View Full Version : Lingering virus removal problems
jamesmouse
2006-11-17, 12:40
I reciently removed VUNDO.H TROJAN from my computer. Still having problems with spyware and possible viruses. These are the scans I did.
Hi jamesmouse and welcome to Safer Networking Forums :)
What scans did you run ?
Please follow the following instructions -> "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)
So follow the instructions and post a HijackThis log to here
(Step 4)
jamesmouse
2006-11-18, 07:35
Logfile of HijackThis v1.99.1
Scan saved at 8:57:07 PM, on 11/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.ex
Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please
Reg Entries that were deleted
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...
PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»» Searching by size/names...
»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects.
Directory of C:\WINDOWS\system32
»»»»» Misc files.
jamesmouse
2006-11-18, 08:01
StartupList report, 11/17/2006, 9:54:46 PM
StartupList version: 1.52.2
Started from : C:\DOCUME~1\Owner\LOCALS~1\Temp\QZTEMP\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
G:\ICON.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
G:\ICON.EXE
G:\ICON.EXE
G:\ICON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\QuickZip4\QuickZip.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\QZTEMP\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,lucnbym.exe
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
LogitechVideoRepair = C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Program Files\Logitech\Video\LogiTray.exe
SpyCatcher Reminder = "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
PinnacleDriverCheck = C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
DW4 = "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
iolo Task Agent = C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
Yahoo! Pager = "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=Interceptor.dll
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe,
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - (no file) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll - {0A87E45F-537A-40B4-B812-E2544C21A09F}
(no name) - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll - {1E8A6170-7264-4D0F-BEAE-D42A53123C75}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
(no name) - (no file) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6}
(no name) - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Norton Internet Security - Run Full System Scan - Owner.job
--------------------------------------------------
Enumerating Download Program Files:
[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\Java\classes\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
[SupportSoft RemoteControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ssrc.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/ssrc.cab
[SupportSoft Listener Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sprtctlln.dll
CODEBASE = http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
[Controller Class]
InProcServer32 = C:\WINDOWS\System32\WINSSWEBAGENT.DLL
CODEBASE = https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
[SysData Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\SysInfo.dll
CODEBASE = http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
[WXcom Class]
CODEBASE = http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
[XML DOM Document 4.0]
InProcServer32 = %SystemRoot%\system32\msxml4.dll
CODEBASE = http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
[Java Plug-in 1.3.1_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\npjava131_02.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
[YahooYMailTo Class]
InProcServer32 = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
[Java Plug-in 1.3.1_02]
InProcServer32 = C:\Program Files\JavaSoft\JRE\1.3.1_02\bin\npjava131_02.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
[Java Plug-in 1.4.0_01]
InProcServer32 = C:\Program Files\Java\j2re1.4.0\bin\npjpi140_01.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9.ocx
CODEBASE = https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: *Registry key not found*
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 18,242 bytes
Report generated in 0.078 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
jamesmouse
2006-11-18, 08:18
I think my main problem is I have a file in SystemRoot and all files and folders thats called unvise32.exe with a red circle and red line through the center of circle. I removed another file that looked just like it called [COLOR="Red"]unvise32qt which google says is a virus. I get blue screen error message when i try to use F10 System Recovery. STOP: c000021a {Fatal System Error}
jamesmouse
2006-11-18, 09:55
Hi, I've run spybot 3 times once in SAFE Mode and every time i get 2 entries of Smitfraud and spybot says restart and run again, could not remove this.
Hi again.
None of the HijackThis logs you posted were complete :(
Please post a full HijackThis log beginning from "Logfile of HijackThi...."
(If the log is too long, please use multiple answers)
:bigthumb:
jamesmouse
2006-11-18, 22:28
:oops: :oops: :oops:
jamesmouse
2006-11-19, 03:33
Logfile of HijackThis v1.99.1
Scan saved at 4:24:00 PM, on 11/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
jamesmouse
2006-11-19, 06:09
.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lucnbym.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\RunOnce: [ypagerps] cmd.exe /C del "C:\Program Files\Yahoo!\Messenger\ypagerps.dll"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
jamesmouse
2006-11-19, 06:19
Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) -
scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: Interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: netdns - C:\WINDOWS\
O20 - Winlogon Notify: vbbin - C:\WINDOWS\
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
jamesmouse
2006-11-19, 06:38
Hi, Please egnore Post 13 its a repeat. I'm new at copy and paste. Thanks for your help. James W
Hi again :)
Was that HijackThis log taken from the safe mode ? Next time you post it, do it from the normal mode...
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
jamesmouse
2006-11-19, 12:00
Hi, Thanks for the reply. Yes I believe I did that scan in safe mode. I'll do another in regular mode and post. I ran the VUNDO scan you sugested and it came up with nothing. I was last week getting Winantivirus popups and search the web and found out its a scam with vundo trojan in it. I found VUNDO just by typing in vundo in search in Windows and deleted it.
