PDA

View Full Version : pesky popups, panda sez CDT, CommAd, Bravesentry. Help?



53bicycles
2006-10-03, 21:18
Hello all, I've been getting recurring popups that spybot and ad-aware don't seem top find.
A Panda scan led me to Vundo which got fixed. Now Panda tells me I have CDT/Mediatickets, CommAd, and Bravesentry. Spywareguard tells me about a suspicious BHO with a new random # that always loads on reboot. It comes from C;\windows\system32\tuvvv.dll , but SG can't remove it.
Here's my logs, Panda and then HJT
TIA
Mike


Incident Status Location

Adware:adware/mediatickets Not disinfected Windows Registry
Adware:Adware/CommAd Not disinfected C:\WINDOWS\UHJlZmVycmVkIEN1c3RvbWVy\oJL5tApVwAp4KHhYwalSvqpV.vbs
Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\LocalService\Application Data\Install.dat
Logfile of HijackThis v1.99.1
Scan saved at 14:00, on 06-10-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\hijackthis\sihtkcajiH.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {49358033-4C81-3E2F-A7DC-6943C613A2E1} - C:\WINDOWS\System32\yykh.dll (file missing)
R3 - URLSearchHook: (no name) - {D5FAEA83-746A-53CB-1C27-56F00DBF68EC} - C:\WINDOWS\System32\plbsb.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D5DE681-BE11-4F35-805C-6381ADB9A0D4} - C:\WINDOWS\System32\tuvvv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Wallchanger] C:\COPERN32\wallchanger.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Ylghwsn] C:\WINDOWS\SYSTEM32\??mbols\m?dtc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\PHILIP~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\WINDOWS\System32\G7PS.dll
O20 - Winlogon Notify: tuvvv - C:\WINDOWS\System32\tuvvv.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\PHILIP~1\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

pskelley
2006-10-07, 14:09
Welcome to the forum, if you still need help and are not receiving it elsewhere,
you still have a Vundo infection: C:\WINDOWS\System32\tuvvv.dll on this computer and other nasty junk. Please follow these directions carefully.

1) Ad-aware has just updated their data bases and the way they remove the command.exe adware. Please update and run it removing what it locates.

2) Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

3) Thanks to sUBs and anyone who helped with this fix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

Thanks

53bicycles
2006-10-10, 19:16
vundofix did not get tuvvv.dll, but virtumondebegone got it.
Popups are gone but panda says i still have mediatickets/CDT
I submitted it like you requested.
Here are my logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:10, on 06-10-10
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\highsmackdis\sihtkcajiH.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {49358033-4C81-3E2F-A7DC-6943C613A2E1} - C:\WINDOWS\System32\yykh.dll (file missing)
R3 - URLSearchHook: (no name) - {D5FAEA83-746A-53CB-1C27-56F00DBF68EC} - C:\WINDOWS\System32\plbsb.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Wallchanger] C:\COPERN32\wallchanger.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\PHILIP~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\WINDOWS\System32\G7PS.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


VUNDOFIX:

VundoFix V6.1.6
Checking Java version...
Sun Java not detected
Scan started at 21:32:21 06-09-29
Listing files found while scanning....

C:\WINDOWS\SYSTEM32\xelumrco.dll

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\xelumrco.dll
C:\WINDOWS\SYSTEM32\xelumrco.dll Has been deleted!

Performing Repairs to the registry.
Done!


VundoFix V6.1.6
Checking Java version...
Sun Java not detected
Scan started at 18:20:51 06-10-01
Listing files found while scanning....
No infected files were found.

VundoFix V6.1.6
Checking Java version...
Sun Java not detected
Scan started at 12:21:39 06-10-03
Listing files found while scanning....
No infected files were found.

Beginning removal...

VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.9
Scan started at 23:10:18 06-10-04
Listing files found while scanning....
No infected files were found.

VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.9
Scan started at 23:25:46 06-10-04
Listing files found while scanning....
No infected files were found.


VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.9
Scan started at 23:36:13 06-10-04
Listing files found while scanning....
No infected files were found.


Beginning removal...
VundoFix V6.1.6
Checking Java version...
Java version is 1.5.0.9
Scan started at 23:53:40 06-10-04
Listing files found while scanning....
No infected files were found.


COMBOFIX:

P B - 06-10-10 9:11:23.33 Service Pack 1
ComboFix 06.09.27 - Running from: "C:\Documents and Settings\Phil Bin\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-10 to 2006-10-10 ))))))))))))))))))))))))))))))))))


2006-09-27 21:51 21,312 --a------ C:\WINDOWS\choice.exe
2006-09-26 14:27 577,588 --a------ C:\WINDOWS\SYSTEM32\tuvvv.dll.vir


