Popup problems



Thungal
2006-11-06, 01:21
I used Spybot S&D in safe mode, I've also installed and use AVG Free anti-virus and AVG anti-malware.

Here's my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:04:35 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\octeltpop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Xfire\Xfire.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dndradio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O4 - HKLM\..\Run: [1pop06apelt3] C:\WINNT\octeltpop.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsregt.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149727753828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

I got a panda online scan, that log is here:

Incident Status Location

Spyware:Spyware/Media-motor Not disinfected c:\winnt\octeltpop.exe
Spyware:spyware/media-motor Not disinfected c:\winnt\unstall.exe
Adware:adware/pornmagpass Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\John Brannan\Cookies\john_brannan@mediaplex[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\John Brannan\Cookies\john_brannan@zedo[1].txt
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b103.exe[stub_109_4_0_4_0.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b103.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/ISearch Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b104.exe[MTE3MTk6ODoxNg.exe]
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b104.exe[²ÜÇ\nsRandom.dll]
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b111.exe
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\b116.exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\GLF57GLF57.EXE
Adware:Adware/PCodec Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temp\nsz38.tmp\nsRandom.dll
Adware:Adware/YazzleSudoku Not disinfected C:\Documents and Settings\John Brannan\Local Settings\Temporary Internet Files\Content.IE5\R0KU3ZTT\116[1].net
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\em\dohancer\whCC-GIANT3.exe[whiehlpr.dll]
Adware:Adware/WebHancer Not disinfected C:\WINNT\hancerdoem.exe[whCC-GIANT3.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\WINNT\hancerdoem.exe[whCC-GIANT3.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\WINNT\hancerdoem.exe[whCC-GIANT3.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\WINNT\hancerdoem.exe[whCC-GIANT3.exe][whiehlpr.dll]
Adware:Adware/DigInk Not disinfected C:\WINNT\Setup90.exe[Sos28.exe]
Adware:Adware/DigInk Not disinfected C:\WINNT\Setup90.exe[TagASaurus.exe]
Adware:Adware/CommAd Not disinfected C:\WINNT\Sm9obiBCcmFubmFu\mA6Cv21FwAIRvAIR.vbs
Possible Virus. Not disinfected C:\WINNT\system32\efcdbxw.dll
Possible Virus. Not disinfected C:\WINNT\Temp\win4E.tmp.exe


please help me

pskelley
2006-11-06, 16:08
Welcome to the forum, you have some junk that needs to go, let's give this a try for starters:

1) TeaTimer will block the changes we must make, turn it off until you are done:
http://russelltexas.com/malware/teatimer.htm

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) AVG Anti-Spyware 7.5 >>> follow the directions in this link, do not run the program until I ask you to. You must Deactivate the Resident Shield or it will block the fix, all other instructions must be followed. You must delete what it finds or at least quarantine the junk. To ignore it would be a waste of time.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [1pop06apelt3] C:\WINNT\octeltpop.exe
O4 - Startup: TA_Start.lnk = C:\WINNT\system32\dwdsregt.exe
(remove the next advanced option if you did not set it)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINNT\octeltpop.exe <<< delete this file

C:\WINNT\system32\dwdsregt.exe <<< delete this file

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

8) Run AVG Anti-Spyware according to the directions I posted.

9) You may have a hidden Vundo infection? Please return to here: C:\hijackthis\HijackThis.exe <<< right click on the .exe and rename it to say Thungal.exe or whatever you wish. Restart the computer and post the scan results from AVG Anti-Spyware and a new HJT log.

You have an out of date Java program, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date, please update that right away and uninstall any old versions in Add Remove programs.

Thanks

Thungal
2006-11-07, 02:34
4) AVG Anti-Spyware 7.5 >>> follow the directions in this link, do not run the program until I ask you to. You must Deactivate the Resident Shield or it will block the fix, all other instructions must be followed. You must delete what it finds or at least quarantine the junk. To ignore it would be a waste of time.


Did you forget to put in a link to a tutorial here or am I just reading this statement wrong? Seems like you reference a link about the AVG program that I don't know about.

Also, I've already installed AVG free anti-virus and AVG 7.5 anti-spyware prior to finding this forum. Do I need to disable them in order for the cleaning or anything like that?

Sorry if I'm misunderstanding this, and I'll wait until your next reply to continue so I can follow the proper steps.

thanks again

pskelley
2006-11-07, 03:17
Please accept my apology :oops: seems I did neglect to post the link:
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/
John McKenna has made a good tutorial, just use it so you will know the steps to take to get the best cleaning with the tool. If other questions come up, please do not hesitate to post them. I am in Clearwater, Fla. EST and will be down now until AM.

Do I need to disable them in order for the cleaning or anything like that?

You need to follow the directions to Deactivate the Resident Shield, it will block the changes you need to make.

Sorry again...Phil

Thungal
2006-11-07, 07:49
6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINNT\octeltpop.exe <<< delete this file

C:\WINNT\system32\dwdsregt.exe <<< delete this file


OK, so after I checked all those and hit fix in HJT I went searching for these two files you told me to delete. I have deleted octeltpop.exe but I looked and looked for the other file where it's supposed to be and found nothing. :sad:
Does this mean it has been hidden elsewhere or did HJT delete it for me?
Sorry if I seem slow, but I'm just trying to make sure I follow the steps exactly correct heh.

I'll check back here when I get up in the morning

pskelley
2006-11-07, 13:11
It is no problem that you are checking, but please remember I can not check without seeing a HJT log. I need this information:

results from AVG Anti-Spyware and a new HJT log.
Unfortunately the hackers do all they can to keep the junk on your computer and there is no "exact" way to remove it, and it often requires multiple tools and attempts. I will know more once you have followed all of the directions and posted these reports.

Thanks

Thungal
2006-11-07, 18:38
Ok, I've completed all the steps given.
Here's my AVG scan report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:27:34 AM 11/7/2006

+ Scan result:



C:\Program Files\VSAdd-in\VSAdd-in.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP166\A0017981.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP169\A0021951.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP160\A0016149.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP160\A0016193.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP163\A0016383.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP165\A0016485.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP165\A0016550.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP165\A0016612.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP166\A0016667.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP166\A0016722.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP166\A0016810.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5321BDF0-1861-466C-903C-2E6BE9B61F4A}\RP166\A0016895.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
C:\WINNT\system32\ismini.exe -> Downloader.Zlob.auv : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.35:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.36:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.29:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.20:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.53:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.27:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.41:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.32:C:\Documents and Settings\John Brannan\Application Data\Mozilla\Firefox\Profiles\triyqsl4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINNT\system32\tgvxfawo.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end

And here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:34:34 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Xfire\Xfire.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\Thungal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dndradio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A619B9A-9EFB-4051-B1AB-5F501F772C9F} - C:\WINNT\system32\mlljg.dll
O2 - BHO: (no name) - {2B9DA7D2-4552-4767-BB31-055B8D4868B4} - (no file)
O2 - BHO: (no name) - {46F93E08-EF9D-6877-10F2-0B01E0A9F5A8} - C:\WINNT\system32\cpmkrxm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {78B7F77B-334F-4478-99E9-5239DBC28CA4} - (no file)
O2 - BHO: (no name) - {DA81857D-CE11-46E3-913E-A16CFD494C68} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\tgvxfawo.dll (file missing)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINNT\system32\rqrpmjk.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149727753828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O20 - Winlogon Notify: mlljg - C:\WINNT\system32\mlljg.dll
O20 - Winlogon Notify: rqrpmjk - C:\WINNT\SYSTEM32\rqrpmjk.dll
O20 - Winlogon Notify: wincsg32 - wincsg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

What's next?

pskelley
2006-11-07, 18:58
OK and thanks, now you can see the Vundo infection:
O2 - BHO: (no name) - {1A619B9A-9EFB-4051-B1AB-5F501F772C9F} - C:\WINNT\system32\mlljg.dll
O20 - Winlogon Notify: mlljg - C:\WINNT\system32\mlljg.dll

and a bunch of other junk the hacker was hiding from us. So you will understand, Atribune's fix may not know the name of the file the first time (hackers keep changing the junk) but it will learn. Look at the report it creates, you want all of the files VundoFix locates to show they were "Deleted". Then move on to the next instructions.

1) Before you start, please make sure to Deactivate the Resident Shield, it will block the changes you must make.
http://www.virusvault.co.uk/fusionbb/showtopic.php?tid/33/

Thanks to Atribune and any others who helped with this fix.

2) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

(Hold the logs until you finish the instructions)

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {1A619B9A-9EFB-4051-B1AB-5F501F772C9F} - C:\WINNT\system32\mlljg.dll
(should say (file missing))
O2 - BHO: (no name) - {2B9DA7D2-4552-4767-BB31-055B8D4868B4} - (no file)
O2 - BHO: (no name) - {46F93E08-EF9D-6877-10F2-0B01E0A9F5A8} - C:\WINNT\system32\cpmkrxm.dll
O2 - BHO: (no name) - {78B7F77B-334F-4478-99E9-5239DBC28CA4} - (no file)
O2 - BHO: (no name) - {DA81857D-CE11-46E3-913E-A16CFD494C68} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\tgvxfawo.dll (file missing)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINNT\system32\rqrpmjk.dll
(next three may be gone?)
O20 - Winlogon Notify: mlljg - C:\WINNT\system32\mlljg.dll
O20 - Winlogon Notify: rqrpmjk - C:\WINNT\SYSTEM32\rqrpmjk.dll
O20 - Winlogon Notify: wincsg32 - wincsg32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINNT\SYSTEM32\rqrpmjk.dll <<< delete that file if there

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the C:\vundofix.txt and a new HiJackThis log and let me know how the computer is running now.

Thanks
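The pattern pskelley reads out of the log above (an unnamed O2 BHO in system32 paired with an O20 Winlogon Notify entry for the same DLL, plus orphaned entries and O15 Trusted Zone additions) can be checked mechanically. The following triage script is an added example, not code from the thread or from HijackThis/VundoFix; the sample lines are copied from the logs posted above, and the severity labels are the example's own assumption.

```python
"""Triage helper for HijackThis v1.99 log lines (added example).

Flags the indicators discussed in this thread: unnamed O2 BHOs loaded
from system32, O20 Winlogon Notify entries sharing a DLL with a BHO
(the Vundo pairing), orphaned entries, and O15 Trusted Zone additions.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity line reason")

# Constructed sample: a subset of the HJT lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A619B9A-9EFB-4051-B1AB-5F501F772C9F} - C:\WINNT\system32\mlljg.dll
O2 - BHO: (no name) - {2B9DA7D2-4552-4767-BB31-055B8D4868B4} - (no file)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINNT\system32\tgvxfawo.dll (file missing)
O2 - BHO: (no name) - {F7999166-FDE6-49DA-9AFC-1F6A79E9D1F2} - C:\WINNT\system32\rqrpmjk.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: mlljg - C:\WINNT\system32\mlljg.dll
O20 - Winlogon Notify: rqrpmjk - C:\WINNT\SYSTEM32\rqrpmjk.dll
O20 - Winlogon Notify: wincsg32 - wincsg32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
"""

BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
TRUSTED_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)")

MISSING_MARKERS = ("(no file)", "(file missing)")


def is_missing(path):
    """True when HJT reports the referenced file as absent from disk."""
    return any(marker in path for marker in MISSING_MARKERS)


def dll_basename(path):
    """Lower-cased file name of an HJT path, with the missing marker stripped."""
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    return path.strip().rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of Finding for the suspicious lines in an HJT log."""
    bho_dlls = {}    # basename -> log line, for BHO DLLs that exist on disk
    notifies = []    # (line, path) for O20 entries, matched after the pass
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if is_missing(path):
                findings.append(Finding("low", line, "orphaned BHO entry, no file on disk"))
            else:
                bho_dlls[dll_basename(path)] = line
                # Unnamed BHO loaded from system32: the indicator the helper
                # points to in this thread as the visible sign of Vundo.
                if name == "(no name)" and "\\system32\\" in path.lower():
                    findings.append(Finding("high", line, "unnamed BHO loaded from system32"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append((line, m.group("path")))
            continue
        if TRUSTED_RE.match(line):
            findings.append(Finding("medium", line,
                                    "Trusted Zone entry; adware adds these, verify it is intended"))
    # Second pass: a Winlogon Notify DLL that is also registered as a BHO
    # is the pairing pskelley highlights (mlljg.dll in this thread).
    for line, path in notifies:
        if is_missing(path):
            findings.append(Finding("low", line, "orphaned Winlogon Notify entry"))
        elif dll_basename(path) in bho_dlls:
            findings.append(Finding("high", line,
                                    "Winlogon Notify DLL also registered as a BHO (Vundo pairing)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```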

Thungal
2006-11-07, 19:44
OK, here's the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:42:41 AM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\Thungal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dndradio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402C1B91-4DBC-4708-9524-7753DC629ECF} - C:\WINNT\system32\sstts.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149727753828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

and here's the VundoFix log:

VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.9

Scan started at 11:10:25 AM 11/7/2006

Listing files found while scanning....

C:\WINNT\system32\cpmkrxm.dll
C:\WINNT\system32\nrmyram.dll
C:\WINNT\system32\mlljg.dll
C:\WINNT\system32\gjllm.ini
C:\WINNT\system32\gjllm.bak1
C:\WINNT\system32\gjllm.bak2

Beginning removal...

Attempting to delete C:\WINNT\system32\cpmkrxm.dll
C:\WINNT\system32\cpmkrxm.dll Has been deleted!

Attempting to delete C:\WINNT\system32\nrmyram.dll
C:\WINNT\system32\nrmyram.dll Has been deleted!

Attempting to delete C:\WINNT\system32\mlljg.dll
C:\WINNT\system32\mlljg.dll Could not be deleted.

Attempting to delete C:\WINNT\system32\gjllm.ini
C:\WINNT\system32\gjllm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\gjllm.bak1
C:\WINNT\system32\gjllm.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\gjllm.bak2
C:\WINNT\system32\gjllm.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.9

Scan started at 11:16:51 AM 11/7/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.9

Scan started at 11:20:56 AM 11/7/2006

Listing files found while scanning....

C:\WINNT\system32\sstts.dll
C:\WINNT\system32\sttss.ini
C:\WINNT\system32\sttss.bak1

Beginning removal...

Attempting to delete C:\WINNT\system32\sstts.dll
C:\WINNT\system32\sstts.dll Has been deleted!

Attempting to delete C:\WINNT\system32\sttss.ini
C:\WINNT\system32\sttss.ini Has been deleted!

Attempting to delete C:\WINNT\system32\sttss.bak1
C:\WINNT\system32\sttss.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.9

Scan started at 11:26:59 AM 11/7/2006

Listing files found while scanning....

C:\WINNT\system32\mlljg.dll
C:\WINNT\system32\gjllm.ini
C:\WINNT\system32\gjllm.bak1

Beginning removal...

Attempting to delete C:\WINNT\system32\mlljg.dll
C:\WINNT\system32\mlljg.dll Has been deleted!

Attempting to delete C:\WINNT\system32\gjllm.ini
C:\WINNT\system32\gjllm.ini Has been deleted!

Attempting to delete C:\WINNT\system32\gjllm.bak1
C:\WINNT\system32\gjllm.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2006-11-07, 20:03
Thanks for returning the information, we missed one:

Turn off the Guard function in AVG Anti-Spyware or it may block the change.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {402C1B91-4DBC-4708-9524-7753DC629ECF} - C:\WINNT\system32\sstts.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Let me see a last HJT log and please tell me how the computer is running now. Then you can do this:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

If your computer is back to normal, I will wish you safe surfing and ask tashi:) to close your topic when time permits.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
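The O2 line above is an orphaned Browser Helper Object: the CLSID is still registered under HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects, but the DLL it points at has already been deleted by VundoFix, which is why HijackThis reports "(file missing)" and why fixing the line only has a registry key to remove. The script below is an added example, not part of this thread or of HijackThis; it parses a HijackThis 1.99-style log offline and flags the two patterns worth a second look in this thread: O2 entries whose DLL is gone or that carry no name, and O4 Run entries that launch an .exe sitting directly in the Windows directory rather than a subfolder. The sample log is constructed for the example (the `xyzloader` entry is hypothetical; the O2 line is the one quoted in the post), and the rules are this example's heuristics, not HijackThis's own logic.

```python
"""Offline triage of a HijackThis 1.99.x log (added example, not HJT code).

Heuristics used here (this example's assumptions):
  1. An O2 BHO line ending in "(file missing)" is an orphaned CLSID: the
     registration under BHO_KEY survives but its DLL is gone. Fixing the
     O2 line in HijackThis removes that registration.
  2. An O2 BHO reported as "(no name)" has no description; worth checking.
  3. An O4 Run value that starts an .exe located directly in C:\WINNT or
     C:\WINDOWS (not a subfolder) is unusual for legitimate software.
"""
import re
from dataclasses import dataclass

BHO_KEY = (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer"
           r"\Browser Helper Objects")

# O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
# An .exe directly under the Windows directory, optionally quoted,
# followed by end of string or arguments.
WINROOT_EXE_RE = re.compile(
    r'^"?[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\"]+\.exe"?(\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # "orphaned_bho", "unnamed_bho" or "winroot_autostart"
    line: str    # the log line that triggered the finding
    detail: str  # what to look at / what a fix would touch


def triage(log_text: str) -> list[Finding]:
    """Return findings for every suspicious O2/O4 line in the log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("missing"):
                findings.append(Finding(
                    "orphaned_bho", line,
                    f"{BHO_KEY}\\{m.group('clsid')} still references missing "
                    f"{m.group('path')}; fixing the O2 line removes that key"))
            if m.group("name") == "(no name)":
                findings.append(Finding(
                    "unnamed_bho", line,
                    f"BHO {m.group('clsid')} has no registered description"))
            continue
        m = O4_RE.match(line)
        if m and WINROOT_EXE_RE.match(m.group("cmd")):
            findings.append(Finding(
                "winroot_autostart", line,
                f"{m.group('hive')} Run value '{m.group('key')}' starts "
                f"{m.group('cmd')} from the Windows directory itself"))
    return findings


# Constructed sample log for the example; the "xyzloader" entry is hypothetical.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {402C1B91-4DBC-4708-9524-7753DC629ECF} - C:\WINNT\system32\sstts.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [xyzloader] C:\WINNT\xyzloader.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    {f.detail}")
```

Run it against a saved hijackthis.log instead of the sample by passing the file's contents to `triage()`; the "winroot_autostart" rule deliberately ignores anything under system32, so legitimate entries such as ctfmon.exe are not reported.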

Thungal
2006-11-07, 21:44
here's the HJT log that you requested:
Logfile of HijackThis v1.99.1
Scan saved at 1:41:41 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\Thungal.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dndradio.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149727753828
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/teleport/MaxisSimCity4LotTeleX.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINNT\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


And, my computer seems to be back to normal and running well. I haven't seen a popup at all, Thanks for the help. :bigthumb:

Let me know if it looks all clean before I ask for the post to be closed. Thanks again.

pskelley
2006-11-07, 21:47
Looks good :bigthumb: thanks. Be careful...it is a cyber-jungle out there. tashi:) will close you in a few days.