I was looking around Microsoft downloads today and noticed they have a malware scan I could do. I did that and came up with a little Trojan called Win32/Mimail.gen. I looked at Microsofts asisment of it and they said it was 1st detected about 2 months ago. I looked around Symantech and they had a scan/fix for TROJAN.ALEMOD which was a few years old for Win32/Mimail.gen. It found nothing. I have Norton Internet security installed. Thanks James W
jamesmouse
2006-11-19, 12:22
Logfile of HijackThis v1.99.1
Scan saved at 2:05:55 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lucnbym.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - (no file)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: Interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: netdns - C:\WINDOWS\
O20 - Winlogon Notify: vbbin - C:\WINDOWS\
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi again :)
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
jamesmouse
2006-11-20, 02:06
Owner - 06-11-19 15:36:07.78 Service Pack 2
ComboFix 06.11.19 - Running from: "C:\Documents and Settings\Owner\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\{3C36F5A0-05FC-1033-0821-031113020001}
C:\Program Files\Common Files\{CC36F5A0-05FC-1033-0821-031113020001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\STEM32~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
((((((((((((((((((((((((((((((( Files Created from 2006-10-19 to 2006-11-19 ))))))))))))))))))))))))))))))))))
2006-11-19 10:22 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2006-11-18 20:59 98,304 --a------ C:\WINDOWS\system32\msir3jp.dll
2006-11-18 20:59 838,144 --a------ C:\WINDOWS\system32\chtbrkr.dll
2006-11-18 20:59 70,656 --a------ C:\WINDOWS\system32\korwbrkr.dll
2006-11-18 20:59 1,677,824 --a------ C:\WINDOWS\system32\chsbrkr.dll
2006-11-18 20:58 9,216 --a------ C:\WINDOWS\system32\kbdnecAT.dll
2006-11-18 20:58 7,680 --a------ C:\WINDOWS\system32\kbdnecNT.dll
2006-11-18 20:58 7,168 --a------ C:\WINDOWS\system32\kbdnec95.dll
2006-11-18 20:58 7,168 --a------ C:\WINDOWS\system32\kbdibm02.dll
2006-11-18 20:58 7,168 --a------ C:\WINDOWS\system32\f3ahvoas.dll
2006-11-18 20:58 6,656 --a------ C:\WINDOWS\system32\kbdlk41a.dll
2006-11-18 20:58 6,144 --a------ C:\WINDOWS\system32\kbdlk41j.dll
2006-11-18 20:58 6,144 --a------ C:\WINDOWS\system32\kbdax2.dll
2006-11-18 20:58 6,144 --a------ C:\WINDOWS\system32\kbd106n.dll
2006-11-18 20:58 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2006-11-18 20:58 6,144 --a------ C:\WINDOWS\system32\kbd101.dll
2006-11-18 20:58 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2006-11-18 20:57 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-11-18 20:57 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-11-18 20:57 6,656 --a------ C:\WINDOWS\system32\c_is2022.dll
2006-11-18 20:57 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-11-18 20:57 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-11-18 20:57 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-11-18 20:57 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-11-17 21:25 <DIR> d-------- C:\WINDOWS\Application Data
2006-11-17 19:18 <DIR> d-------- C:\New Folder (2)
2006-11-17 19:17 <DIR> d-------- C:\New Folder
2006-11-17 17:04 <DIR> d-------- C:\Documents and Settings\Owner\.java
2006-11-17 03:13 <DIR> d-------- C:\VundoFix Backups
2006-11-17 02:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-17 02:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-17 01:41 <DIR> d-------- C:\fixwareout
2006-11-15 21:10 60,720 --a------ C:\WINDOWS\system32\drivers\userdump.sys
2006-11-15 21:10 <DIR> d-------- C:\WINDOWS\system32\kktools
2006-11-15 20:57 <DIR> d-------- C:\kktools
2006-11-15 17:03 12,928 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2006-11-15 14:40 <DIR> d-------- C:\WINDOWS\cache
2006-11-14 21:19 31,924 --a------ C:\WINDOWS\system32\drivers\DVC150B.sys
2006-11-14 18:52 458,112 --a------ C:\WINDOWS\system32\drivers\MarvinUsb.sys
2006-11-14 18:52 171,008 --a------ C:\WINDOWS\system32\drivers\MarvinBus.sys
2006-11-14 18:39 <DIR> d-------- C:\Program Files\Pinnacle Systems
2006-11-14 17:45 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2006-11-14 17:45 76,800 --------- C:\WINDOWS\system32\Lfwmf13n.dll
2006-11-14 17:45 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2006-11-14 17:45 73,728 --------- C:\WINDOWS\system32\lffax13n.dll
2006-11-14 17:45 65,536 --------- C:\WINDOWS\system32\Lfpct13n.dll
2006-11-14 17:45 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2006-11-14 17:45 453,120 --------- C:\WINDOWS\system32\ltkrn13n.dll
2006-11-14 17:45 40,960 --------- C:\WINDOWS\system32\langserv.dll
2006-11-14 17:45 393,216 --------- C:\WINDOWS\system32\LFCMP13n.DLL
2006-11-14 17:45 32,768 --------- C:\WINDOWS\system32\MLPagAx.dll
2006-11-14 17:45 30,208 --------- C:\WINDOWS\system32\lfbmp13n.dll
2006-11-14 17:45 294,912 --------- C:\WINDOWS\system32\pvmjpg21.dll
2006-11-14 17:45 278,016 --------- C:\WINDOWS\system32\LFJ2K13n.dll
2006-11-14 17:45 24,576 --------- C:\WINDOWS\system32\lftga13n.dll
2006-11-14 17:45 204,881 --------- C:\WINDOWS\system32\DiskIO.dll
2006-11-14 17:45 18,432 --------- C:\WINDOWS\system32\Cachex.dll
2006-11-14 17:45 155,721 --------- C:\WINDOWS\system32\RALMain.dll
2006-11-14 17:45 153,088 --------- C:\WINDOWS\system32\ltfil13n.DLL
2006-11-14 17:45 143,360 --------- C:\WINDOWS\system32\lftif13n.dll
2006-11-14 17:45 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2006-11-14 17:45 1,693,696 --------- C:\WINDOWS\system32\LTCLR13n.dll
2006-11-14 17:31 <DIR> d-------- C:\Program Files\SmartSound Software
2006-11-14 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SmartSound Software Inc
2006-11-14 17:28 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2006-11-14 17:28 <DIR> d-------- C:\Program Files\QuickTime
2006-11-14 17:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2006-11-14 17:27 14,165 --------- C:\WINDOWS\system32\drivers\Pclepci.sys
2006-11-14 17:22 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-11-14 17:22 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2006-11-14 17:22 19,456 --a------ C:\WINDOWS\system32\asapi.dll
2006-11-14 17:22 11,264 --a------ C:\WINDOWS\system32\drivers\asapiW2k.sys
2006-11-14 17:18 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-11-14 17:18 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2006-11-14 17:18 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2006-11-14 17:15 <DIR> d-------- C:\Program Files\Pinnacle
2006-11-14 17:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Pinnacle
2006-11-14 15:04 307,200 --a-s---- C:\WINDOWS\system32\InterceptHelper.dll
2006-11-14 15:04 176,128 --a-s---- C:\WINDOWS\system32\Interceptor.dll
2006-11-14 15:04 <DIR> d-------- C:\Program Files\SpyCatcher 2006
2006-11-14 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2006-11-14 13:30 <DIR> d-------- C:\Program Files\CyberLink
2006-11-14 10:36 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-11-14 10:36 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-11-14 10:36 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-11-14 10:36 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-11-14 10:36 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-11-14 10:36 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-11-14 10:35 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-11-14 10:18 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-14 09:09 913,280 -ra------ C:\WINDOWS\system32\drivers\LV302AV.SYS
2006-11-14 09:09 7,136 -ra------ C:\WINDOWS\system32\drivers\lv302af.sys
2006-11-14 09:09 372,736 -ra------ C:\WINDOWS\system32\LVUI2RC.dll
2006-11-14 09:09 22,016 -ra------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2006-11-14 09:09 204,800 -ra------ C:\WINDOWS\system32\LVUI2.dll
2006-11-14 09:09 204,800 -ra------ C:\WINDOWS\system32\lvcodec2.dll
2006-11-14 09:09 2,180,096 -ra------ C:\WINDOWS\system32\drivers\LVSVF2.sys
2006-11-14 09:09 106,496 -ra------ C:\WINDOWS\system32\lvcoinst.dll
2006-11-14 09:01 <DIR> d-------- C:\Program Files\Common Files\FotoWire
2006-11-14 09:01 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FotoWire
2006-11-14 08:58 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2006-11-14 08:56 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2006-11-14 08:56 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2006-11-14 08:56 81,920 -r------- C:\WINDOWS\bwUnin-6.1.4.68-8876480L.exe