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-05 00:16 -------- d-------- C:\Documents and Settings\Philip Boivin\Application Data\Mozilla
2006-09-28 09:52 -------- d-------- C:\Program Files\Zone Labs
2006-09-28 08:52 778656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-09-28 08:52 4992 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys
2006-09-28 08:52 4288 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys
2006-09-28 08:52 27904 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
2006-09-28 08:52 23104 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avgmfrs.sys
2006-09-28 08:52 -------- d-------- C:\Program Files\Grisoft
2006-09-27 22:05 -------- d-------- C:\Program Files\SpywareGuard
2006-09-27 21:48 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-29 21:31 -------- d-------- C:\Program Files\Lavasoft
2006-08-29 14:37 -------- d-------- C:\Program Files\Conexant Systems, Inc
2006-08-28 23:46 -------- d-------- C:\Program Files\ewido anti-spyware 4.0


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb08.exe"
"DeviceDiscovery"="C:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpotdd01.exe"
"Wallchanger"="C:\\COPERN32\\wallchanger.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\SMARTB~1\\MotiveSB.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,c0,00,00,00,00,00,00,00,00,03,00,00,b2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"SYS004"=dword:00000040
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoUserNameInStartMenu"=dword:00000001
"ClearRecentDocsOnExit"=dword:00000001
"NoDriveAutoRun"=hex:ff,ff,ff,03
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"SYS004"=dword:00000040
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"Btn_Back"=dword:00000000
"Btn_Forward"=dword:00000000
"Btn_Stop"=dword:00000000
"Btn_Refresh"=dword:00000000
"Btn_Home"=dword:00000000
"Btn_Search"=dword:00000000
"Btn_History"=dword:00000000
"Btn_Favorites"=dword:00000000
"Btn_Folders"=dword:00000000
"Btn_Fullscreen"=dword:00000000
"Btn_Tools"=dword:00000000
"Btn_MailNews"=dword:00000000
"Btn_Size"=dword:00000000
"Btn_Print"=dword:00000000
"Btn_Edit"=dword:00000000
"Btn_Discussions"=dword:00000000
"Btn_Cut"=dword:00000000
"Btn_Copy"=dword:00000000
"Btn_Paste"=dword:00000000
"Btn_Encoding"=dword:00000000
"SYS004"=dword:00000040
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiCwd32"="Aticwd32.exe"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM32\\HPScanFix.exe"
"Primax 3-D Mouse"="3dmoused.exe"
"hpsysdrv"="C:\\WINDOWS\\SYSTEM32\\hpsysdrv.exe"
"ATIGART"="c:\\ati\\gart\\atigart.exe"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM32\\STIMON.EXE"
"QAGENT"="C:\\Program Files\\Intuit\\QAgent\\QAGENT.EXE"
"WinampAgent"="\"C:\\PROGRAM FILES\\WINAMP\\WINAMPa.exe\""
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"
"CC2KUI"="C:\\WINDOWS\\SYSTEM\\Comet\\Bin\\comet.exe"
"mdac_runonce"="C:\\WINDOWS\\SYSTEM32\\RUNONCE.EXE"
"WORKFLO"="M:\\BRDJMP\\WORKFLOW.EXE"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"Omnipage"="c:\\Program Files\\ScanSoft\\OmniPagePro11.0\\opware32.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ADUserMon"="C:\\Program Files\\Iomega\\AutoDisk\\ADUserMon.exe"
"Iomega Drive Icons"="C:\\Program Files\\Iomega\\DriveIcons\\ImgIcon.exe"
"Deskup"="C:\\Program Files\\Iomega\\DriveIcons\\deskup.exe /IMGSTART"
"Logitech Utility"="LOGI_MWX.EXE"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Maintenance-Defragment programs.job
C:\WINDOWS\tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\tasks\Symantec Drmc.job

Completion time: 06-10-10 9:19:33.43
ComboFix.txt

53bicycles
2006-10-10, 19:17
VIRTUMONDEBEGONE:

