-
HIJACKTHIS log attached - Recently attacked by Trojan.Dropper.. run
Ran both Ad-Aware SE and Spybot S&D, fully updated, fully immunized; ran Spybot S&D in safe mode as well. Thought all was well until I came back online and a browser window popped up advertising some kind of cell phone.
Here is my HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 2:45:32 AM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}\Update.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\kt0ql7d51.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
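A small triage helper for log lines in this HijackThis format, added here as an example; it is not part of the thread, of HijackThis, or of any tool the helper recommends. The sample lines are constructed from entries quoted in the log above, and every flagging rule is an assumed "review this first" heuristic, not a malware signature.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Added example; not part of the forum thread, HijackThis or any other tool
named in it. It parses the "Oxx - ..." entries of a HijackThis log and
flags the entry types a removal helper reviews first. SAMPLE_LOG is
constructed from entries quoted in the thread; every rule below is an
assumed review heuristic ("look at this"), not a malware signature.
"""
import re
from dataclasses import dataclass

# "R1 - ...", "F2 - ...", "O4 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Assumed heuristic: a DLL in system32 whose stem is 8+ alphanumerics that
# mix letters and digits (the thread's kt0ql7d51.dll is the model).
RANDOM_DLL_RE = re.compile(
    r"\\system32\\(?=[a-z]*\d)(?=[0-9]*[a-z])[a-z0-9]{8,}\.dll\s*$",
    re.IGNORECASE,
)

# Assumed heuristic: an autorun target sitting directly in the drive root
# or the Windows root rather than under Program Files or system32.
ROOT_EXE_RE = re.compile(r"^[a-z]:\\(windows\\)?[^\\]+\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def _last_segment(body: str) -> str:
    """Return the text after the last ' - ' separator (usually the path)."""
    return body.rsplit(" - ", 1)[-1].strip()


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return []  # header lines, the process list, blank lines
    sec, body = m.group("sec"), m.group("body")
    found: list[Finding] = []

    def flag(reason: str) -> None:
        found.append(Finding(sec, reason, line))

    if sec == "R1" and "ProxyOverride" in body:
        flag("proxy override is set; confirm the value is intended")
    elif sec == "O4":
        # Body looks like 'HKLM\..\Run: [name] command'; take the command.
        target = body.split("] ", 1)[-1].strip().strip('"')
        if ROOT_EXE_RE.match(target):
            flag("autorun executable in drive root or Windows root")
    elif sec == "O16":
        # Named controls show '(Friendly Name) - URL'; unnamed ones do not.
        if ") - " not in body:
            flag("unnamed ActiveX control downloaded from a remote CAB")
    elif sec == "O20":
        flag("Winlogon Notify DLL is loaded into winlogon.exe at logon")
        if RANDOM_DLL_RE.search(_last_segment(body)):
            flag("random-looking DLL name in system32")
    elif sec == "O23" and body.endswith("(file missing)"):
        flag("service points at a missing file; stale or broken entry")
    return found


def triage(log_text: str) -> list[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


# Constructed sample built from entries quoted in the thread's log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [eenyseaA] C:\WINDOWS\eenyseaA.exe
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\kt0ql7d51.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

A hit only means "look at this entry"; the O23 rule, for instance, fires on the thread's broken SQL Server entries, which are stale paths rather than malware.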
-
Security Expert-Emeritus
Welcome aboard
Please download Combofix to your desktop:
- Double-click combofix.exe & follow the prompts.
- When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Proud Member of ASAP since 2005.
-
Here you go - I think the popups might have stopped..
Shall I post a new HJT as well? Thanks by the way!
Craig Flannagan - 06-09-17 3:26:21.00 Service Pack 2
ComboFix 06.09.14 - Running from: C:\Documents and Settings\Craig Flannagan\Desktop
((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))
REGISTRY ENTRIES REMOVED:
[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""
[HKEY_CLASSES_ROOT\CLSID\{F2F2DECC-9FF3-4283-B4D0-F11BE109F11D}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
FILES REMOVED:
C:\WINDOWS\system32\jt6407jqe.dll
C:\WINDOWS\system32\kt0ql7d51.dll
C:\WINDOWS\system32\wgnsta.dll
C:\WINDOWS\system32\guard.tmp
Granting sedebugprivilege to Administrators ... successful
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{4062BE82-072D-1033-1205-030523010001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\Documents and Settings\Craig Flannagan\Application Data\CURITY~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
((((((((((((((((((((((((((((((( Files Created from 2006-08-17 to 2006-09-17 ))))))))))))))))))))))))))))))))))
2006-09-17 03:17 40,960 --a------ C:\Look2Me-Destroyer.exe
2006-09-17 00:08 240,000 -r-hs---- C:\WINDOWS\eenyseaA.exe
2006-09-17 00:07 1,147,824 -r-hs---- C:\WINDOWS\eenysea.exe
2006-08-31 00:40 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-08-29 21:41 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-09-17 03:26 -------- d-------- C:\Program Files\Common Files
2006-09-17 02:01 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-17 01:43 -------- d-------- C:\Program Files\Lavasoft
2006-09-17 01:43 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Lavasoft
2006-09-17 00:10 -------- d-------- C:\Program Files\PartyPoker
2006-09-17 00:07 32135 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2006-09-17 00:07 -------- d-------- C:\Program Files\NetMeeting
2006-09-17 00:07 -------- d-------- C:\Program Files\Internet Explorer
2006-09-16 22:37 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-08 22:17 -------- d-------- C:\Program Files\Lumigent
2006-09-07 07:31 -------- d-------- C:\Program Files\Symantec
2006-09-05 19:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-05 19:21 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Symantec
2006-09-03 21:07 -------- d---s---- C:\Documents and Settings\Craig Flannagan\Application Data\Microsoft
2006-09-01 20:02 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Azureus
2006-09-01 17:21 -------- d-------- C:\Program Files\Azureus
2006-08-31 08:50 157184 ---hs---- C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
2006-08-30 23:28 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\AdobeUM
2006-08-29 21:41 -------- d-------- C:\Program Files\Railroad Tycoon 3
2006-08-29 21:34 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-29 21:33 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc2FF.dll
2006-08-14 17:52 78848 --a------ C:\WINDOWS\system32\nsc299.dll
2006-08-08 23:17 -------- d-------- C:\Program Files\VoxCode
2006-08-08 23:01 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-08-08 22:58 -------- d-------- C:\Program Files\Microsoft SQL Server
2006-08-08 22:48 -------- d-------- C:\Program Files\SQLXML 4.0
2006-08-08 22:38 -------- d-------- C:\Program Files\Microsoft Analysis Services
2006-08-08 22:23 -------- d-------- C:\Program Files\IGN
2006-08-08 22:12 -------- d-------- C:\Program Files\Crimson Editor
2006-08-08 22:11 -------- d-------- C:\Program Files\Macromedia
2006-08-08 22:11 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Macromedia
2006-08-08 21:46 -------- d-------- C:\Program Files\MSDN
2006-08-08 21:42 -------- d-------- C:\Program Files\Microsoft.NET
2006-08-08 21:41 -------- d-------- C:\Program Files\Microsoft Device Emulator
2006-08-08 21:40 -------- d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2006-08-08 21:33 -------- d-------- C:\Program Files\MSBuild
2006-08-08 21:33 -------- d-------- C:\Program Files\Microsoft Visual Studio 8
2006-08-08 21:33 -------- d-------- C:\Program Files\HTML Help Workshop
2006-08-08 21:32 -------- d-------- C:\Program Files\Common Files\Merge Modules
2006-08-08 21:26 -------- d-------- C:\Program Files\Common Files\Business Objects
2006-08-08 21:24 -------- d-------- C:\Program Files\CE Remote Tools
2006-08-08 21:22 -------- d-------- C:\Program Files\Microsoft Office
2006-08-07 08:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll
2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-26 18:46 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\Mozilla
2006-07-25 00:39 -------- d-------- C:\Program Files\Messenger
2006-07-25 00:38 -------- d-------- C:\Program Files\Windows Media Player
2006-07-25 00:35 -------- d-------- C:\Program Files\Outlook Express
2006-07-25 00:35 -------- d-------- C:\Program Files\Common Files\System
2006-07-24 22:41 -------- d-------- C:\Program Files\D-Link
2006-07-24 22:41 -------- d-------- C:\Program Files\ANI
2006-07-24 22:21 -------- d-------- C:\Program Files\Movie Maker
2006-07-24 22:16 -------- d-------- C:\Program Files\Windows NT
2006-07-24 22:07 -------- d-------- C:\Program Files\Google
2006-07-24 21:44 -------- d-------- C:\Documents and Settings\Craig Flannagan\Application Data\POPFile
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-19 00:19 -------- d-------- C:\Program Files\Microsoft IntelliType Pro
2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll
2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll
2006-06-19 13:39 139264 --a------ C:\WINDOWS\876056.exe
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"D-Link RangeBooster G WDA-2320"="C:\\Program Files\\D-Link\\RangeBooster G WDA-2320\\AirPlusCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"nwiz"="nwiz.exe /install"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\NetMeeting\\podoci.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Internet Explorer\\mebezane.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,00,04,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hp psc 1000 series.lnk"
"backup"="C:\\WINDOWS\\pss\\hp psc 1000 series.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpohmr08.exe "
"item"="hp psc 1000 series"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpotdd01.exe "
"item"="hpoddt01.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^odduo.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
"backup"="C:\\WINDOWS\\pss\\odduo.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\odduo.exe"
"item"="odduo"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run POPFile.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Run POPFile.lnk"
"backup"="C:\\WINDOWS\\pss\\Run POPFile.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\POPFile\\RUNPOP~1.EXE /startup"
"item"="Run POPFile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrff_e5"
"hkey"="HKLM"
"command"="c:\\\\dfndrff_e5.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eenyseaA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="eenyseaA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\eenyseaA.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdff_e5"
"hkey"="HKLM"
"command"="c:\\\\kybrdff_e5.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="topaff"
"hkey"="HKLM"
"command"="c:\\topaff.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LVCOMSX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMSX"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmff_e5"
"hkey"="HKLM"
"command"="c:\\\\nwnmff_e5.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NVMCTRAY"
"hkey"="HKCU"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PSCloner]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSCloner"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSCloner\\PSCloner.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="c:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MirarSetup_876057"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\MirarSetup_876057.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"Windows Overlay Components"=dword:00000002
"cmdService"=dword:00000002
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1091233308.job
Completion time: Sun 09/17/2006 3:28:34.67
ComboFix.txt
-
Security Expert-Emeritus
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select: Delete on Reboot
- Then click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\eenyseaA.exe
C:\WINDOWS\eenysea.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\system32\nsc2FF.dll
C:\WINDOWS\system32\nsc299.dll
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\876056.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
-------
Once that is done.....
Please download MWav:
- Unzip it to its predetermined directory (C:\Kaspersky)
- Locate kavupd.exe in the new folder and double-click to Update.
- If your firewall gives any messages about this program accessing to internet, allow it.
- If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
- When you see Updates Downloaded Successfully, hit Enter to continue.
- Restart onto Safe Mode and locate the Kaspersky folder.
- Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now let's do the settings:
- Leave the Default Settings checked.
- Add a check to Drives
- This will light up All Drives
- Add a check to Scan all Files
- Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
- Please be sure it has finished before proceeding.
- Once the scan has finished, all entries identified as Infected, will be displayed in the lower panel.
- Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
- Open an empty notepad file and paste the results (Ctrl+V) into it. Save the notepad file to your desktop, naming it as you want (e.g. MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.
-
Thanks again -
Followup report:
Killbox process has been completed. No "PendingFileRenameOperations prompt" came up.
Upon reboot, two popups came up.
Now running mwavscan.com as per your instructions - will follow up with a new HJT when it's done. (28 viruses found so far, 19 deleted)
(posting from my other computer)
-
Two Mwscan logs
Went to sleep at 4am, woke 3 hours later, looked at the scan, thought it was done and realized I had stopped it while it was still in progress, so I ran mwscan a 2nd time (both done in safe mode as per your instructions).
Attached are the 1st and 2nd session logs.
File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos1.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos5.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos7.zip infected by "Password-protected-EXE" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00840000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0004.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00002.VBN infected by "Trojan-Clicker.Win32.VB.is" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN infected by "Trojan-Downloader.Win32.VB.wz" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40002.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40003.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40004.VBN infected by "Trojan-Downloader.Win32.Qoologic.ax" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40005.VBN infected by "Trojan-Dropper.Win32.Mudrop.bq" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40006.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40008.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07CC0001.VBN infected by "Trojan-Downloader.Win32.Small.cyh" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00000.VBN infected by "Trojan-Downloader.Win32.VB.afa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40000.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E40001.VBN infected by "Email-Worm.Win32.NetSky.q" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07F00000.VBN infected by "Email-Worm.Win32.NetSky.aa" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\For future reinstallations\Goodies.zip infected by "Trojan-Downloader.Win32.IstBar.bu" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Local Settings\Temporary Internet Files\Content.IE5\1MLBUOEN\popup[1].htm infected by "Trojan-Clicker.HTML.Agent.a" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.
2nd session:
File C:\!KillBox\876056.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80004.VBN tagged as not-a-virus:AdWare.Win32.CASClient.m. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40000.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07D40001.VBN tagged as not-a-virus:AdWare.Win32.MediaMotor.p. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\cfg32a.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.i. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\MirarSetup_876057.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\repairs303169590.dll tagged as not-a-virus:AdWare.Win32.SurfSide.ap. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\system32\WinNB58.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\SET32E.tmp tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\Documents and Settings\Craig Flannagan\Desktop\infectded\webHancer\Programs\webhdll.dll tagged as not-a-virus:AdWare.Win32.WebHancer.390. No Action Taken.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.614. No Action Taken.
File C:\Program Files\NetMeeting\podoci.html infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037194.exe infected by "Trojan-Downloader.Win32.Small.ajc" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037197.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037211.exe infected by "Trojan-Downloader.Win32.Qoologic.at" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037217.exe infected by "Trojan-Downloader.Win32.Agent.aqx" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037220.exe infected by "Trojan-PSW.Win32.LdPinch.arr" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037300.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037302.exe infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037303.dll infected by "Trojan-Downloader.Win32.Qoologic.bj" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037317.exe tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037327.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037328.dll infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037329.ocx tagged as not-a-virus:AdWare.Win32.MediaMotor.m. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037330.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037331.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037332.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037333.dll tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037334.exe tagged as not-a-virus:Monitor.Win32.NetMon.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037335.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037336.exe infected by "Trojan-Downloader.Win32.Small.ctp" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037337.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037339.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037340.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037341.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037342.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037343.dll tagged as not-a-virus:AdWare.Win32.Mirar.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037344.dll tagged as not-a-virus:AdWare.Win32.Ucmore.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037345.exe tagged as not-a-virus:AdWare.Win32.MediaMotor.o. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037346.exe tagged as not-a-virus:AdWare.Win32.WebHancer.351. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037347.dll tagged as not-a-virus:AdWare.Win32.WebHancer. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037348.dll tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037349.exe tagged as not-a-virus:AdWare.Win32.CommAd.a. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037353.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037358.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037363.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037364.exe infected by "Trojan-Downloader.Win32.Dyfuca.ey" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037365.dll infected by "Trojan-Downloader.Win32.Agent.agw" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037366.exe tagged as not-a-virus:AdWare.Win32.Agent.ag. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037367.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037368.exe infected by "Trojan-Downloader.Win32.Qoologic.c" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037369.exe tagged as not-a-virus:AdWare.Win32.BookedSpace.h. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037404.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037405.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037406.dll tagged as not-a-virus:AdWare.Win32.Look2Me.ab. No Action Taken.
File C:\System Volume Information\_restore{0EEB65D8-2E83-4030-BD3C-77CAA83470B1}\RP268\A0037457.exe tagged as not-a-virus:AdWare.Win32.SaveNow.bj. No Action Taken.
File C:\WINDOWS\pss\odduo.exeCommon Startup infected by "Backdoor.Win32.Hupigon.cj" Virus. Action Taken: File Deleted.
-
And my latest HJT after the mwscans. I'm still getting popups.. one that asks me to install DriverCleaner (from DriverCleaner, Inc.. a .cab file with "Install/Don't Install" option) and later 3 more popups.. just regular ads.
Logfile of HijackThis v1.99.1
Scan saved at 2:48:24 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
-
Let me know if I'm missing anything else in terms of logs
-
Just a follow up while I'm awaiting reply..
I know that helpers here would probably frown if I take things into my own hands, but I figured this action was easy and relatively straightforward (low risk potential)
When I noticed this line:
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
I went to IE and removed the ActiveX object from the list.
Popups have stopped.. I haven't seen any in the last few hours..
Newest HJT:
Logfile of HijackThis v1.99.1
Scan saved at 11:48:52 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [D-Link RangeBooster G WDA-2320] C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D4EDEB-9A7A-49A3-A149-596051162C97} (HOVRSConnector.Connector) - https://secure.hovrs.com/vrs_ssl/Vid...etup/setup.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/zuma/def...ploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
-
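As an added triage example (not from the thread, and not part of HijackThis itself), the script below parses the section lines of a HijackThis 1.99 log and flags the kinds of entries that mattered here: an O16 ActiveX download from a host outside a trusted list, O23 services whose path HJT reports as missing, and startup items given as bare filenames. The sample lines and the trusted-host list are constructed for the demo from entries that appear in the thread; a real triage would use a curated host list.

```python
"""Triage the section lines of a HijackThis 1.99.x log.

Added example for this thread. SAMPLE_LOG and TRUSTED_HOSTS are constructed
from entries that appear in the thread, not a vetted reference list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence
from urllib.parse import urlparse

# Every HJT section line is "<code> - <body>", e.g. "O16 - DPF: ...".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Constructed sample: a few lines copied from the logs posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = microweb
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
"""

# Constructed allowlist: hosts the thread's other O16 entries point at.
TRUSTED_HOSTS = ("snapfish.com", "msn.com", "hovrs.com", "webcamnow.com")


@dataclass
class Entry:
    code: str  # section code, e.g. "O16"
    body: str  # everything after "<code> - "


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    code: str
    reason: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only section lines; headers and the running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def o16_host(body: str) -> Optional[str]:
    """O16 bodies end with ' - <url>': the .cab the control was downloaded from."""
    url = body.rsplit(" - ", 1)[-1].strip()
    host = urlparse(url).hostname
    return host.lower() if host else None


def host_trusted(host: str, trusted: Sequence[str]) -> bool:
    """Exact or subdomain match against the allowlist."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def o4_image(body: str) -> str:
    """O4 bodies look like 'HKLM\\..\\Run: [name] <command>'; return the executable."""
    cmd = body.split("] ", 1)[-1].strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(entries: List[Entry], trusted_hosts: Sequence[str]) -> List[Finding]:
    findings: List[Finding] = []
    for e in entries:
        if e.code == "O16":
            host = o16_host(e.body)
            if host is None or not host_trusted(host, trusted_hosts):
                findings.append(Finding("high", e.code, f"ActiveX control fetched from untrusted host {host!r}", e.body))
        elif e.code == "O23" and "(file missing)" in e.body:
            # HJT could not find the binary at the path it parsed; check the real ImagePath by hand.
            findings.append(Finding("medium", e.code, "service binary not found at recorded path; verify manually", e.body))
        elif e.code == "O4":
            img = o4_image(e.body)
            if "\\" not in img:  # bare name: resolved through PATH, so worth confirming
                findings.append(Finding("info", e.code, f"startup item {img!r} is a bare filename", e.body))
        elif e.code == "R1" and "ProxyOverride" in e.body:
            findings.append(Finding("info", e.code, "proxy bypass list is set; confirm it is expected", e.body))
    return findings


def triage_sample() -> List[Finding]:
    return triage(parse_hjt(SAMPLE_LOG), TRUSTED_HOSTS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n    {f.body}")
```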
Security Expert-Emeritus
It was indeed a bad entry
Delete the following folder:
C:\Documents and Settings\Craig Flannagan\Desktop\infectded
Empty recycle bin...
----
Updating Java and Clearing Cache
- Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
- Search in the list for all previously installed versions of Java (J2RE Runtime Environment...).
It should have this icon next to it:
Select it and click Remove.
- Now please install the Java Runtime Environment (JRE) 5.0 Update 8 manually.
- Note: reboot the computer after updating.
- After the reboot, go back into the Control Panel and double-click the Java icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache. Leave ALL 3 checked:
  - Downloaded Applets
  - Downloaded Applications
  - Other Files
- Click OK on the Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Java Control Panel.
---
How's the system running?
Proud Member of
ASAP since 2005.