2006-11-14 08:56 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2006-11-14 08:56 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2006-11-14 08:56 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2006-11-14 08:56 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2006-11-14 08:56 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2006-11-14 08:56 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2006-11-14 08:56 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2006-11-14 08:56 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2006-11-14 08:56 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2006-11-14 08:56 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2006-11-14 08:56 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2006-11-14 08:56 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2006-11-14 06:57 <DIR> d-------- C:\Program Files\The Weather Channel FW
2006-11-14 06:56 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-14 04:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2006-11-13 21:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HP
2006-11-13 21:10 <DIR> d-------- C:\Program Files\Common Files\HP
2006-11-13 20:55 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2006-11-13 20:45 51,120 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys
2006-11-13 20:45 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2006-11-13 20:44 21,744 -ra------ C:\WINDOWS\system32\drivers\HPZius12.sys
2006-11-13 20:43 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-11-13 20:41 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2006-11-13 20:41 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2006-11-13 20:41 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2006-11-13 20:41 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2006-11-13 20:41 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2006-11-13 20:39 <DIR> d-------- C:\Program Files\HP
2006-11-13 16:57 <DIR> d-------- C:\Program Files\XoftSpy
2006-11-13 04:03 59,392 --------- C:\WINDOWS\system32\ltremove.exe
2006-11-13 04:03 <DIR> d-------- C:\WINDOWS\Options
2006-11-13 04:00 9,196,032 --------- C:\WINDOWS\system32\RTLCPL.exe
2006-11-13 04:00 69,632 --------- C:\WINDOWS\soundman.exe
2006-11-13 04:00 57,344 --a------ C:\WINDOWS\ALCXMNTR.EXE
2006-11-13 04:00 40,448 --------- C:\WINDOWS\system32\ChCfg.exe
2006-11-13 04:00 208,896 --------- C:\WINDOWS\alcupd.exe
2006-11-13 04:00 156,672 --------- C:\WINDOWS\system32\RtlCPAPI.dll
2006-11-13 04:00 139,264 --------- C:\WINDOWS\alcrmv.exe
2006-11-13 01:44 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Tenebril
2006-11-13 01:39 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2006-11-13 01:39 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2006-11-13 01:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2006-11-13 01:30 78,488 --a------ C:\WINDOWS\system32\XMD5.dll
2006-11-13 01:30 <DIR> d-------- C:\Program Files\SpywareBot
2006-11-13 01:06 <DIR> d-------- C:\Program Files\Symantec Technical Support
2006-11-13 00:26 <DIR> d-------- C:\Program Files\Norton Internet Security
2006-11-13 00:25 48,768 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-13 00:25 110,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-13 00:24 <DIR> d-------- C:\Program Files\Symantec
2006-11-12 23:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-11-12 23:29 <DIR> d-------- C:\Program Files\Security Task Manager
2006-11-12 20:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2006-11-12 19:11 <DIR> d-------- C:\WINDOWS\WBEM
2006-11-12 19:11 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-12 19:09 <DIR> d--h-c--- C:\WINDOWS\ie7
2006-11-12 19:07 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-11-12 15:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-11-12 15:03 309,248 --a------ C:\WINDOWS\system32\Incinerator.dll
2006-11-12 15:03 <DIR> d-------- C:\Program Files\iolo
2006-11-12 05:22 <DIR> d-------- C:\Program Files\RegistrySmart
2006-11-11 17:09 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-11 17:09 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-11-11 14:32 <DIR> d-------- C:\kav
2006-11-11 10:13 <DIR> d-------- C:\Program Files\Common Files\AOL
2006-11-11 10:13 <DIR> d-------- C:\Program Files\AOL
2006-11-11 10:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Aim
2006-11-11 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2006-11-11 10:12 <DIR> d-------- C:\Program Files\AOD
2006-11-11 10:12 <DIR> d-------- C:\Program Files\AIM
2006-11-11 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-10 21:02 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-11-10 21:01 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-11-10 21:01 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-11-10 21:01 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-11-10 21:01 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-11-10 21:01 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-11-10 21:00 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-11-10 21:00 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-11-10 20:59 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-10 20:59 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-11-10 20:41 <DIR> d-------- C:\Program Files\Common Files\Logitech
2006-11-10 20:40 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-11-10 20:40 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-11-10 20:40 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-11-10 20:40 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-11-10 20:40 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-11-10 20:40 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-11-10 20:40 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-11-10 20:40 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-11-10 20:39 <DIR> d-------- C:\Program Files\Logitech
2006-11-10 18:56 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Paltalk
2006-11-08 18:34 <DIR> d-------- C:\WINDOWS\Paltalk Messenger
2006-11-08 18:34 <DIR> d-------- C:\Program Files\Paltalk Messenger
2006-11-08 16:24 <DIR> d--h----- C:\WINDOWS\PIF
2006-11-08 16:19 <DIR> d-------- C:\WINDOWS\Minidump
2006-11-08 10:53 <DIR> d-------- C:\Program Files\QuickZip4
2006-11-08 10:46 <DIR> d-------- C:\Program Files\EndItAll
2006-11-08 06:15 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-08 06:08 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-11-08 01:37 <DIR> d-------- C:\WINDOWS\Prefetch
2006-11-08 00:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-08 00:38 <DIR> d-------- C:\WINDOWS\provisioning
2006-11-08 00:38 <DIR> d-------- C:\WINDOWS\peernet
2006-11-08 00:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2006-11-08 00:21 <DIR> d-------- C:\WINDOWS\EHome
2006-11-08 00:11 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-11-07 21:54 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-11-07 21:54 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-11-07 21:54 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-11-07 21:41 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-11-07 21:41 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-11-07 21:41 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-11-07 21:41 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-11-07 21:40 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-11-07 21:40 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-11-07 21:40 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-11-07 21:40 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-11-07 21:40 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-11-07 21:40 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-11-07 21:40 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-11-07 21:40 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-11-07 21:40 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-11-07 21:40 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-11-07 21:40 15,120 --
jamesmouse
2006-11-20, 02:14
2006-11-07 21:40 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-07 21:40 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-11-07 21:40 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-11-07 20:56 <DIR> d-------- C:\WINDOWS\CAVTemp
2006-11-06 21:53 <DIR> d-------- C:\WINDOWS\pss
2006-11-06 20:36 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-11-06 20:33 <DIR> drah----- C:\Documents and Settings\Owner\Application Data\yahoo!
