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-3381b66f.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv698.jar-2ad2754e-15688be2.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Ignored.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDEBWTM7\getSite[1].js -> Not-A-Virus.Exploit.IframeJS : Ignored.
:mozilla.27:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.22:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.2o7 : Cleaned.
:mozilla.5:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\USER\Cookies\user@122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\USER\Cookies\user@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\USER\Cookies\user@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
E:\Documents and Settings\USER\Cookies\user@powellsbooks.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.50:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.50:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.50:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Adbrite : Cleaned.
:mozilla.51:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Adbrite : Cleaned.
E:\Documents and Settings\USER\Cookies\user@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
E:\Documents and Settings\USER\Cookies\user@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.40:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.40:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Adtech : Cleaned.
:mozilla.40:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Adtech : Cleaned.
:mozilla.41:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.41:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Adtech : Cleaned.
:mozilla.41:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Adtech : Cleaned.
:mozilla.17:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.25:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.25:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.25:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Atdmt : Cleaned.
:mozilla.6:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.89:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
E:\Documents and Settings\USER\Cookies\user@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.50:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.51:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.93:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.94:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Clickzs : Cleaned.
:mozilla.6:C:\Documents and Settings\Default User.WINNT\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.6:C:\Documents and Settings\SYSTEM\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.7:C:\Documents and Settings\Default User.WINNT\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.7:C:\Documents and Settings\SYSTEM\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned.
E:\Documents and Settings\USER\Cookies\user@com[1].txt -> TrackingCookie.Com : Cleaned.
E:\Documents and Settings\USER\Cookies\user@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.18:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.24:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.24:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.24:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.9:C:\Documents and Settings\Default User.WINNT\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.9:C:\Documents and Settings\SYSTEM\Application Data\Mozilla\Firefox\Profiles\7aw09qfc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.196:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.197:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.198:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.199:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.200:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.52:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.52:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Euroclick : Cleaned.
:mozilla.52:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Euroclick : Cleaned.
:mozilla.53:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.53:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Euroclick : Cleaned.
:mozilla.53:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Euroclick : Cleaned.
:mozilla.54:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.54:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Euroclick : Cleaned.
:mozilla.54:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.

a.lewis
2006-09-20, 05:02
E:\Documents and Settings\USER\Cookies\user@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.10:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.6:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.7:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.8:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.9:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
E:\Documents and Settings\USER\Cookies\user@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.171:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.58:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.58:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Hotlog : Cleaned.
:mozilla.58:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Hotlog : Cleaned.
E:\Documents and Settings\USER\Cookies\user@server.lon.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.169:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
E:\Documents and Settings\USER\Cookies\user@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.53:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.54:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.55:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Planetactive : Cleaned.
:mozilla.55:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Planetactive : Cleaned.
:mozilla.55:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Planetactive : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
E:\Documents and Settings\USER\Cookies\user@ads.planetactive[2].txt -> TrackingCookie.Planetactive : Cleaned.
:mozilla.28:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.29:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.30:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.36:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.36:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.36:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.37:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.37:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.37:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.38:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.38:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.38:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.76:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.76:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.76:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.77:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.77:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.77:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.78:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.78:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.78:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.79:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.79:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.79:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.80:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.80:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.80:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.81:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.81:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.81:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Reliablestats : Cleaned.
E:\Documents and Settings\USER\Cookies\user@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.10:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.10:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.10:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.11:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.11:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.11:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.15:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.6:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.6:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.7:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.7:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.7:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.8:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.8:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.8:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.9:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.9:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.9:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Serving-sys : Cleaned.
E:\Documents and Settings\USER\Cookies\user@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
E:\Documents and Settings\USER\Cookies\user@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.121:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.122:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.55:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.148:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.149:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.96:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.97:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
E:\Documents and Settings\USER\Cookies\user@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
E:\Documents and Settings\USER\Cookies\user@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned.
:mozilla.68:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:E:\Documents and Settings\USER\Application Data\Mozilla\Firefox\Profiles\lukryvje.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:E:\RECYCLER\NPROTECT\00007060.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.70:E:\RECYCLER\NPROTECT\00007100.MOZ -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.71:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Mozilla\Firefox\Profiles\0o1ex79q.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.97:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.98:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.99:C:\Documents and Settings\Administrator.AUDIOX.000\Application Data\Netscape\NSB\Profiles\ksv1bnuo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX.000\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator.AUDIOX\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Documents and Settings\USER\Cookies\user@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
E:\Documents and Settings\USER\Cookies\user@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

a.lewis
2006-09-20, 05:03
Logfile of HijackThis v1.99.1
Scan saved at 03:54:14, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
E:\WINDOWS\vsnpstd.exe
E:\Program Files\LClock\LClock.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Hijackthis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [snpstd] E:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LClock] E:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - E:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe




Thanks again.

pskelley
2006-09-20, 11:42
Thanks for returning your information; it is important that you read and follow all directions. The information I requested in item one is not included; please provide that information.

ewido: E:\WINDOWS\system32\opnkkji.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
This is a problem: ewido cannot clean the Vundo infection. We will need to run another tool to rid you of it. You should be experiencing popups from this trojan, probably directing you to rogue products like Winfixer.

You have chosen to ignore numerous items in the scan; they are probably bad. An exploit does not have to be a virus to be bad. My suggestion would be to run ewido again and at least quarantine the junk. You can empty the quarantine folder after a couple of days, when you are sure you don't need the junk.

E:\RECYCLER\NPROTECT\ <<< delete the contents of that Norton Recycle Bin:
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam

You are storing a lot of cookies you don't need to store; here is information to help you control that if you wish:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx

http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

Thanks to Atribune and any others who helped with this fix. Follow the directions exactly; if the fix does not recognize a file, it may take several attempts to delete it. You need to see NO files that were not deleted.

1) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

Hold the two logs mentioned above until the end of the instructions.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only", then check the box in front of these line items:

O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked".

5) RIGHT-click on Start, then click on Explore. Locate and delete these items:

(may be gone; just DO NOT miss it)

E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the C:\vundofix.txt and a new HiJackThis log. Let me know how the computer is running now. Include the information about the command item I requested.

Thanks
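
An added example (not from this thread, and not HijackThis code) that parses O4 autostart lines like the ones in the logs above and flags the kind of entry singled out in step 4: an executable registered from a user-profile directory under a random-looking name, or one whose target is already gone. The sample O4 lines are copied from the log posted in this thread; the "(file missing)" variant, the O23 line and the three heuristics are this example's own constructions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: O4 lines copied from the HijackThis log posted in this
# thread, plus one constructed "(file missing)" variant of the bad entry and
# one non-O4 line to show that the parser ignores it.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LClock] E:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [d35e4bec.exe] E:\Documents and Settings\USER\Local Settings\Application Data\d35e4bec.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"  (registry Run/RunOnce keys;
# the "O4 - Startup:" folder variants are not handled here)
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# First program-like token of the command line, quoted or not, spaces allowed.
IMAGE_RE = re.compile(
    r'^(?P<image>.+?\.(?:exe|dll|com|scr|bat|cmd|pif|vbs|js))(?=["\s,]|$)', re.IGNORECASE
)
HEX_STEM_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
# Directories a normal installer does not register autostarts from (assumption).
USER_DIRS = ('\\documents and settings\\', '\\local settings\\',
             '\\application data\\', '\\temp\\', '\\recycler\\')


@dataclass
class AutostartEntry:
    hive: str
    key: str
    name: str
    command: str
    image: str            # executable the command launches, quotes removed
    file_missing: bool    # HijackThis appends "(file missing)" when the target is gone
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Parse one O4 line; return None for anything that is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd').strip()
    missing = cmd.endswith('(file missing)')
    img = IMAGE_RE.match(cmd.lstrip('"'))
    image = img.group('image') if img else cmd.strip('"')
    return AutostartEntry(m.group('hive'), m.group('key'), m.group('name'),
                          cmd, image, missing)


def assess(entry: AutostartEntry) -> AutostartEntry:
    """Attach a reason for every heuristic the entry trips."""
    lowered = entry.image.lower()
    if any(d in lowered for d in USER_DIRS):
        entry.reasons.append('launched from a user-profile or temp directory')
    stem = re.split(r'[\\/]', entry.image)[-1].rsplit('.', 1)[0]
    if HEX_STEM_RE.match(stem):
        entry.reasons.append('random-looking 8-hex-digit file name')
    if entry.file_missing:
        entry.reasons.append('target no longer exists (orphaned Run value)')
    return entry


def scan_log(text: str) -> List[AutostartEntry]:
    """All O4 Run entries in a HijackThis log, assessed."""
    entries = (parse_o4(line) for line in text.splitlines())
    return [assess(e) for e in entries if e is not None]


def flag_suspicious(text: str) -> List[AutostartEntry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in scan_log(text) if e.reasons]


if __name__ == '__main__':
    for e in flag_suspicious(SAMPLE_LOG):
        print(f'{e.hive}\\..\\{e.key} [{e.name}] -> {e.image}')
        for r in e.reasons:
            print('    ', r)
```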

a.lewis
2006-09-20, 18:42
I have taken the steps you mentioned and the system is definitely better; the pop-ups have stopped and my homepage has been restored.

Command Service is being found by Spybot, which is unable to remove it.

Occasionally the system seems to run slow, as if something else is using resources.

Also, as you will see from the log, Vundo was unable to remove

E:\WINDOWS\system32\mljgg.dll


Thanks for your assistance.




VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:13:24 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.bak1
E:\WINDOWS\system32\ggjlm.bak2

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\ggjlm.bak1
E:\WINDOWS\system32\ggjlm.bak1 Has been deleted!

Attempting to delete E:\WINDOWS\system32\ggjlm.bak2
E:\WINDOWS\system32\ggjlm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:18:55 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:23:40 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 17:45:10, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
E:\WINDOWS\vsnpstd.exe
E:\Program Files\LClock\LClock.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [snpstd] E:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LClock] E:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72216D7-B87B-4BB8-AFED-81F7A07CCDA6}: NameServer = 62.6.40.178 194.72.9.38
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - E:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe

pskelley
2006-09-20, 19:09
Thanks for the feedback; this is probably the item that is causing your problem:
E:\WINDOWS\system32\mljgg.dll <<< did you upload it so Atribune could add it to the fix?
If not, please do so; it is a very simple process: if there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

You have an old version of Java on the computer, which is why you are infected by the junk in the first place: Java version is 1.4.2.3
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2

Start > Control Panel > Add/Remove Programs and uninstall that old version, then try the fix again; that file must be deleted. If VundoFix will not remove it (it will once Atribune has had time to add it, which might take a day or so), then try this:

How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\mljgg.dll
and click on it once, and then click on the Open button. If you can't locate it, then just copy/paste the complete bolded pathway into the HJT tool. If it kills it, the item will appear like this: (file missing), and then it can be removed with HJT.

I should mention that if you uploaded that file earlier, Atribune has probably added it, try the fix again, if it is added it will delete it.

Your HJT log is clean, just this one more nasty file and you will be on the road.
_____________________________________________________________

This will fix the command.exe issue, which is a leftover from another program (probably Ad-aware?) in the registry; it is doing no harm, but this script will fix it.

Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted!

http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip

Open the ren-cmdservice folder by double-clicking it, and then double-click the ren-cmdservice.bat file to run the program.
A text file will open when it is finished; post it please.
Then restart the PC, run Spybot, and check for and fix any problems found.

Post a new HJT log and the results of the VundoFix showing a clean log.

Thanks
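
What "Delete a file on reboot" relies on underneath, as an added example that is not from this thread or from HijackThis: Windows' MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request under the Session Manager's PendingFileRenameOperations value, and the deletion is carried out at the next boot, before a DLL loaded into winlogon or Explorer can be mapped again (the reason it cannot be deleted while the session runs). That HijackThis uses exactly this call is an assumption; the queuing and registry-reading functions only run on Windows, while the decoder of the registry value, which lets you check what has actually been queued, runs anywhere, and the sample value is constructed.

```python
import ctypes
import sys
from typing import List, Optional, Sequence, Tuple

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004
PENDING_KEY = r'SYSTEM\CurrentControlSet\Control\Session Manager'
PENDING_VALUE = 'PendingFileRenameOperations'
NT_PREFIX = '\\??\\'          # Windows stores the paths in NT object-manager form

PendingOp = Tuple[str, str, Optional[str]]   # (operation, source, destination)


def queue_delete_on_reboot(path: str) -> None:
    """Ask Windows to delete `path` during the next boot (needs admin rights).
    A NULL destination together with MOVEFILE_DELAY_UNTIL_REBOOT means delete."""
    if sys.platform != 'win32':
        raise OSError('MoveFileExW is only available on Windows')
    kernel32 = ctypes.WinDLL('kernel32', use_last_error=True)
    kernel32.MoveFileExW.argtypes = (ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32)
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


def read_pending_operations() -> List[str]:
    """Raw REG_MULTI_SZ strings of the pending-operations value (Windows only)."""
    if sys.platform != 'win32':
        raise OSError('registry access is only available on Windows')
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:     # nothing queued: the value does not exist
            return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


def _strip_nt_prefix(p: str) -> str:
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def decode_pending_operations(strings: Sequence[str]) -> List[PendingOp]:
    """Turn the multi-string into (operation, source, destination) triples.
    The value is a flat list of source/destination pairs: an empty destination
    means delete, a leading '!' on the destination means replace-existing."""
    ops: List[PendingOp] = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if dst == '':
            ops.append(('delete', _strip_nt_prefix(src), None))
        elif dst.startswith('!'):
            ops.append(('replace', _strip_nt_prefix(src), _strip_nt_prefix(dst[1:])))
        else:
            ops.append(('move', _strip_nt_prefix(src), _strip_nt_prefix(dst)))
    return ops


def pending_deletes(strings: Sequence[str]) -> List[str]:
    """Just the paths that will be removed at the next boot."""
    return [src for op, src, _ in decode_pending_operations(strings) if op == 'delete']


# Constructed sample of the value after queuing the DLL from this thread, plus
# a made-up installer replace-on-reboot pair to show the other encoding.
SAMPLE_VALUE = [
    '\\??\\E:\\WINDOWS\\system32\\mljgg.dll', '',
    '\\??\\C:\\Program Files\\Example\\new.dll.tmp',
    '!\\??\\C:\\Program Files\\Example\\app.dll',
]

if __name__ == '__main__':
    # On Windows, after queue_delete_on_reboot(r'E:\WINDOWS\system32\mljgg.dll'),
    # read_pending_operations() returns the live value; here decode the sample.
    for op, src, dst in decode_pending_operations(SAMPLE_VALUE):
        print(f'{op:8} {src}' + (f' -> {dst}' if dst else ''))
```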

a.lewis
2006-09-20, 21:12
Hi


I uploaded the file earlier as requested and installed the latest version of Java.

I have still been unable to remove C:\WINDOWS\SYSTEM32\mljgg.dll; when I try to use the delete on reboot tool in HijackThis, the program either closes or no dialog is displayed allowing me to select the file.

The 'command service' issue has been resolved.


Thanks.




VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:13:24 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.bak1
E:\WINDOWS\system32\ggjlm.bak2

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Attempting to delete E:\WINDOWS\system32\ggjlm.bak1
E:\WINDOWS\system32\ggjlm.bak1 Has been deleted!

Attempting to delete E:\WINDOWS\system32\ggjlm.bak2
E:\WINDOWS\system32\ggjlm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:18:55 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.4.2.3

Java version is 1.5.0.8

Scan started at 12:23:40 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!



Logfile of HijackThis v1.99.1
Scan saved at 20:06:36, on 20/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ewido anti-spyware 4.0\guard.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
E:\WINDOWS\system32\vmnat.exe
E:\WINDOWS\system32\vmnetdhcp.exe
E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
E:\WINDOWS\vsnpstd.exe
E:\Program Files\LClock\LClock.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\ewido anti-spyware 4.0\ewido.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
E:\Program Files\Messenger\msmsgs.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Conexant\AccessRunner ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [snpstd] E:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [LClock] E:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Corel Photo Downloader] E:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!ewido] "E:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] E:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "E:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game09.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C72216D7-B87B-4BB8-AFED-81F7A07CCDA6}: NameServer = 62.6.40.178 194.72.9.38
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - E:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\system32\vmnat.exe

a.lewis
2006-09-20, 21:17
Sorry, wrong Vundo log posted; this is the correct one...

VundoFix V6.1.5

Checking Java version...

Scan started at 19:00:46 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Scan started at 19:04:48 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Scan started at 19:09:34 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.1.5

Checking Java version...

Java version is 1.5.0.6

Scan started at 19:48:05 20/09/2006

Listing files found while scanning....

E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\ggjlm.ini

Beginning removal...

Attempting to delete E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\mljgg.dll Could not be deleted.

Attempting to delete E:\WINDOWS\system32\ggjlm.ini
E:\WINDOWS\system32\ggjlm.ini Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2006-09-20, 21:51
Could you boot to safe mode and see if you can delete that one file manually?
E:\WINDOWS\system32\mljgg.dll
Let me know what happens. I will contact the creator and ask if he got that file.
I posted for information and will let you know as soon as I hear. If Atribune should post to your topic, I would appreciate it if you would give him your full cooperation.

Let me know what happens, thanks.

a.lewis
2006-09-20, 23:57
I've tried to delete the file manually with no success.

Thanks.

pskelley
2006-09-21, 01:11
Thanks for the feedback. I am interested in what you are being told when you try to delete it; are you doing this in safe mode? Let's try other tools while we wait for information from Atribune.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

If the log is large, you might need to post half in one reply and half in another.

Thanks

a.lewis
2006-09-21, 01:19
Yes, I have tried to remove the file in safe mode but get a prompt on screen saying that the file is in use.

Thanks



USER - 06-09-21 0:17:05.34 Service Pack 2
ComboFix 06.09.20 - Running from: "E:\Documents and Settings\USER\Desktop"
Command switches used ::

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\components
E:\Program Files\Common Files\{937C4FB1-0919-1033-0804-04020404002c}


((((((((((((((((((((((((((((((( Files Created from 2006-08-21 to 2006-09-21 ))))))))))))))))))))))))))))))))))


2006-09-20 01:30 94,720 --a------ E:\WINDOWS\system32\CNMLM3A.DLL
2006-09-20 01:30 5,632 --a------ E:\WINDOWS\system32\CNMVS3A.DLL
2006-09-20 01:30 36,864 --a------ E:\WINDOWS\system32\CNMCP3A.EXE
2006-09-20 01:30 306,688 --a------ E:\WINDOWS\IsUninst.exe
2006-09-19 13:59 127,208 --a------ E:\WINDOWS\system32\mucltui.dll
2006-09-18 19:11 91,904 --a------ E:\WINDOWS\system32\S32EVNT1.DLL
2006-09-17 19:27 577,588 --------- E:\WINDOWS\system32\mljgg.dll
2006-09-16 01:31 88 -r-hs---- E:\WINDOWS\system32\BD1425BDA1.sys
2006-09-16 01:31 3,766 --ahs---- E:\WINDOWS\system32\KGyGaAvL.sys
2006-08-31 14:39 2,560 --a------ E:\WINDOWS\_MSRSTRT.EXE


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-21 00:17 -------- d-------- E:\Program Files\Common Files
2006-09-21 00:14 -------- d-------- E:\Documents and Settings\USER\Application Data\MailWasherPro
2006-09-20 20:06 -------- d-------- E:\Program Files\Hijackthis
2006-09-20 19:24 -------- d-------- E:\Program Files\Java
2006-09-20 19:23 -------- d-------- E:\Program Files\Common Files\Java
2006-09-20 17:52 -------- d-------- E:\Program Files\ewido anti-spyware 4.0
2006-09-20 04:08 -------- d-------- E:\Program Files\Mozilla Firefox
2006-09-19 23:25 -------- d-------- E:\Documents and Settings\USER\Application Data\Corel
2006-09-19 19:28 -------- d-------- E:\Program Files\Microsoft Baseline Security Analyzer 2
2006-09-18 21:22 -------- d-------- E:\Program Files\Common Files\Symantec Shared
2006-09-18 19:38 -------- d-------- E:\Program Files\Norton SystemWorks
2006-09-18 19:38 -------- d-------- E:\Documents and Settings\USER\Application Data\Symantec
2006-09-18 19:25 -------- d-------- E:\Program Files\SymNetDrv
2006-09-18 19:25 -------- d-------- E:\Program Files\Symantec
2006-09-18 19:11 4608 --a------ E:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-18 19:08 -------- d-------- E:\Program Files\Common Files\Softwin
2006-09-18 15:12 -------- d-------- E:\Program Files\Outlook Express
2006-09-18 15:12 -------- d-------- E:\Program Files\Internet Explorer
2006-09-18 13:11 -------- d-------- E:\Documents and Settings\USER\Application Data\Talkback
2006-09-17 19:27 -------- d-------- E:\Documents and Settings\USER\Application Data\Lavasoft
2006-09-16 21:01 -------- d-------- E:\Documents and Settings\USER\Application Data\LimeWire
2006-09-16 20:47 -------- d-------- E:\Program Files\LimeWire
2006-09-16 01:37 -------- d-------- E:\Program Files\Corel
2006-09-16 01:36 -------- d-------- E:\Program Files\Common Files\Corel
2006-09-15 22:52 124016 --a------ E:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-14 22:43 -------- d-------- E:\Documents and Settings\USER\Application Data\Google
2006-09-14 22:38 -------- d-------- E:\Program Files\Google
2006-09-14 21:01 -------- d-------- E:\Documents and Settings\USER\Application Data\Sun
2006-09-13 01:14 -------- d-------- E:\Program Files\Windows Journal Viewer
2006-09-13 01:14 -------- d-------- E:\Program Files\Common Files\Microsoft Shared
2006-08-31 14:51 -------- d-------- E:\Program Files\Common Files\InstallShield
2006-08-31 14:39 2560 --a------ E:\WINDOWS\_MSRSTRT.EXE
2006-08-31 14:38 -------- d-------- E:\Program Files\Opera
2006-08-31 14:36 -------- d-------- E:\Program Files\Common Files\System
2006-08-30 10:25 -------- d-------- E:\Program Files\MSN Messenger
2006-08-23 08:58 -------- d-------- E:\Program Files\MailWasher
2006-08-21 13:21 16896 --a------ E:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ E:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ E:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 13:57 -------- d-------- E:\Documents and Settings\USER\Application Data\Real
2006-08-16 13:53 -------- d-------- E:\Program Files\Real
2006-08-16 13:53 -------- d-------- E:\Program Files\Common Files\xing shared
2006-08-16 13:53 -------- d-------- E:\Program Files\Common Files\Real
2006-08-16 13:44 -------- d-------- E:\Program Files\Windows Media Player
2006-08-02 10:36 -------- d-------- E:\Program Files\XviD
2006-08-02 10:36 -------- d-------- E:\Program Files\Webteh
2006-08-02 09:10 -------- d-------- E:\Program Files\DivX
2006-07-29 19:32 48936 --a------ E:\WINDOWS\system32\sirenacm.dll
2006-07-27 14:39 679424 --a------ E:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:26 72704 --a------ E:\WINDOWS\system32\hlink.dll
2006-07-19 00:14 520192 --a------ E:\WINDOWS\system32\DivXsm.exe
2006-07-19 00:13 3596288 --a------ E:\WINDOWS\system32\qt-dx331.dll
2006-07-19 00:13 200704 --a------ E:\WINDOWS\system32\ssldivx.dll
2006-07-19 00:13 1044480 --a------ E:\WINDOWS\system32\libdivx.dll
2006-07-19 00:09 90112 --a------ E:\WINDOWS\system32\dpl100.dll
2006-07-19 00:09 778240 --a------ E:\WINDOWS\system32\divx_xx0c.dll
2006-07-19 00:09 778240 --a------ E:\WINDOWS\system32\divx_xx07.dll
2006-07-19 00:09 761856 --a------ E:\WINDOWS\system32\divx_xx11.dll
2006-07-19 00:09 620180 --a------ E:\WINDOWS\system32\DivX.dll
2006-07-19 00:09 593920 --a------ E:\WINDOWS\system32\dpuGUI11.dll
2006-07-19 00:09 57344 --a------ E:\WINDOWS\system32\dpv11.dll
2006-07-19 00:09 53248 --a------ E:\WINDOWS\system32\dpuGUI10.dll
2006-07-19 00:09 344064 --a------ E:\WINDOWS\system32\dpus11.dll
2006-07-19 00:09 294912 --a------ E:\WINDOWS\system32\dpu11.dll
2006-07-19 00:09 294912 --a------ E:\WINDOWS\system32\dpu10.dll
2006-07-19 00:09 200704 --a------ E:\WINDOWS\system32\dtu100.dll
2006-07-19 00:09 12288 --a------ E:\WINDOWS\system32\DivXWMPExtType.dll
2006-07-19 00:09 118784 --a------ E:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-06-22 06:06 69120 --a------ E:\WINDOWS\system32\ciodm.dll
2006-06-22 06:06 1435648 --a------ E:\WINDOWS\system32\query.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"swg"="E:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"Norton SystemWorks"="\"E:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CnxDslTaskBar"="E:\\Program Files\\Conexant\\AccessRunner ADSL\\CnxDslTb.exe"
"snpstd"="E:\\WINDOWS\\vsnpstd.exe"
"LClock"="E:\\Program Files\\LClock\\LClock.exe"
"NvCplDaemon"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE E:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"E:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Corel Photo Downloader"="E:\\Program Files\\Corel\\Corel Snapfire\\Corel Photo Downloader.exe"
"ccApp"="\"E:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="E:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"!ewido"="\"E:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"SunJavaUpdateSched"="E:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
"nlsf"=hex(2):63,6d,64,2e,65,78,65,20,2f,43,20,6d,6f,76,65,20,2f,59,20,22,25,\
53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,79,73,73,\
65,74,75,62,2e,64,6c,6c,22,20,22,25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,\
79,73,74,65,6d,33,32,5c,73,79,73,73,65,74,75,70,2e,64,6c,6c,22,00
"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\
33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInstrumentation"=dword:00000001
"NoSMHelp"=dword:00000001
"StartMenuLogoff"=dword:00000001
"ForceStartMenuLogoff"=dword:00000000
"NoSMMyDocs"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDesktopCleanupWizard"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInstrumentation"=dword:00000001
"NoSMHelp"=dword:00000001
"StartMenuLogoff"=dword:00000001
"ForceStartMenuLogoff"=dword:00000000
"NoSMMyDocs"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoInstrumentation"=dword:00000001
"NoSMHelp"=dword:00000001
"StartMenuLogoff"=dword:00000001
"ForceStartMenuLogoff"=dword:00000000
"NoSMMyDocs"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"NoUserNameInStartMenu"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgg
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjyg32

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
E:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - USER.job
E:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
E:\WINDOWS\tasks\Symantec Drmc.job

Completion time: 21/09/2006 0:18:11.46
ComboFix.txt

pskelley
2006-09-21, 01:52
Thanks for that feedback. This tool did not delete anything, and I can see the item in the list of recently installed files. I checked a few with Google and got little or no information. I would like you to use the free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
Use one or more to find out if the file is bad. You can delete anything it says is bad, though you will probably need to do it in safe mode. I am surprised the Vundo file will not let you remove it in safe mode; nothing should be running?

Here are the files to check; check them carefully. I have no way of knowing from here if they are good or bad.
E:\WINDOWS\system32\CNMLM3A.DLL
E:\WINDOWS\system32\CNMVS3A.DLL
E:\WINDOWS\system32\CNMCP3A.EXE
E:\WINDOWS\IsUninst.exe
E:\WINDOWS\system32\mucltui.dll
E:\WINDOWS\system32\S32EVNT1.DLL
E:\WINDOWS\system32\mljgg.dll
E:\WINDOWS\system32\BD1425BDA1.sys
E:\WINDOWS\system32\KGyGaAvL.sys
E:\WINDOWS\_MSRSTRT.EXE

When you are finished, give me a list of the BAD files that you could not delete. If you are undecided whether a file is bad, post the results of the scan for me to look at.

Thanks

a.lewis
2006-09-21, 03:23
I scanned the files you requested and the only one which comes up as bad is:

E:\WINDOWS\system32\mljgg.dll


AntiVir reports it as Trojan/Vundo.Gen

Norman Virus Control reports it as W32/Vundo.gen1


As I mentioned I have tried to remove it in safe mode with no luck.


Thanks again.

pskelley
2006-09-21, 11:40
Thanks for that information. I wish I was sitting in front of the computer, but I am not. I am interested in the message you receive when you try to delete it. I have never had a Vundo file this resistant.

I have not heard from the creator of Vundofix yet, so let's try another Vundo removal program:

Please download VirtumundoBeGone:
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
* Save it to the Desktop
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the Desktop
* Follow the directions as indicated

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process.
Do not be concerned.
Just reboot if your system "jams".

To confirm successful deletion, and determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It is found on the Desktop.

Let me know how it goes...thanks

a.lewis
2006-09-21, 13:22
I think we may have had some success this time, but I'll let you interpret the scan results.

Thanks again.

[09/21/2006, 12:12:41] - VirtumundoBeGone v1.5 ( "E:\Documents and Settings\USER\Desktop\VirtumundoBeGone.exe" )
[09/21/2006, 12:12:45] - Detected System Information:
[09/21/2006, 12:12:45] - Windows Version: 5.1.2600, Service Pack 2
[09/21/2006, 12:12:45] - Current Username: USER (Admin)
[09/21/2006, 12:12:45] - Windows is in NORMAL mode.
[09/21/2006, 12:12:45] - Searching for Browser Helper Objects:
[09/21/2006, 12:12:45] - BHO 1: {022A9F22-B4A8-4593-801D-A7A60277705E} ()
[09/21/2006, 12:12:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:12:45] - Checking for HKLM\...\Winlogon\Notify\mljgg
[09/21/2006, 12:12:45] - Found: HKLM\...\Winlogon\Notify\mljgg - This is probably Virtumundo.
[09/21/2006, 12:12:45] - Assigning {022A9F22-B4A8-4593-801D-A7A60277705E} MSEvents Object
[09/21/2006, 12:12:45] - BHO list has been changed! Starting over...
[09/21/2006, 12:12:45] - BHO 1: {022A9F22-B4A8-4593-801D-A7A60277705E} (MSEvents Object)
[09/21/2006, 12:12:45] - ALERT: Found MSEvents Object!
[09/21/2006, 12:12:45] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/21/2006, 12:12:45] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/21/2006, 12:12:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:12:45] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/21/2006, 12:12:45] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/21/2006, 12:12:45] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/21/2006, 12:12:45] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[09/21/2006, 12:12:45] - BHO 6: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/21/2006, 12:12:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:12:45] - Checking for HKLM\...\Winlogon\Notify\ixt1
[09/21/2006, 12:12:45] - Key not found: HKLM\...\Winlogon\Notify\ixt1, continuing.
[09/21/2006, 12:12:45] - BHO 7: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/21/2006, 12:12:45] - BHO 8: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/21/2006, 12:12:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:12:45] - Checking for HKLM\...\Winlogon\Notify\amkrevvq
[09/21/2006, 12:12:45] - Key not found: HKLM\...\Winlogon\Notify\amkrevvq, continuing.
[09/21/2006, 12:12:45] - BHO 9: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[09/21/2006, 12:12:45] - Finished Searching Browser Helper Objects
[09/21/2006, 12:12:45] - *** Detected MSEvents Object
[09/21/2006, 12:12:45] - Trying to remove MSEvents Object...
[09/21/2006, 12:12:46] - Terminating Process: IEXPLORE.EXE
[09/21/2006, 12:12:46] - Terminating Process: RUNDLL32.EXE
[09/21/2006, 12:12:46] - Disabling Automatic Shell Restart
[09/21/2006, 12:12:46] - Terminating Process: EXPLORER.EXE
[09/21/2006, 12:12:47] - Suspending the NT Session Manager System Service
[09/21/2006, 12:12:47] - Terminating Windows NT Logon/Logoff Manager
[09/21/2006, 12:18:15] - Re-enabling Automatic Shell Restart
[09/21/2006, 12:18:15] - File to disable: E:\WINDOWS\system32\mljgg.dll
[09/21/2006, 12:18:15] - Renaming E:\WINDOWS\system32\mljgg.dll -> E:\WINDOWS\system32\mljgg.dll.vir
[09/21/2006, 12:18:15] - File successfully renamed!
[09/21/2006, 12:18:15] - Removing HKLM\...\Browser Helper Objects\{022A9F22-B4A8-4593-801D-A7A60277705E}
[09/21/2006, 12:18:15] - Removing HKCR\CLSID\{022A9F22-B4A8-4593-801D-A7A60277705E}
[09/21/2006, 12:18:15] - Adding Kill Bit for ActiveX for GUID: {022A9F22-B4A8-4593-801D-A7A60277705E}
[09/21/2006, 12:18:15] - Deleting ATLEvents/MSEvents Registry entries
[09/21/2006, 12:18:15] - Removing HKLM\...\Winlogon\Notify\mljgg
[09/21/2006, 12:18:15] - Searching for Browser Helper Objects:
[09/21/2006, 12:18:15] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[09/21/2006, 12:18:15] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/21/2006, 12:18:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:18:15] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/21/2006, 12:18:15] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/21/2006, 12:18:15] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/21/2006, 12:18:15] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[09/21/2006, 12:18:15] - BHO 5: {a43385f0-7113-496d-96d7-b9b550e3fcca} ()
[09/21/2006, 12:18:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:18:15] - Checking for HKLM\...\Winlogon\Notify\ixt1
[09/21/2006, 12:18:15] - Key not found: HKLM\...\Winlogon\Notify\ixt1, continuing.
[09/21/2006, 12:18:15] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/21/2006, 12:18:15] - BHO 7: {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} ()
[09/21/2006, 12:18:15] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/21/2006, 12:18:15] - Checking for HKLM\...\Winlogon\Notify\amkrevvq
[09/21/2006, 12:18:15] - Key not found: HKLM\...\Winlogon\Notify\amkrevvq, continuing.
[09/21/2006, 12:18:15] - BHO 8: {BDF3E430-B101-42AD-A544-FADC6B084872} (CNavExtBho Class)
[09/21/2006, 12:18:15] - Finished Searching Browser Helper Objects
[09/21/2006, 12:18:15] - Finishing up...
[09/21/2006, 12:18:15] - A restart is needed.
[09/21/2006, 12:19:11] - Attempting to Restart via STOP error (Blue Screen!)

pskelley
2006-09-21, 13:47
I don't use this fix as often, but it appears to have been able to rename the file and then delete it. Are you having any malware problems with the computer? You can run the Vundofix if you wish for a check. It should not find that file anymore. I will post this information for you now.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

If all is well, let me know and I will ask tashi to close the topic.

Thanks...Phil:)

a.lewis
2006-09-21, 21:32
I've been using the PC for most of the day now, and I'm glad to say there are no problems. I did run VundoFix again just to confirm the file had been removed.

Thanks again for taking the time to help me fix all the issues with my PC,

Alan

pskelley
2006-09-21, 21:57
You are sure welcome, glad to hear all is running well again. tashi:) will close the topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

tashi
2006-09-27, 17:11
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.