
Thread: Small variation on a theme

  1. #1
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default Small variation on a theme

    Hello again,

    Original problem on this link: http://forums.spybot.info/showthread.php?t=9374

    Google links and favorites are still working okay, however, any 404 page not found errors are automatically redirected to a dubious search engine site.

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hello

    Do post a fresh hijackthis log

    Also: Post a combofix log
    1. Download this file - combofix.exe
    http://download.bleepingcomputer.com...h/combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
    If the log is large, you might need to post half in one reply and half in another.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default

    Hi Lonny,

    Thanks for the reply.

    Logs are as follows....

    Logfile of HijackThis v1.99.1
    Scan saved at 21:29:23, on 04/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AceGain\LiveUpdate\aceagent.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
    O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    "Sean Debling" - 07-01-04 21:31:13.71 Service Pack 2
    ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    d:\autorun.inf" . . . . failed to delete
    e:\autorun.inf" . . . . failed to delete


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))))))))))))))))))))))


    2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
    2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
    2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
    2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
    2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
    2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
    2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
    2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
    2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
    2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
    2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
    2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
    2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
    2006-12-05 21:08 <DIR> d-------- C:\Themes


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
    2007-01-02 13:45 -------- d-------- C:\Program Files\java
    2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
    2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
    2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
    2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
    2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
    2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
    2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
    2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
    2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
    2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
    2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2006-11-26 12:38 -------- d-------- C:\Program Files\konami
    2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
    2006-11-15 23:42 -------- d-------- C:\Program Files\ashampoo
    2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
    2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
    2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
    2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
    2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
    2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
    2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
    2006-11-04 21:48 -------- d---s---- C:\Documents and Settings\Sean Debling\Application Data\microsoft
    2006-11-04 15:27 -------- d-------- C:\Program Files\thq
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Start WingMan Profiler"=""
    "Steam"=""
    "tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
    "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "CARPService"="carpserv.exe"
    "GSICONEXE"="GSICON.EXE"
    "DSLAGENTEXE"="dslagent.exe USB"
    "Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
    "REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
    Ip6FwHlp

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command D:\Autorun.exe

    Completion time: 07-01-04 21:43:46.17


    Incidentally, I've noticed a new folder called e17da79eb306db570881 that has appeared. All that is inside is a text document called msxml4-KB927978-enu that has loads and loads of writing on it. I fear it will take at least 3 of these messages to convey it all. Any ideas?
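
The HijackThis log in this post is read by eye in the thread. As an added example (not code from the thread, from HijackThis or from Silent Runners), the Python script below parses the R0/R1, O2, O4, O9 and O16 line formats that log uses and flags what an analyst checks first: startup commands that name a bare executable with no directory (such an entry is resolved through the search path, so the file that actually runs is not pinned down), targets reported as "(file missing)", and start/search-page or ActiveX download (DPF) URLs whose host is not on an allowlist. The heuristics are general rather than tied to this one log. The TRUSTED_HOSTS allowlist, the SAMPLE_LOG excerpt and the flag wording are constructed for this example; the sample lines themselves are copied from the log posted above.

```python
"""Triage helper for HijackThis-style log lines (added example, not the
tool's own code).  Parses R0/R1, O2, O4, O9 and O16 lines into records
and attaches review flags.  TRUSTED_HOSTS and SAMPLE_LOG are constructed
for this example; the sample lines are copied from the log in the thread."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumption: hosts accepted as expected defaults for browser start/search
# pages and ActiveX downloads.  Anything else is surfaced for review.
TRUSTED_HOSTS = {"go.microsoft.com"}

SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
"""

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")
R_RE = re.compile(r"^(?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<url>.*)$")
# "[Name] command" for Run keys, "Name.lnk = command" for Startup folders.
O4_RE = re.compile(r"^(?P<hive>[^:]+): (?:\[(?P<name>[^\]]*)\]|(?P<lnk>.+?) =) (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


@dataclass
class Entry:
    kind: str      # R0, O4, O16 ...
    name: str      # value name, class name or CLSID
    target: str    # URL, path or command line
    raw: str
    flags: list = field(default_factory=list)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    if kind in ("R0", "R1") and (r := R_RE.match(rest)):
        return Entry(kind, r.group("name"), r.group("url"), line)
    if kind == "O4" and (o := O4_RE.match(rest)):
        return Entry(kind, o.group("name") or o.group("lnk"), o.group("cmd"), line)
    if kind == "O16" and (d := O16_RE.match(rest)):
        return Entry(kind, d.group("name") or d.group("clsid"), d.group("url"), line)
    # Generic "label - {CLSID} - path" layout used by O2, O9 and similar lines.
    parts = [p.strip() for p in rest.split(" - ")]
    return Entry(kind, parts[0], parts[-1], line)


def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def first_token(cmd: str) -> str:
    """Executable portion of a command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries):
    """Attach heuristic flags; return only the entries that received one."""
    flagged = []
    for e in entries:
        if "(file missing)" in e.target:
            e.flags.append("target reported missing")
        if e.kind == "O4":
            exe = first_token(e.target)
            if exe and "\\" not in exe and "/" not in exe and not exe.startswith("%"):
                e.flags.append(f"bare executable '{exe}' resolved via search path")
        if e.kind in ("R0", "R1", "O16"):
            host = urlparse(e.target).hostname
            if host not in TRUSTED_HOSTS:
                e.flags.append(f"host not on allowlist: {host}")
        if e.flags:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.kind} {e.name!r}: {'; '.join(e.flags)}")
```

The flags are prompts for review, not verdicts: a bare "carpserv.exe" in a Run key is normally a legitimate driver helper, and the Panda DPF entry is an online scanner, but each is exactly the kind of entry whose file on disk and vendor an analyst confirms before moving on, which is what the "[file not found]" and vendor annotations in the Silent Runners output later in this thread do for the same entries.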

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    That new folder is due to a Windows update.

    If you have any flash drives, memory cards or USB disks, plug them in.
    Run ComboFix again and post its log please.

    Also, what are your D and E drives?
    What does this "dubious search engine site" look like?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default

    D drive is DVD drive and E drive is CD-RW drive.

    I've taken some screenshots to show what these sites look like.

    http://img99.imageshack.us/img99/5142/404v1hu1.jpg

    http://img99.imageshack.us/img99/9875/404v2ct0.jpg

    http://img99.imageshack.us/img99/3107/404v3vz6.jpg

    http://img69.imageshack.us/img69/6981/404v4xm8.jpg

    http://img99.imageshack.us/img99/4761/404v5yb9.jpg

    As you can see, it's the same sort of interface (except one) using two fictitious web addresses. I don't use any USB sticks etc. I'll run the combo tonight and post the log (on my lunch hour at the moment).

  6. #6
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default

    Combo as follows.....

    "Sean Debling" - 07-01-05 20:30:14.53 Service Pack 2
    ComboFix 07-01-04W-BetaE2 - Running from: "C:\Documents and Settings\Sean Debling\Desktop\Security"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    d:\autorun.inf" . . . . failed to delete


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))))))))))))))))))))))


    2007-01-04 23:53 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Ashampoo Photo Commander 3
    2007-01-04 23:11 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-01-04 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Corel
    2007-01-04 23:10 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Corel
    2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
    2006-12-25 09:06 <DIR> d-------- C:\Program Files\Call of Duty
    2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
    2006-12-21 21:50 <DIR> d-------- C:\Program Files\You Ripper
    2006-12-20 19:44 <DIR> d-------- C:\Program Files\Electronic Arts
    2006-12-13 18:11 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
    2006-12-13 18:10 <DIR> d-------- C:\WINDOWS\Internet Logs
    2006-12-11 23:27 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\OfficeUpdate12
    2006-12-11 21:39 <DIR> d--h-c--- C:\WINDOWS\ie7
    2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\WBEM
    2006-12-11 21:39 <DIR> d-------- C:\WINDOWS\system32\en-US
    2006-12-11 21:38 121,856 --------- C:\WINDOWS\system32\xmllite.dll
    2006-12-11 21:37 <DIR> d-------- C:\WINDOWS\network diagnostic
    2006-12-11 21:33 <DIR> d-------- C:\Program Files\MSXML 4.0
    2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881
    2006-12-05 21:08 <DIR> d-------- C:\Themes


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-04 23:53 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\ashampoo photo commander 3
    2007-01-04 23:48 -------- d-------- C:\Program Files\ashampoo
    2007-01-04 23:20 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\corel
    2007-01-04 13:38 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\adobe
    2007-01-02 13:45 -------- d-------- C:\Program Files\java
    2006-12-29 16:11 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2006-12-27 13:32 -------- d--h----- C:\Program Files\installshield installation information
    2006-12-11 23:47 -------- d-------- C:\Documents and Settings\Sean Debling\Application Data\officeupdate12
    2006-12-11 23:39 -------- d-------- C:\Program Files\microsoft works
    2006-12-10 13:33 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
    2006-12-10 13:33 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-12-07 05:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
    2006-12-05 21:20 2560 --a--c--- C:\WINDOWS\_msrstrt.exe
    2006-12-05 21:18 -------- d-------- C:\Program Files\Common Files\stardock
    2006-11-30 11:58 -------- d-------- C:\Program Files\quicktime
    2006-11-30 11:48 -------- d-------- C:\Program Files\finepixviewer
    2006-11-26 12:51 98304 --a--c--- C:\WINDOWS\system32\cmdlineext.dll
    2006-11-26 12:48 -------- d-------- C:\Program Files\gameshadow
    2006-11-26 12:45 86016 --a------ C:\WINDOWS\system32\openal32.dll
    2006-11-26 12:45 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2006-11-26 12:38 -------- d-------- C:\Program Files\konami
    2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
    2006-11-15 22:45 -------- d-------- C:\Program Files\Common Files\fellowes
    2006-11-15 22:43 1425594 --a--c--- C:\WINDOWS\recorder.reg
    2006-11-15 22:43 1065 --a------ C:\WINDOWS\newrecorder.reg
    2006-11-15 22:43 -------- d-------- C:\Program Files\pinnacle
    2006-11-11 22:20 -------- d-------- C:\Program Files\grisoft
    2006-11-11 20:24 -------- d-------- C:\Program Files\Common Files\java
    2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
    2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
    2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
    2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
    2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
    2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
    2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
    2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
    2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
    2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
    2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
    2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
    2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
    2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
    2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2006-11-06 23:43 4966912 --a------ C:\WINDOWS\system32\logonuix.exe
    2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
    2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
    2006-10-18 21:54 1024 --a--c--- C:\Documents and Settings\Sean Debling\Application Data\wavcodec.wff
    2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
    2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
    2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\winfxdocobj.exe
    2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
    2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
    2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
    2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
    2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
    2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
    2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
    2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
    2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
    2006-10-13 12:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
    2006-10-13 12:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
    2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Start WingMan Profiler"=""
    "Steam"=""
    "tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "PtiuPbmd"="Rundll32.exe ptipbm.dll,SetWriteBack"
    "PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
    "Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
    "CARPService"="carpserv.exe"
    "GSICONEXE"="GSICON.EXE"
    "DSLAGENTEXE"="dslagent.exe USB"
    "Ptipbmf"="rundll32.exe ptipbmf.dll,SetWriteCacheMode"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "AceGain LiveUpdate"="C:\\Program Files\\AceGain\\LiveUpdate\\LiveUpdate.exe"
    "REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
    "EPSON Stylus Photo R300 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0F2.EXE /P30 \"EPSON Stylus Photo R300 Series\" /O6 \"USB001\" /M \"Stylus Photo R300\""
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
    "nwiz"="nwiz.exe /install"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "0aMCPClient"="{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
    "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

    HKLM\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
    Ip6FwHlp

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    Shell\AutoRun\command D:\Autorun.exe

    Completion time: 07-01-05 20:42:29.67
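
When a helper asks for a second ComboFix run, the question is what changed between the two logs. As an added example (not code from the thread or from ComboFix), the Python script below splits a log on its "(((( Title ))))" section banners, parses the "Files Created" listing and the "Reg Loading Points" registry dump into dictionaries, and reports entries that were added, removed or changed between two runs. RUN1 and RUN2 are constructed excerpts of the two logs posted in this thread; the registry portion is identical in both, as it is in the thread, so the only differences reported are the new file entries.

```python
"""Diff the "Files Created" and "Reg Loading Points" sections of two
ComboFix logs (added example, not ComboFix's own code).  RUN1 and RUN2
are constructed excerpts of the two logs posted in this thread."""
import re

SECTION_RE = re.compile(r"^\(+\s*(?P<title>.+?)\s*\)+$")
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')
FILE_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")

RUN1 = r"""
(((((((((((((( Files Created from 2006-12-04 to 2007-01-04 ))))))))))))))

2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881

(((((((((((((((((( Reg Loading Points ))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

Completion time: 07-01-04 21:43:46.17
"""

RUN2 = r"""
(((((((((((((( Files Created from 2006-12-05 to 2007-01-05 ))))))))))))))

2007-01-04 23:53 <DIR> d-------- C:\DOCUME~1\SEANDE~1\APPLIC~1\Ashampoo Photo Commander 3
2007-01-04 23:11 848 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2006-12-27 13:25 <DIR> d-------- C:\Program Files\NovaLogic
2006-12-21 21:50 92,728 --------- C:\WINDOWS\system32\bass.dll
2006-12-11 21:33 <DIR> d-------- C:\e17da79eb306db570881

(((((((((((((((((( Reg Loading Points ))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"tunebite.exe"="C:\\Program Files\\tunebite\\tunebite.exe -hidden"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\Autorun.exe

Completion time: 07-01-05 20:42:29.67
"""


def split_sections(text):
    """Map each section banner title to the non-blank lines beneath it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            current = m.group("title")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def section(sections, prefix):
    """Lines of the first section whose banner starts with prefix."""
    return next((v for k, v in sections.items() if k.startswith(prefix)), [])


def parse_files(lines):
    """path -> (timestamp, size, attribute string)"""
    return {m.group("path"): (m.group("stamp"), m.group("size"), m.group("attrs"))
            for m in map(FILE_RE.match, lines) if m}


def parse_reg(lines):
    """key -> {value name: data}; a bare line under a key (such as the
    MountPoints2 AutoRun command) is kept with the whole line as its name."""
    reg, key = {}, None
    for line in lines:
        if k := REG_KEY_RE.match(line):
            key = k.group("key")
            reg.setdefault(key, {})
        elif key and not line.startswith(("*Note*", "Completion time")):
            v = REG_VALUE_RE.match(line)
            reg[key][v.group("name") if v else line] = v.group("value") if v else ""
    return reg


def diff_logs(old_text, new_text):
    old, new = split_sections(old_text), split_sections(new_text)
    f_old, f_new = parse_files(section(old, "Files Created")), parse_files(section(new, "Files Created"))
    r_old, r_new = parse_reg(section(old, "Reg Loading Points")), parse_reg(section(new, "Reg Loading Points"))
    reg_changes = []  # (key, value name, old data or None, new data or None)
    for key in sorted(set(r_old) | set(r_new)):
        a, b = r_old.get(key, {}), r_new.get(key, {})
        reg_changes += [(key, n, a.get(n), b.get(n)) for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)]
    return {
        "files_added": sorted(set(f_new) - set(f_old)),
        "files_removed": sorted(set(f_old) - set(f_new)),
        "files_changed": sorted(p for p in set(f_old) & set(f_new) if f_old[p] != f_new[p]),
        "reg_changes": reg_changes,
    }


if __name__ == "__main__":
    for what, items in diff_logs(RUN1, RUN2).items():
        print(what, *items, sep="\n    ")
```

Run against the two logs above it reports the two new file entries (the Ashampoo Photo Commander data folder and KGyGaAvL.sys) and no registry change, which matches the two runs in this thread. The attribute string is kept in the file record deliberately: a newly created hidden/system file in system32 (the "--ahs----" flags on KGyGaAvL.sys) is the sort of entry worth checking against the install that created it rather than skimming past.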

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Download and run Silentrunners.vbs and post the log it creates, please.
    http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
    Wait until there is an "All Done" message!! Then open and post the log next to it.
    Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  8. #8
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default

    "Silent Runners.vbs", revision 49, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "Start WingMan Profiler" = "(empty string)" [file not found]
    "Steam" = "(empty string)" [file not found]
    "tunebite.exe" = "C:\Program Files\tunebite\tunebite.exe -hidden" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "PtiuPbmd" = "Rundll32.exe ptipbm.dll,SetWriteBack" [MS]
    "PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe" [empty string]
    "Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
    "CARPService" = "carpserv.exe" ["Conexant Systems"]
    "GSICONEXE" = "GSICON.EXE" ["Fujitsu, Inc."]
    "DSLAGENTEXE" = "dslagent.exe USB" [null data]
    "Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "AceGain LiveUpdate" = "C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe" [null data]
    "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
    "EPSON Stylus Photo R300 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"" ["SEIKO EPSON CORPORATION"]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "OpwareSE2" = ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" ["ScanSoft, Inc."]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
    "NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
    "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
    "SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
    "Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"
    -> {HKLM...CLSID} = "CD Copy Shell Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"
    -> {HKLM...CLSID} = "CD Wizard Shell Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]
    "{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"
    -> {HKLM...CLSID} = "InstantWrite Shellextension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\iwshex.dll" ["VOB Computersysteme GmbH"]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{C1728FC8-0162-4827-85B0-8420B5B20263}" = "All Converter"
    -> {HKLM...CLSID} = "All Converter"
    \InProcServer32\(Default) = "C:\Program Files\All Converter\CMExt.dll" [file not found]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
    -> {HKLM...CLSID} = "DesktopContext Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
    -> {HKLM...CLSID} = "NVIDIA CPL Extension"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
    -> {HKLM...CLSID} = "nView Desktop Context Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
    "System" = (value not set)

    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {HKLM...CLSID} = "WinZip"
    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\My Documents\My Pictures\WINDVD Capture\cap002.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Sean Debling\My Documents\My Pictures\WINDVD Capture\cap002.bmp"


    Startup items in "Sean Debling" & "All Users" startup folders:
    --------------------------------------------------------------

    C:\Documents and Settings\Sean Debling\Start Menu\Programs\Startup
    "Registration-INSDVD" -> shortcut to: "C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe INSDVD,INSDVD,register,EN,0,serial=ABDPG-AAUAC-NQUDN-QAPIA-HDRPA" [file not found]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
    "Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
    "InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" ["InterVideo Inc."]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    FTP Publishing, MSFtpsvc, "C:\WINDOWS\System32\inetsrv\inetinfo.exe" [MS]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


    ----------
    <<!>>: Suspicious data at a malware launch point.

    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 202 seconds.
    ---------- (total run time: 256 seconds)

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Odd case.

    You had, I think, run Fixwareout prior to your first post in the other thread;
    let's run it again.
    Redownload because it has changed.
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe
    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

    A Panda online scan might help too.
    Panda ActiveScan - free online scanner:
    http://www.pandasoftware.com/products/activescan.htm
    Do a full scan > Click the my computer button
    After the scan click see report then Save the report and post it back here please.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  10. #10
    Member
    Join Date
    Nov 2006
    Posts
    40

    Default

    Fixwareout
    Last edited 1/1/2006
    Post this report in the forums please
    ...
    Prerun check
    HKLM run and Winlogon System values
    System restarted
    ...
    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
    ...
    Random Runs removed from HKLM
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    Searching by size/names...


    Search five digit cs, dm kd and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.

    Misc files.

    Checking for older varients covered by the Rem3 tool.

    Postrun check
    HKLM run
    Winlogon System value
    "system"=""


    Logfile of HijackThis v1.99.1
    Scan saved at 14:34:32, on 07/01/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AceGain\LiveUpdate\aceagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
    O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Incident Status Location

    Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@apmebf[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@atdmt[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@doubleclick[1].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@xiti[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@112.2o7[1].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@adtech[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@advertising[2].txt
    Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@adviva[1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@clickbank[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@com[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@fastclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@hitbox[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@mediaplex[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@questionmarket[1].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula_debling@statse.webtrendslive[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@112.2o7[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@247realmedia[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@2o7[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@ads.pointroll[1].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@adtech[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@com[1].txt
    Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@findwhat[1].txt
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@hotlog[2].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@questionmarket[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@serving-sys[2].txt
    Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@spylog[1].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean_debling@tribalfusion[1].txt
    Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\backups\backup-20060615-122223-938-PowerReg Scheduler.exe