2006-11-06 19:42 <DIR> d--hs---- C:\Documents and Settings\Owner\UserData
2006-11-06 17:59 243,824 --a------ C:\WINDOWS\unicows.dll
2006-11-06 17:58 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-11-06 17:53 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2006-11-06 17:52 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2006-11-06 17:51 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2006-11-06 17:51 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2006-11-06 17:51 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-11-06 17:51 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-11-06 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2006-11-06 17:42 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2006-11-06 16:03 275,576 --a------ C:\WINDOWS\system32\drivers\srtspl.sys
2006-11-06 16:03 245,880 --a------ C:\WINDOWS\system32\drivers\srtsp.sys
2006-11-06 16:03 24,184 --a------ C:\WINDOWS\system32\drivers\srtspx.sys
2006-11-05 22:31 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MSN6
2006-11-05 22:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2006-11-05 19:04 <DIR> d-------- C:\WINDOWS\system32\bits
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 10:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-02 12:34 <DIR> d-------- C:\Program Files\Common Files\ozzz
2006-11-02 12:29 <DIR> d-------- C:\WINDOWS\ozzz
2006-11-02 08:04 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-11-02 08:04 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-02 08:04 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-11-02 03:33 <DIR> d-------- C:\Program Files\àdobe
2006-11-02 03:33 <DIR> d-------- C:\Program Files\Common Files\àdobe
2006-11-01 18:10 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-11-01 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2006-11-01 18:04 <DIR> d-------- C:\WINDOWS\EDCD4CE3DE9249A987F9FE09B2FBA16C.TMP
2006-11-01 11:40 <DIR> dr-h----- C:\Documents and Settings\Owner\Recent
2006-11-01 11:40 <DIR> d--hs---- C:\WINDOWS\SmFtZXMgV2FzaGJ1cm4
2006-11-01 11:40 <DIR> d--h----- C:\Config.Msi
2006-11-01 11:40 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-10-31 11:20 969 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-31 11:11 1,259 --a------ C:\WINDOWS\system32\kca8d05e.sys
2006-10-31 10:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-10-31 10:29 <DIR> d--hs---- C:\RECYCLER
2006-10-31 08:44 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-10-31 08:44 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-10-31 08:44 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-31 08:44 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-31 08:40 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-31 08:40 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-31 08:40 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-31 08:40 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-10-31 08:40 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-31 08:40 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-31 08:40 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-10-31 08:32 <DIR> d-------- C:\6in1ico
2006-10-31 08:31 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2006-10-31 08:31 24,576 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys
2006-10-31 08:30 40,960 --a------ C:\WINDOWS\AolCInUn.exe
2006-10-31 08:17 <DIR> d--hs---- C:\System Volume Information
2006-10-31 08:16 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-10-31 08:16 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2006-10-31 08:16 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-10-31 08:16 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-10-31 08:16 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-10-31 08:16 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2006-10-31 08:16 5,376 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2006-10-31 08:16 4,992 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2006-10-31 08:16 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-10-31 08:16 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-10-31 08:16 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-10-31 08:15 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-10-31 08:15 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-10-31 08:15 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-10-31 07:10 <DIR> d-------- C:\i386
2006-10-31 07:02 <DIR> drah----- C:\Documents and Settings\Owner\SendTo
2006-10-31 07:02 <DIR> dra-s---- C:\WINDOWS\assembly
2006-10-31 07:02 <DIR> dra------ C:\WINDOWS\Offline Web Pages
2006-10-31 07:02 <DIR> dra------ C:\Documents and Settings\Owner\My Documents
2006-10-31 07:02 <DIR> dra------ C:\Documents and Settings\Owner\Favorites
2006-10-31 07:02 <DIR> dra------ C:\Documents and Settings\All Users\Documents
2006-10-31 07:02 <DIR> d-ahs---- C:\Program Files\..
2006-10-31 07:02 <DIR> d-ah----- C:\Documents and Settings\Owner\Application Data\.
2006-10-31 07:02 <DIR> d-ah----- C:\Documents and Settings\Owner\Application Data
2006-10-31 07:02 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data\.
2006-10-31 07:02 <DIR> d-ah----- C:\Documents and Settings\All Users\Application Data
2006-10-31 07:02 <DIR> d-a------ C:\Program Files\.
2006-10-31 07:02 <DIR> d-a------ C:\Program Files
2006-10-31 07:02 <DIR> d-a------ C:\Documents and Settings\Owner\Start Menu
2006-10-31 07:02 <DIR> d-a------ C:\Documents and Settings\All Users\Start Menu
2006-10-31 07:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\..