[10/06/2006, 23:04:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Phil Bin\Desktop\VirtumundoBeGone.exe" )
[10/06/2006, 23:04:56] - Detected System Information:
[10/06/2006, 23:04:56] - Windows Version: 5.1.2600, Service Pack 1
[10/06/2006, 23:04:56] - Current Username: Philip Boivin (Admin)
[10/06/2006, 23:04:56] - Windows is in NORMAL mode.
[10/06/2006, 23:04:56] - Searching for Browser Helper Objects:
[10/06/2006, 23:04:56] - BHO 1: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[10/06/2006, 23:04:56] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/06/2006, 23:04:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2006, 23:04:56] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/06/2006, 23:04:56] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/06/2006, 23:04:56] - BHO 3: {6B9A9081-1F41-4366-9D55-9E98CE7462C7} ()
[10/06/2006, 23:04:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2006, 23:04:56] - Checking for HKLM\...\Winlogon\Notify\tuvvv
[10/06/2006, 23:04:56] - Found: HKLM\...\Winlogon\Notify\tuvvv - This is probably Virtumundo.
[10/06/2006, 23:04:56] - Assigning {6B9A9081-1F41-4366-9D55-9E98CE7462C7} MSEvents Object
[10/06/2006, 23:04:56] - BHO list has been changed! Starting over...
[10/06/2006, 23:04:56] - BHO 1: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[10/06/2006, 23:04:56] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/06/2006, 23:04:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2006, 23:04:56] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/06/2006, 23:04:56] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/06/2006, 23:04:56] - BHO 3: {6B9A9081-1F41-4366-9D55-9E98CE7462C7} (MSEvents Object)
[10/06/2006, 23:04:56] - ALERT: Found MSEvents Object!
[10/06/2006, 23:04:56] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2006, 23:04:57] - Finished Searching Browser Helper Objects
[10/06/2006, 23:04:57] - *** Detected MSEvents Object
[10/06/2006, 23:04:57] - Trying to remove MSEvents Object...
[10/06/2006, 23:04:58] - Terminating Process: IEXPLORE.EXE
[10/06/2006, 23:04:59] - Terminating Process: RUNDLL32.EXE
[10/06/2006, 23:05:00] - Disabling Automatic Shell Restart
[10/06/2006, 23:05:00] - Terminating Process: EXPLORER.EXE
[10/06/2006, 23:05:02] - Suspending the NT Session Manager System Service
[10/06/2006, 23:05:03] - Terminating Windows NT Logon/Logoff Manager
[10/06/2006, 23:05:05] - Re-enabling Automatic Shell Restart
[10/06/2006, 23:05:05] - File to disable: C:\WINDOWS\System32\tuvvv.dll
[10/06/2006, 23:05:05] - Renaming C:\WINDOWS\System32\tuvvv.dll -> C:\WINDOWS\System32\tuvvv.dll.vir
[10/06/2006, 23:05:05] - File successfully renamed!
[10/06/2006, 23:05:05] - Removing HKLM\...\Browser Helper Objects\{6B9A9081-1F41-4366-9D55-9E98CE7462C7}
[10/06/2006, 23:05:05] - Removing HKCR\CLSID\{6B9A9081-1F41-4366-9D55-9E98CE7462C7}
[10/06/2006, 23:05:05] - Adding Kill Bit for ActiveX for GUID: {6B9A9081-1F41-4366-9D55-9E98CE7462C7}
[10/06/2006, 23:05:05] - Deleting ATLEvents/MSEvents Registry entries
[10/06/2006, 23:05:05] - Removing HKLM\...\Winlogon\Notify\tuvvv
[10/06/2006, 23:05:05] - Searching for Browser Helper Objects:
[10/06/2006, 23:05:05] - BHO 1: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
[10/06/2006, 23:05:05] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[10/06/2006, 23:05:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/06/2006, 23:05:05] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[10/06/2006, 23:05:05] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[10/06/2006, 23:05:05] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[10/06/2006, 23:05:05] - Finished Searching Browser Helper Objects
[10/06/2006, 23:05:05] - Finishing up...
[10/06/2006, 23:05:05] - A restart is needed.
[10/06/2006, 23:05:17] - Attempting to Restart via STOP error (Blue Screen!)


LATEST PANDA SCAN



Incident Status Location

Adware:adware/mediatickets
Not disinfected
Windows Registry
Adware:Adware/CommAd
Not disinfected
C:\KillBox\oJL5tApVwAp4KHhYwalSvqpV.vbs
Adware:Adware/BraveSentry
Not disinfected
C:\KillBox\Install.dat
Potentially unwanted tool:Application/Processor
Not disinfected
C:\Documents and Settings\Phil Bin\Desktop\VirtumundoBeGone.exe[²ƒÇ]

pskelley
2006-10-11, 13:46
Thanks for that feedback, Vundofix often needs several runs to remove all, but VirtumundoBeGone is the next tool I use if VundoFix can't get it all...thanks.

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

SpywareGuard will block changes we must make, Right click the running icon of Spywareguard in the system tray to open the program. Then go to Menu, File, and choose Exit. It will automatically restart at next boot.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {49358033-4C81-3E2F-A7DC-6943C613A2E1} - C:\WINDOWS\System32\yykh.dll (file missing)
R3 - URLSearchHook: (no name) - {D5FAEA83-746A-53CB-1C27-56F00DBF68EC} - C:\WINDOWS\System32\plbsb.dll (file missing)
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\PHILIP~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
Identified as MediaMotor.n by Spywareblaster

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart your computer and post a new HJT log, let me know about any malware issue.

Thanks

53bicycles
2006-10-12, 03:52
Here's the HJT log.
All seems to be well.
:D:

Logfile of HijackThis v1.99.1
Scan saved at 20:49, on 06-10-11
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\highsmackdis\sihtkcajiH.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Wallchanger] C:\COPERN32\wallchanger.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\WINDOWS\System32\G7PS.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

pskelley
2006-10-13, 13:13
Let me first apologize for the delay in responding. Safer Networking is moving to new servers and all notifications are not working properly during the move. I found your post during a routine check of my open commitments this morning and will respond now...thanks

Thanks for the feedback:bigthumb: and the HJT log clean of malware I would say you are good to go.

Having recently purchase ewido, AVG has updated the scanner and is offering those updates free to folks who have 4.0. This is optional and your call. Be sure to turn it off to save resources if you keep it.

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Safe surfing...tashi:) will close your topic in a few day.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

53bicycles
2006-10-14, 03:54
Thank you very much for your help!
It is a very valuable service you provide here.
you guys are the heroes of the internet
:bigthumb:

LonnyRJones
2006-10-19, 10:31
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).