2006-10-31 07:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-10-31 07:00 <DIR> drahsc--- C:\WINDOWS\system32\dllcache
2006-10-27 15:09 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-27 15:09 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-27 15:09 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-27 15:09 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-27 02:44 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-27 15:09 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-27 15:09 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-27 15:09 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-27 02:44 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-27 02:44 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-27 02:44 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-27 02:44 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-27 02:44 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-27 02:44 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system
jamesmouse
2006-11-20, 02:29
2006-10-27 02:44 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-27 02:44 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-27 02:42 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 04:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-09-21 16:42 618328 --a------ C:\WINDOWS\system32\WINSSWEBAGENT.DLL
2006-09-12 21:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-02 11:35 613056 --a------ C:\WINDOWS\system32\SymNeti.dll
2006-09-02 11:35 239808 --a------ C:\WINDOWS\system32\SymRedir.dll
2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"iolo Task Agent"="C:\\Program Files\\iolo\\Common\\Task Agent\\Task_Agent.exe"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"SpyCatcher Reminder"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe -CheckReg"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,f0,00,00,00,00,00,00,00,30,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,f0,00,00,00,00,00,00,00,30,02,00,00,3a,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001
"NoSaveSettings"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaaca.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaaca.t"
"backup"="C:\\WINDOWS\\pss\\aaaaaaca.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaaca.t"
"item"="aaaaaaca"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaepa.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaepa.t"
"backup"="C:\\WINDOWS\\pss\\aaaaaepa.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaepa.t"
"item"="aaaaaepa"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaiox.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaiox.t"
"backup"="C:\\WINDOWS\\pss\\aaaaaiox.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\aaaaaiox.t"
"item"="aaaaaiox"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dgyrwefr.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dgyrwefr.t"
"backup"="C:\\WINDOWS\\pss\\dgyrwefr.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\dgyrwefr.t"
"item"="dgyrwefr"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtily.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtily.t"
"backup"="C:\\WINDOWS\\pss\\gmxjtily.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtily.t"
"item"="gmxjtily"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtimw.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtimw.t"
"backup"="C:\\WINDOWS\\pss\\gmxjtimw.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtimw.t"
"item"="gmxjtimw"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtuyk.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtuyk.t"
"backup"="C:\\WINDOWS\\pss\\gmxjtuyk.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gmxjtuyk.t"
"item"="gmxjtuyk"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Image Zone Fast Start.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Image Zone Fast Start.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqthb08.exe -s"
"item"="HP Image Zone Fast Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqhir.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqhir.t"
"backup"="C:\\WINDOWS\\pss\\jswbqhir.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqhir.t"
"item"="jswbqhir"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqmfs.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqmfs.t"
"backup"="C:\\WINDOWS\\pss\\jswbqmfs.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqmfs.t"
"item"="jswbqmfs"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqaf.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqaf.t"
"backup"="C:\\WINDOWS\\pss\\jswbqqaf.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqaf.t"
"item"="jswbqqaf"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqed.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqed.t"
"backup"="C:\\WINDOWS\\pss\\jswbqqed.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqed.t"
"item"="jswbqqed"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqeg.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqeg.t"
"backup"="C:\\WINDOWS\\pss\\jswbqqeg.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqeg.t"
"item"="jswbqqeg"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqil.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqil.t"
"backup"="C:\\WINDOWS\\pss\\jswbqqil.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqqil.t"
"item"="jswbqqil"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqulf.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqulf.t"
"backup"="C:\\WINDOWS\\pss\\jswbqulf.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jswbqulf.t"
"item"="jswbqulf"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnqte.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnqte.t"
"backup"="C:\\WINDOWS\\pss\\myvsnqte.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnqte.t"
"item"="myvsnqte"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnsvp.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnsvp.t"
"backup"="C:\\WINDOWS\\pss\\myvsnsvp.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnsvp.t"
"item"="myvsnsvp"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnuoq.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnuoq.t"
"backup"="C:\\WINDOWS\\pss\\myvsnuoq.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnuoq.t"
"item"="myvsnuoq"
jamesmouse
2006-11-20, 02:32
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\myvsnuoq.t"
"item"="myvsnuoq"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalStart.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PalStart.lnk"
"backup"="C:\\WINDOWS\\pss\\PalStart.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\PALTAL~1\\palstart.exe "
"item"="PalStart"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkupw.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkupw.t"
"backup"="C:\\WINDOWS\\pss\\pfukkupw.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkupw.t"
"item"="pfukkupw"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkurp.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkurp.t"
"backup"="C:\\WINDOWS\\pss\\pfukkurp.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkurp.t"
"item"="pfukkurp"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkyjd.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkyjd.t"
"backup"="C:\\WINDOWS\\pss\\pfukkyjd.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkyjd.t"
"item"="pfukkyjd"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkyxx.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkyxx.t"
"backup"="C:\\WINDOWS\\pss\\pfukkyxx.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pfukkyxx.t"
"item"="pfukkyxx"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchddd.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchddd.t"
"backup"="C:\\WINDOWS\\pss\\sltchddd.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchddd.t"
"item"="sltchddd"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchdkf.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchdkf.t"
"backup"="C:\\WINDOWS\\pss\\sltchdkf.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchdkf.t"
"item"="sltchdkf"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchhfg.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchhfg.t"
"backup"="C:\\WINDOWS\\pss\\sltchhfg.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchhfg.t"
"item"="sltchhfg"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchybw.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchybw.t"
"backup"="C:\\WINDOWS\\pss\\sltchybw.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\sltchybw.t"
"item"="sltchybw"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpyCatcher Protector.lnk"
"backup"="C:\\WINDOWS\\pss\\SpyCatcher Protector.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SPYCAT~1\\PROTEC~1.EXE "
"item"="SpyCatcher Protector"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^vrstedhy.t]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\vrstedhy.t"
"backup"="C:\\WINDOWS\\pss\\vrstedhy.tCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\vrstedhy.t"
"item"="vrstedhy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Scheduler.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Scheduler.lnk"
"backup"="C:\\WINDOWS\\pss\\Scheduler.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SPYCAT~1\\SCHEDU~1.EXE "
"item"="Scheduler"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\dsreg.exe SED001"
"item"="TA_Start"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\owinqoem.exe SED001"
"item"="Think-Adz"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1pop06apelt3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="octeltpop"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\anotherap2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmpopoct"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CFD"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaAvTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVTray"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CAVRID]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CAVRID"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
jamesmouse
2006-11-20, 02:37
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Explorer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iexplore"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="owinqoem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\owinqoem.exe SED001"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\geoxr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kpefqt"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\kpefqt.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPWuSchd2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iolo Task Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Task_Agent"
"hkey"="HKCU"
"command"="C:\\Program Files\\iolo\\Common\\Task Agent\\Task_Agent.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Cfgwiz"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="osCheck"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ps2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\ps2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwtl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="t?skmgr"
"hkey"="HKCU"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RECGUARD"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RecoverFromReboot"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Temp\\RecoverFromReboot.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3tray2"
"hkey"="HKLM"
"command"="S3tray2.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpywareBot"
"hkey"="HKLM"
"command"="C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="taskdir"
"hkey"="HKCU"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="coloreal"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\COMPAQ\\Coloreal\\coloreal.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6F-F5-5A-A0-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="npdsregq"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\npdsregq.exe SED001"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\netdns
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vbbin
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Owner.job
Completion time: 06-11-19 15:52:40.62
C:\ComboFix.txt ... 06-11-19 15:52
jamesmouse
2006-11-20, 04:12
;) Hi, I just wanted to let you know on 1 of the scans I did i found the Adware, Trojan: click spring.purity
Hi, I'm afraid my Norton Internet Security is not picking up Trojans and such I'm getting. I'have
Type: Registry [NewDotNet, Trojan.Xorpia,Wild Tanget]
Several WinActive files such as:education.url,Personals.url,Photos.url
I think the main problem is this Smitfraud-C
I really apreaciate your help. James W
Spyhunter log not required....
Hi again, we'll continue :)
One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.
You seem to have this Spycatcher program installed. It has a suspicious reputation and I recomend that you uninstall it via Control Panel -> Add/Remove programs
More info HERE (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
You seem to have this Spyhunter program installed. It has a suspicious reputation and I recomend that you uninstall it via Control Panel -> Add/Remove programs
More info HERE (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
SAVE THESE TO A TEXT FILE ON YOUR DESKTOP! Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Backup your registry:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export form the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window
Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :
REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaaca.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaepa.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^aaaaaiox.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dgyrwefr.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtily.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtimw.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gmxjtuyk.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqhir.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqmfs.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqaf.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqed.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqeg.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqqil.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jswbqulf.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnqte.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnsvp.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^myvsnuoq.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkupw.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkurp.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkyjd.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pfukkyxx.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchddd.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchdkf.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchhfg.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^sltchybw.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^vrstedhy.t]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1pop06apelt3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\anotherap2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\geoxr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pwtl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskdir]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{6F-F5-5A-A0-ZN}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\netdns]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vbbin]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.
Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entry too if you haven't blocked Internet Explorer settings.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe,
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lucnbym.exe
O2 - BHO: (no name) - {0676CC61-CDC5-447e-AAFC-9D886EC820EB} - (no file)
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: netdns - C:\WINDOWS\
O20 - Winlogon Notify: vbbin - C:\WINDOWS\
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
Continue with HijackThis:
Config
Delete an NT service
Copy the following line to the box and press OK; aspi113210
Answer Yes
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Program Files\Common Files\ozzz
C:\WINDOWS\ozzz
C:\WINDOWS\SmFtZXMgV2FzaGJ1cm4
Please run Killbox.
Select "Delete on Reboot".
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\pss\aaaaaaca.tCommon Startup
C:\WINDOWS\pss\aaaaaepa.tCommon Startup
C:\WINDOWS\pss\aaaaaiox.tCommon Startup
C:\WINDOWS\pss\dgyrwefr.tCommon Startup
C:\WINDOWS\pss\gmxjtily.tCommon Startup
C:\WINDOWS\pss\gmxjtimw.tCommon Startup
C:\WINDOWS\pss\gmxjtuyk.tCommon Startup
C:\WINDOWS\pss\jswbqhir.tCommon Startup
C:\WINDOWS\pss\jswbqmfs.tCommon Startup
C:\WINDOWS\pss\jswbqqaf.tCommon Startup
C:\WINDOWS\pss\jswbqqed.tCommon Startup
C:\WINDOWS\pss\jswbqqil.tCommon Startup
C:\WINDOWS\pss\jswbqulf.tCommon Startup
C:\WINDOWS\pss\myvsnqte.tCommon Startup
C:\WINDOWS\pss\myvsnsvp.tCommon Startup
C:\WINDOWS\pss\myvsnuoq.tCommon Startup
C:\WINDOWS\pss\pfukkupw.tCommon Startup
C:\WINDOWS\pss\pfukkurp.tCommon Startup
C:\WINDOWS\pss\pfukkyjd.tCommon Startup
C:\WINDOWS\pss\pfukkyxx.tCommon Startup
C:\WINDOWS\pss\sltchddd.tCommon Startup
C:\WINDOWS\pss\sltchdkf.tCommon Startup
C:\WINDOWS\pss\sltchhfg.tCommon Startup
C:\WINDOWS\pss\sltchybw.tCommon Startup
C:\WINDOWS\pss\vrstedhy.tCommon Startup
C:\WINDOWS\system32\dsreg.exe
C:\WINDOWS\system32\owinqoem.exe
C:\WINDOWS\System32\kpefqt.exe
C:\windows\system32\npdsregq.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\kca8d05e.sys
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\lucnbym.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Select "All Files".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
jamesmouse
2006-11-21, 00:41
Hi, Thankyou so much for your help and directions. I ran into a problem after doing Fix checked, the next direction was to press Config - Delete an NT service. I typed in aspi113210 and get this error.
"The service aspi113210 is enabled or running. Disable it 1st by using HijackThisitself from scan results or the Services.msc window". I can't figure how to do this. James W
jamesmouse
2006-11-21, 05:30
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 19:13 06-11-20
+ Scan result:
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP3\A0001238.reg -> Hijacker.StartPage : Cleaned with backup (quarantined).
::Report end
jamesmouse
2006-11-21, 05:34
Logfile of HijackThis v1.99.1
Scan saved at 19:31, on 06-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SPYWAREfighter\spftray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SPYWAREfighter\spfprc.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spftray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program Files\SPYWAREfighter\spfprc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi again, looks better :)
Open Notepad and copy the following lines into a new document:
@echo off
sc stop "Microsoft ASPI Manager"
sc delete "Microsoft ASPI Manager"
Save the document to your desktop as Remove.bat and filetype: All Files
Go to your desktop and run the file Remove.bat and allow to run it if prompted
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
Reboot the computer.
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log
:bigthumb:
jamesmouse
2006-11-21, 16:01
KASPERSKY ONLINE SCANNER REPORT
06-11-21 5:52:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/11/2006
Kaspersky Anti-Virus database records: 243445
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics
Total number of scanned objects 67673
Number of viruses found 4
Number of infected objects 108 / 0
Number of suspicious objects 0
Duration of the scan process 01:14:24
Infected Object Name Virus Name Last Action
C:\!KillBox\sltchddd.tCommon Startup Infected: Email-Worm.Win32.Glowa.g skipped
C:\!KillBox\sltchddd.tCommon Startup( 3) Infected: Email-Worm.Win32.Glowa.g skipped
C:\aaaaaefm.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Compaq\cpqOfferZone\msCMT\vrstehby.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-11-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\6B3AC1D0.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\aaaaaeaj.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\aaaaaeam.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\aaaaaeap.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\dgyrwiga.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\dgyrwigl.t
jamesmouse
2006-11-21, 16:06
C:\Documents and Settings\LocalService\Local Settings\Temp\aaaaaeap.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\dgyrwiga.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\dgyrwigl.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\dgyrwigp.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\gmxjtmmd.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\jswbqqsj.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\pfukkyfr.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\vrstehre.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\vrstehrs.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD8E7.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFD900.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
C:\jswbqqca.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\Provblob.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\Service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\prov\user.xml Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\SPYWAREfighter\spf.dat Object is locked skipped
C:\sltchduk.t Infected: Email-Worm.Win32.Glowa.g skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP2\A0000048.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.q skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP2\A0000048.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.q skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP2\A0000048.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP5\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\cmdcons\system32\aaaaaewd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\cmdcons\jswbqqll.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\cmdcons\aaaaaesa.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\gmxjtmjg.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\sltchdil.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\dgyrwidy.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\dgyrwidj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\gmxjtmne.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\aaaaaebr.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\pfukkygl.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\gmxjtmnl.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehsf.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\sltchdmy.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\aaaaaeby.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\gmxjtmns.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehsm.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\jswbqqtg.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\pfukkyga.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehsp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\sltchdmj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\jswbqqtj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\aaaaaebj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehsw.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\myvsnuaw.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\jswbqqtq.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehse.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\vrstehsl.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\dgyrwihl.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\aaaaaebf.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\gmxjtmny.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\myvsnuas.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\MiniNT\system32\sltchdmm.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\DIST\SYSTEM32\pfukkygq.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP00041\aaaaaebe.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP02995\myvsnuar.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP06334\sltchdml.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP09961\pfukkygf.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP18467\vrstehsy.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP23281\myvsnuay.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP26500\jswbqqts.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP26962\vrstehsg.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP28145\sltchdma.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\Drv\APP32391\gmxjtmnp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnuep.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\dgyrwile.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnuel.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\dgyrwill.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnues.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\gmxjtmrg.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnuea.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\sltchdqp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\jswbqqxe.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\pfukkykx.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\vrstehwr.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnuer.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\sltchdql.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\dgyrwily.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\jswbqqxs.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\aaaaaefa.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\pfukkykp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\gmxjtmrp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnuej.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\jswbqqxd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\pfukkykw.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\myvsnueq.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\SYSTEM32\dgyrwilq.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\apps\APP04827\sltchdum.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\apps\APP05436\jswbqqcp.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\apps\APP11942\vrstehbd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\gmxjtmnj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\vrstehsd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\aaaaaebd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\aaaaaefk.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\myvsnuex.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\jswbqqxr.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\myvsnuef.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\aaaaaejk.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\aaaaaejy.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\dgyrwipm.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\i386\sltchduj.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\6_in_1\dgyrwigd.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\6_in_1\sltchdlw.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\HPSysInfo\myvsnuyk.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\QFE330638\jswbqqse.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\Realtek\vrstehrr.t Infected: Email-Worm.Win32.Glowa.g skipped
E:\hp\patches\31NA0RED\VIA_NIC\jswbqqsl.t Infected: Email-Worm.Win32.Glowa.g skipped
Scan process completed.
jamesmouse
2006-11-21, 16:37
Logfile of HijackThis v1.99.1
Scan saved at 6:32:09 AM, on 06-11-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SPYWAREfighter\spftray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SPYWAREfighter\spfprc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spftray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program Files\SPYWAREfighter\spfprc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Hi again :)
You have a nasty infection there...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a can with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with the Cure-it report and a fresh HijackThis log.
:bigthumb:
jamesmouse
2006-11-22, 06:16
Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix;Tool.ShutDown.11;Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
EN_CA-ie.reg;C:\hp\region;Trojan.StartPage.1505;Deleted.;
A0002381.exe;C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP8;Trojan.KillApp.30208;Deleted.;
A0002382.reg;C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP8;Trojan.StartPage.1505;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;
jamesmouse
2006-11-22, 06:30
Hi, Before your reply on Nov 21 I uninstalled Norton Internet security and downloaded Kapersky to removed many intances of Email-Worm.Win32.Glowa.g as I searched Symantec web site and its not listed there. I didnt trust Norton so I used Kapersky 30 day free trial version. It worked. Thankyou so much for your help. James W
Hi again :)
Thanks for letting me know that you used Kaspersky. I really recommend that we check whether the infection is removed completely or not.
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run PandaActiveScan...
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.
jamesmouse
2006-11-22, 21:09
Panda Internet Security 2007 incident report
Filter selected:Virus detected, Suspicious file, Dangerous file, Script execution, Phone connection, Connection attempt, Port scan attack, Denial of service attack, Spoofing, Attacking IP address blocked, Enabled, Disabled, Update, Scan started, Scan complete, Date: All
INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Connection attempt Firewall protection 11/22/06 10:56:06 Blocked Source IP address: 201.74.195.200
Connection attempt Firewall protection 11/22/06 10:53:55 Blocked Source IP address: 204.16.208.69
Virus detected: Trj/Qhost.gen On-demand antivirus scan 11/22/06 10:50:47 Disinfected Path: C:\WINDOWS\system32\drivers\etc\hosts.20061117-041748.backup
Virus detected: Trj/Qhost.gen On-demand antivirus scan 11/22/06 10:50:47 Disinfected Path: C:\WINDOWS\system32\drivers\etc\hosts.20061117-041747.backup
Spyware detected: Cookie/Diglnk On-demand antivirus scan 11/22/06 10:50:04 Disinfected Path: C:\WINDOWS\system32\config\systemprofile\Cookies\system@mbop[1].txt
Connection attempt Firewall protection 11/22/06 10:43:01 Blocked Source IP address: 66.114.57.81
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:38:32 Deleted Path: C:\RECYCLER\S-1-5-21-760953927-71859624-3576181368-1003\Dc62\Process.exe
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:38:32 Deleted Path: C:\RECYCLER\S-1-5-21-760953927-71859624-3576181368-1003\Dc61.exe
Connection attempt Firewall protection 11/22/06 10:37:46 Blocked Source IP address: 204.16.209.20
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:27:57 Deleted Path: C:\hp\bin\KillIt.exe
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:27:56 Deleted Path: C:\hp\bin\FondleWindow.exe
Connection attempt Firewall protection 11/22/06 10:27:41 Blocked Source IP address: 204.16.210.42
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:27:17 Deleted Path: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0L75EFQ6\SmitfraudFix[1].zip[Process.exe]
Potentially unwanted program detecte... On-demand antivirus scan 11/22/06 10:26:11 Deleted Path: C:\Documents and Settings\Owner\DoctorWeb\Quarantine\Process.exe
Adware detected: adware/block-checker On-demand antivirus scan 11/22/06 10:21:17 Disinfected Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\commission-junction.com\
Update Update system 11/22/06 10:19:57 Correct Total threat signatures: 182250
Connection attempt Firewall protection 11/22/06 10:17:00 Blocked Source IP address: 192.168.0.1
jamesmouse
2006-11-22, 21:40
I've been talking to Microsoft's virus removal department also. Last night I was working with an Microsoft technician about these problems. He had me go through a process of giving control of my computer to him. He removed several files that were suspicios or bad. I couldn't get Panda Scan Now to work I think because I kept getting an icon of error on this page and had Kaspersky installed. So I uninstalled Kaspersky and used Panda Internet security 30 day trial to to scan my computer.
jamesmouse
2006-11-22, 21:47
ogfile of HijackThis v1.99.1
Scan saved at 11:45:01 AM, on 06-11-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\Program Files\Panda Software\Panda Internet Security 2007\apvxdwin.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\SRVLOAD.EXE
c:\program files\panda software\panda internet security 2007\WebProxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Owner\LOCALS~1\Temp\{FA9811B3-DB4C-449F-BB25-8DEDD686EAA2}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\pavsrv51.exe
O23 - Service: Panda Antispam Engine (pmshellsrv) - Panda Software International - C:\Program Files\Panda Software\Panda Internet Security 2007\AntiSpam\pskmssvc.exe
O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda internet security 2007\firewall\PNMSRV.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Internet Security 2007\PsImSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Hijac
Hi again :)
It is looking quite good now...
How is the computer running ?
You should print these instructions or save these to a text file. Follow these instructions carefully.
Disable bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to Microsoft ASPI Manager (aspi113210)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; aspi113210
Answer Yes
Close HIjackThis
Restart your computer normally.
Please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
Scan again with HijackThis and post the logfile to here.
jamesmouse
2006-11-24, 07:35
Hi Jak, Thankyou alot for your help. My computer is working pretty good now. I still get popups of intrusion attemps and Web pages changing sometimes. I sent a letter to the local police dept. about how someone who i thought was a friend and let use my computer while i wasn't looking crashed my computer and when I finally got it partly working I recieved many popups advertising WinAntivirus and research told me its association with VUNDO TROJAN. I Emailed a letter and every page of our work together to them. I feel he's the one who coused this by downloadinng WinAntivirus on purpose to damage my computer. I also emailed them web pages of my research on it with Google and Yahoo. I believe this is a serious criminal matter. I will now follow your last instructions. Thanks again, James W.
jamesmouse
2006-11-24, 12:07
Find AWF report by noahdfear ©2006
21504 byte files found
~~~~~~~~~~~~~
21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
25600 byte files found
~~~~~~~~~~~~~
25600 "C:\WINDOWS\Installer\159d14.mst"
25600 "C:\WINDOWS\Installer\MSI72.tmp"
25600 "C:\WINDOWS\Installer\MSI76.tmp"
25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
26450 byte files found
~~~~~~~~~~~~~
26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
jamesmouse
2006-11-24, 12:18
Logfile of HijackThis v1.99.1
Scan saved at 2:12:00 AM, on 06-11-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Owner\LOCALS~1\Temp\{FA9811B3-DB4C-449F-BB25-8DEDD686EAA2}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
Hi again :)
Looks like the last HijackThis log wasn't complete.
Please post the end of the log to here :bigthumb:
jamesmouse
2006-11-24, 22:35
Hi,I had talked to microsoft about my case and the lady in there virus and security dept. had me delete all prefetch files. I did a scan with Hijacker and the last entry on scan is the same as the last entry on the Post. I will repost the scan if different from original. Thanks, James W
Hi again :)
Is the following entry still visible if you run a scan with HijackThis ?
O23 - Service: Microsoft ASPI Manager (aspi113210) - Pinnacle Systems GmbH - (no file)
Let me know if it is....
If it is not and everything is running fine, then please follow these steps...
You don't seem to a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.
These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)
You don't have an antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) on your computer, you must install one antivirus. Otherwise you'll get infected again.
These are good (free) antiviruses: AVG (http://free.grisoft.com)
Antivir (http://www.free-av.com)
Avast (http://www.avast.com)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
jamesmouse
2006-11-24, 23:54
Logfile of HijackThis v1.99.1
Scan saved at 12:56:40 PM, on 06-11-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\kktools\userdump.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.1.1067.8/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_current.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163388269875
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
:) :)
Hi again :)
You don't seem to have an antivirus or a firewall running....
Please see my last message for that.
You have these leftovers from Panda, you can fix the following with HijackThis:
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
Then The end of the HijackThis log didn't paste correctly, the O23 lines are missing...
jamesmouse
2006-11-26, 03:24
Hi, I did almost everything or I've also noticed sometimes some of the settings I make seem to change or i was in the process of removing it. I removed panda and reinstalled Norton Internet Security 2007 that I purchased, its all running including firewall.
I will check on o23 and see how many are there and repost another Hijackthis log & fix the 2 o4s. Thanks alot. James W
:) :)
jamesmouse
2006-11-26, 04:36
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
Ok great :)
It looks good now, the computer is running fine ?
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: