
Thread: IE Closes & Products keep being checked to ignore in scan and slow

  1. #1
    Member | Join Date: Oct 2006 | Location: Southern Louisiana | Posts: 54

    IE Closes & Products keep being checked to ignore in scan and slow

    Hi,

    I have 3 computer quirks that have slowly come up in the last 4-6 weeks.
    They are:
    * Computer is extremely SLOW to start up and shut down.
    * Sporadically, there are delayed responses to my actions (clicking, typing, etc.). It can be when I am typing into the search box, preparing a post or closing a window.
    * Approx. 1-2 minutes after opening IE, it suddenly closes. After I reopen IE, it runs great. Strangely, IE only closes on the initial IE opening.

    Both Ad-Aware SE Personal Build 1.06r1 and Spybot-S&D 1.4 were run, and anything found was cleaned.

    I have a few questions about my Spybot S&D 1.4 settings.
    There are a few "ignore product" check marks that I DID NOT check.
    I uncheck them, but the next time they are checked again:
    CDilla PUPS
    CDilla Revision sbi
    SideStep PUPS

    I don't understand why I can't keep them unchecked, and what are they?

    I would like advice on where to proceed since these problems remain.

    Thank you so kindly for any & all assistance.
    J-escalader72


    ___________________________________

    Here is my Spybot S&D log
    --- Search result list ---
    --- System information ---
    Windows XP (Build: 2600) Service Pack 1
    / DataAccess: Microsoft Data Access Components KB870669
    / DataAccess: Security update for Microsoft Data Access Components
    / DataAccess: Security Update for Microsoft Data Access Components
    / DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
    / Windows Media Player: Windows Media Player Hotfix [See KB837272 for more information]
    / Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
    / Windows Media Player: Windows Media Update 817787
    / Windows Media Player: Windows Media Update 819639
    / Windows Media Player: Windows Media Update 828026
    / Windows XP / SP0: Windows Media Player Hotfix [See KB837272 for more information]
    / Windows XP / SP1: Windows XP Service Pack 1a
    / Windows XP / SP2: Windows XP Hotfix - KB810217
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See KB810243 for more information]
    / Windows XP / SP2: Windows XP Hotfix - KB820291
    / Windows XP / SP2: Windows XP Hotfix - KB821253
    / Windows XP / SP2: Windows XP Hotfix - KB821557
    / Windows XP / SP2: Windows XP Hotfix - KB822603
    / Windows XP / SP2: Windows XP Hotfix - KB823182
    / Windows XP / SP2: Windows XP Hotfix - KB823559
    / Windows XP / SP2: Windows XP Hotfix - KB824105
    / Windows XP / SP2: Windows XP Hotfix - KB824141
    / Windows XP / SP2: Windows XP Hotfix - KB824146
    / Windows XP / SP2: Windows XP Hotfix - KB825119
    / Windows XP / SP2: Windows XP Hotfix - KB828028
    / Windows XP / SP2: Windows XP Hotfix - KB828035
    / Windows XP / SP2: Windows XP Hotfix - KB828741
    / Windows XP / SP2: Windows XP Hotfix - KB833998
    / Windows XP / SP2: Windows XP Hotfix - KB835409
    / Windows XP / SP2: Windows XP Hotfix - KB835732
    / Windows XP / SP2: Windows XP Hotfix - KB837001
    / Windows XP / SP2: Windows XP Hotfix - KB839645
    / Windows XP / SP2: Windows XP Hotfix - KB840315
    / Windows XP / SP2: Windows XP Hotfix - KB840374
    / Windows XP / SP2: Windows XP Hotfix - KB841873
    / Windows XP / SP2: Windows XP Hotfix - KB842773
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q322011
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q323255 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q327979
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q328310
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329048 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329115 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q329170
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329390 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q329441
    / Windows XP / SP2: Windows XP Hotfix (SP2) [See Q329834 for more information]
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810565
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810577
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q810833
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q811493
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q811630
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q814033
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q814995
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q815021
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q817287
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q817606
    / Windows XP / SP2: Windows XP Hotfix (SP2) Q819696
    / Windows XP / SP3: Windows XP Hotfix - KB885626
    / Windows XP / SP3: Windows Installer 3.1 (KB893803)


    --- Startup entries list ---
    Located: HK_LM:Run, _AntiSpyware
    command: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    file: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    size: 114688
    MD5: e75d193fc5f228b11e2c7b115320ef34

    Located: HK_LM:Run, blpgvyqlphz
    command: C:\WINDOWS\System32\tpttvtx.exe
    file:

    Located: HK_LM:Run, dla
    command: C:\WINDOWS\system32\dla\tfswctrl.exe
    file: C:\WINDOWS\system32\dla\tfswctrl.exe
    size: 106549
    MD5: 6d21f9202a24b36e7cb10e8ed9f9de37

    Located: HK_LM:Run, MCUpdateExe
    command: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    file: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, NvCplDaemon
    command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    file: C:\WINDOWS\system32\RUNDLL32.EXE
    size: 31744
    MD5: 0fb22dd37c17f80ad71316049f725170

    Located: HK_LM:Run, SunJavaUpdateSched
    command: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    file: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, ViewMgr
    command: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    file: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, HP Software Update (DISABLED)
    command: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    file: C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, MCAgentExe (DISABLED)
    command: c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    file: c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, Microsoft Works Portfolio (DISABLED)
    command: C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    file:

    Located: HK_LM:Run, Microsoft Works Update Detection (DISABLED)
    command: C:\Program Files\Microsoft Works\WkDetect.exe
    file: C:\Program Files\Microsoft Works\WkDetect.exe
    size: 28739
    MD5: 3141750fad211c6dadf7c2dc2ec74da8

    Located: HK_LM:Run, nwiz (DISABLED)
    command: nwiz.exe /install
    file: C:\WINDOWS\system32\nwiz.exe
    size: 364544
    MD5: fa537c72dc6d4f74b3d8a87f7cfbb6ac

    Located: HK_LM:Run, Share-to-Web Namespace Daemon (DISABLED)
    command: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    file: C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    size: 69632
    MD5: d5bc63d2822b8e244e53d2ff8078cc6b

    Located: HK_LM:Run, Show missed alarms (DISABLED)
    command: C:\Program Files\Alarm\Alarm.exe
    file: C:\Program Files\Alarm\Alarm.exe
    size: 225704
    MD5: 03166938b9183861a323cc79469feafa

    Located: HK_LM:Run, TkBellExe (DISABLED)
    command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    size: 25600
    MD5: b1babd95db16dfea7cd7206169b71cbb

    Located: HK_LM:Run, VirusScan Online (DISABLED)
    command: "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    file: c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    size: 163840
    MD5: 3fe1e841ed8483f7a75a1e86f6fc2216

    Located: HK_LM:Run, VSOCheckTask (DISABLED)
    command: "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    file: c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
    size: 122880
    MD5: 90cf41e5d4e8d3a88d8630da5c3b7a3a

    Located: HK_LM:Run, WildTangent CDA (DISABLED)
    command: RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
    file: C:\WINDOWS\system32\RUNDLL32.exe
    size: 31744
    MD5: 0fb22dd37c17f80ad71316049f725170

    Located: HK_LM:Run, WinTools (DISABLED)
    command: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    file:

    Located: HK_LM:Run, WorksFUD (DISABLED)
    command: C:\Program Files\Microsoft Works\wkfud.exe
    file: C:\Program Files\Microsoft Works\wkfud.exe
    size: 24576
    MD5: 9d05d00e8631b7874d164d6dedd6d801

    Located: HK_CU:Run, Weather (DISABLED)
    command: C:\Program Files\AWS\WeatherBug\Weather.exe 1
    file:

    Located: HK_CU:Run, Yahoo! Pager (DISABLED)
    command: "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    file:

    Located: Startup (common), Google Updater.lnk (DISABLED)
    command: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    file: C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    size: 114616
    MD5: f6a23759e3ad31c8537244f4e7b28f1d

    Located: Startup (common), ymetray.lnk (DISABLED)
    command: C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    file: C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    size: 49152
    MD5: 92200938d2a67a41b334b2dcaf55e674

    Located: Startup (disabled), Adobe Reader Speed Launch.lnk (DISABLED)
    command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
    file:

    Located: Startup (disabled), Alarm Clock Icon.lnk (DISABLED)
    command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Clock Icon.lnk.disabled
    file:

    Located: Startup (disabled), America Online 7.0 Tray Icon (DISABLED)
    command: C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
    file: C:\PROGRA~1\AMERIC~1.0\aoltray.exe
    size: 32839
    MD5: 383f838bcc2b44152b5e2f5046d3108a

    Located: Startup (disabled), Enable Labtec Wireless Desktop (DISABLED)
    command: C:\PROGRA~1\LABTEC~1\MagicKey.exe
    file: C:\PROGRA~1\LABTEC~1\MagicKey.exe
    size: 258048
    MD5: 16cdc77415303f87fd617c5aaf9348c7

    Located: Startup (disabled), Microsoft Office (DISABLED)
    command: C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l
    file: C:\PROGRA~1\MICROS~4\Office\OSA9.EXE
    size: 65588
    MD5: ffdc3bcba32d5947cb628086193eba19

    Located: Startup (disabled), Microsoft Works Calendar Reminders (DISABLED)
    command: C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
    file: C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\wkcalrem.exe
    size: 24633
    MD5: 7084b58a098d2f83b304832251a8c6a8

    Located: Startup (disabled), msoffice (DISABLED)
    command: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msoffice.exe
    file:

    Located: System.ini, crypt32chain
    command: crypt32.dll
    file: crypt32.dll

    Located: System.ini, cryptnet
    command: cryptnet.dll
    file: cryptnet.dll

    Located: System.ini, cscdll
    command: cscdll.dll
    file: cscdll.dll

    Located: System.ini, igfxcui
    command: igfxsrvc.dll
    file: igfxsrvc.dll

    Located: System.ini, ScCertProp
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, Schedule
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, sclgntfy
    command: sclgntfy.dll
    file: sclgntfy.dll

    Located: System.ini, SensLogn
    command: WlNotify.dll
    file: WlNotify.dll

    Located: System.ini, termsrv
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, wlballoon
    command: wlnotify.dll
    file: wlnotify.dll

    Located: System.ini, WRNotifier
    command: WRLogonNTF.dll
    file: WRLogonNTF.dll
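    The Spybot "Startup entries list" above is the kind of log a malware-removal helper reads by eye. As an added example for this thread (not Spybot's or the forum's own code), the Python script below parses that block format and flags the three things worth looking at first: an entry whose `file:` field Spybot left empty (the command could not be resolved to a file on disk), a value name that looks randomly generated, and one MD5 reported for several differently named executables. The sample input is excerpted from the log above; the random-name rule (eight or more letters, no vowel) and the shared-hash rule are this example's own heuristics, not Spybot rules, and a hit means "look closer", not "infected".

```python
"""Triage helper for Spybot S&D's "Startup entries list" text format.

Added example for this thread; this is not Spybot's or the forum's own code.
The two flagging rules below are assumptions of this example, not Spybot rules.
"""
import re
from collections import defaultdict

# Sample input excerpted from the Spybot log posted above (five of its entries).
SAMPLE_LOG = r"""
--- Startup entries list ---
Located: HK_LM:Run, _AntiSpyware
command: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
file: C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
size: 114688
MD5: e75d193fc5f228b11e2c7b115320ef34

Located: HK_LM:Run, blpgvyqlphz
command: C:\WINDOWS\System32\tpttvtx.exe
file:

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb

Located: HK_LM:Run, ViewMgr
command: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
file: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb

Located: HK_LM:Run, TkBellExe (DISABLED)
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 25600
MD5: b1babd95db16dfea7cd7206169b71cbb
"""

# "Located: <where>, <name>" with an optional " (DISABLED)" suffix on the name.
LOCATED_RE = re.compile(
    r"^Located:\s*(?P<where>[^,]+),\s*(?P<name>.*?)(?P<disabled>\s\(DISABLED\))?$")
VOWELS = set("aeiou")


def parse_startup_entries(text):
    """Split the log into one dict per 'Located:' block; missing fields stay empty."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCATED_RE.match(line)
        if m:
            current = {"where": m.group("where").strip(), "name": m.group("name").strip(),
                       "disabled": m.group("disabled") is not None,
                       "command": "", "file": "", "size": None, "md5": ""}
            entries.append(current)
            continue
        if current is None or ":" not in line:
            continue  # section headers such as "--- Startup entries list ---"
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in ("command", "file"):
            current[key] = value
        elif key == "size" and value.isdigit():
            current["size"] = int(value)
        elif key == "md5":
            current["md5"] = value.lower()
    return entries


def looks_random(name):
    """Heuristic (this example's assumption): 8+ letters with no vowel at all
    is unlike any vendor-chosen Run value name."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 8 and not any(c in VOWELS for c in letters)


def triage(entries):
    """Return (entry name, reason) pairs that deserve a closer look."""
    files_by_md5 = defaultdict(set)
    for e in entries:
        if e["md5"]:
            files_by_md5[e["md5"]].add(e["file"].lower())
    findings = []
    for e in entries:
        if e["command"] and not e["file"]:
            findings.append((e["name"], "file: is empty, so the command could not be resolved to a file on disk"))
        if looks_random(e["name"]):
            findings.append((e["name"], "value name looks randomly generated"))
        shared = files_by_md5.get(e["md5"], set())
        if len(shared) > 1:
            findings.append((e["name"], f"MD5 {e['md5']} is reported for {len(shared)} different files"))
    return findings


if __name__ == "__main__":
    for name, reason in triage(parse_startup_entries(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```

    Run against the excerpt, the script flags the `blpgvyqlphz` entry twice (unresolved file and random-looking name) and the three entries that share one MD5 once each; the McAfee entry passes clean. Paste a whole Spybot log into `SAMPLE_LOG` and the same three checks run over every block.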

  2. #2
    Security Expert-Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 3,934

    Hi j-escalader72 and welcome to the Safer Networking Forums

    You got some infections there...

    Post a HijackThis log here:
    • Please download HijackThis to your desktop -> HijackThis 1.99.1
    • Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
    • Run HijackThis.exe
    • Click on Do a system scan and save a logfile
    • Wait for the scan to end; a logfile will pop up in a Notepad document
    • Please copy that log and paste it into your thread

    Then we'll continue
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Member | Join Date: Oct 2006 | Location: Southern Louisiana | Posts: 54

    Mr Jak,
    Thank you for the welcome and your quick response.
    Here is my HJT Log.
    Let me know what to do next.

    Take Care,
    J-escalader72
    _________________________________


    Logfile of HijackThis v1.99.1
    Scan saved at 8:44:59 PM, on 10/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\LxrJD31s.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\ie.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    O4 - HKLM\..\Run: [blpgvyqlphz] C:\WINDOWS\System32\tpttvtx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - Global Startup: Google Updater.lnk.disabled
    O4 - Global Startup: ymetray.lnk.disabled
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://usmilitary.about.com
    O15 - Trusted Zone: http://www.la.ngb.army.mil
    O15 - Trusted Zone: http://www.armyonesource.com
    O15 - Trusted Zone: http://home.bellsouth.net
    O15 - Trusted Zone: http://www.juno.com
    O15 - Trusted Zone: www.militaryonesource.com
    O15 - Trusted Zone: http://www.hotmail.msn.com
    O15 - Trusted Zone: groups.msn.com
    O15 - Trusted Zone: www.msnusers.com
    O15 - Trusted Zone: http://vil.nai.com
    O15 - Trusted Zone: *.nextel.com
    O15 - Trusted Zone: http://loginnet.passport.com
    O15 - Trusted Zone: http://*.subratam.org
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccom...ad/tgctlcm.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...ex-2.0.3.1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

  4. #4
    Security Expert-Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 3,934

    Hi again

    One or more of the identified infections has backdoor capabilities.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
    When Should I Format, How Should I Reinstall

    However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  5. #5
    Member | Join Date: Oct 2006 | Location: Southern Louisiana | Posts: 54

    Thank you for the info.

    I am wondering when this happened, because lately, when I was updating my security stuff to the updated version, I noticed my McAfee had stopped showing as active in my lower toolbar. Don't know where it went.

    I don't do any banking or financial transactions on the PC. I am currently changing all passwords. I guess I need to isolate and get rid of the bug.
    I'd like to inform you that I have various personal challenges due to a serious accident. As far as reformatting or redoing my 'puter, I would become too overwhelmed. My finances are very limited. I can follow most directions pretty well, but if too extensive I just shut down. Please advise my next step to get rid of the bug. If you would like, you can IM for quicker info.

    Thank you so very kindly for your assistance.
    J-escalader

  6. #6
    Security Expert-Emeritus | Join Date: Oct 2006 | Location: Finland | Posts: 3,934

    Hi again and sorry for the delay, I've been busy.

    I'll be happy to help you with the cleaning process

    Some of McAfee's startup entries have been disabled; you should enable them again.

    Start -> Run -> type the following without quotes and hit Ok, "msconfig"
    Click on the "Startup" tab and checkmark all the following entries:

    MCAgentExe
    VirusScan Online
    VSOCheckTask

    Hit Apply and Ok, close the window.
    Reboot the computer, McAfee should be enabled now.

    Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.

    Please post an uninstall list here.
    • Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list... button and specify where you would like to save this file.
    • When you press the Save button, a Notepad window will open with the contents of that file.
    • Simply copy and paste the contents of that Notepad window here in your next reply.

    Go to Start >Run and type "Notepad" without the quotes
    Copy the text from the quotebox to Notepad.
    Go to the menu at the top of the Notepad file and Save as:
    • Name the file peek.bat
    • Save as Type: All files
    • Select the desktop icon on the left to save it on the desktop.

    Double click on peek.bat and let it run.
    When finished, it will open a file in Notepad.
    That file will be named startup.txt.
    Please post the contents of startup.txt in your next reply here.

    @echo off
    rem Export MSConfig's two lists of disabled startup items (registry Run values
    rem and Startup-folder shortcuts) to temporary .reg-format text files
    regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
    regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
    rem Start with a fresh startup.txt so an earlier run's output is not appended to
    if exist startup.txt del startup.txt
    type peek1.txt >> startup.txt
    type peek2.txt >> startup.txt
    del peek*.txt
    start notepad startup.txt

    Then we'll continue
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  7. #7
    Member | Join Date: Oct 2006 | Location: Southern Louisiana | Posts: 54

    Mr Jak,
    Thank you.
    I am confused about what you really wanted me to do with the new Notepad stuff.

    I was unsure how long it would take to run the peek.bat. (After waiting 10 min. I figured I had done something incorrect.) So I restarted the instructions again. It took me about an hour to figure out the instructions on what to do, and it only took a few seconds to give the peek.bat results, and I hope this is what you need.

    But here goes.


    uninstall list

    Ad-Aware SE Personal
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Download Manager 1.2 (Remove Only)
    Adobe Photoshop Album 2.0 Starter Edition
    Adobe Reader 7.0
    America Online
    AOL Coach Version 1.0(Build:20020605.1)
    AOL Instant Messenger
    ArcSoft Software Suite
    Belarc Advisor 6.0
    BellSouth FastAccess DSL WEB Controls
    BellSouth® Communications Suite
    BroadJump Client Foundation
    Calc98
    Creative WebCam Instant Driver (1.01.02.0729)
    Detto IntelliMover Demo
    DirectX 9 Hotfix - KB839643
    Disney's Lilo and Stitch Pinball
    DLA
    ewido security suite
    FileAlyzer 1.1i
    FoneSync
    Google Earth
    Google Toolbar for Internet Explorer
    Google Updater
    Hemera Products
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    HijackThis 1.99.1
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Format SDK (KB910998)
    hp center
    hp deskjet 3320 series (Remove only)
    hp instant support
    HP Memories Disc
    HP Photo and Imaging 1.0 - Scanjet 3500c Series
    HP Photo and Imaging 1.1 - Photosmart Cameras
    HP Photo and Imaging 2.0 - Scanners
    HP Photosmart Essential
    HP Software Update
    hp toolkit
    ImageMixer
    Inactive HP Printer Drivers (Remove only)
    Intel(R) Extreme Graphics Driver
    Intel® Create & Share® Software
    InterActual Player
    Internet Explorer Q867801
    InterVideo WinDVD
    iPod Update 2004-04-28
    J2SE Runtime Environment 5.0 Update 3
    Java 2 Runtime Environment, SE v1.4.2_05
    JD Secure 3.1
    Juno 6
    Kaspersky On-line Scanner
    KBD
    Labtec Wireless Desktop
    Lernout & Hauspie TruVoice American English TTS Engine
    LimeWire 4.12.3
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    Macromedia Flash MX 2004
    Macromedia Flash Player 8
    Macromedia Shockwave Player
    MathPlayer
    McAfee AntiSpyware
    McAfee SecurityCenter
    McAfee VirusScan Professional
    Microsoft Chat 2.5
    Microsoft Data Access Components KB870669
    Microsoft Internet Explorer 5 PowerTweaks Web Accessory
    Microsoft Office Excel Viewer 2003
    Microsoft PowerPoint Viewer 97
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Word 2000 SR-1
    Microsoft Works 2001 Setup Launcher
    Microsoft Works 6.0
    Microsoft Works Suite Add-in for Microsoft Word
    MicroStaff WINASPI
    Moffsoft FreeCalc
    Mozilla Firefox (1.5.0.7)
    MSN Add-in for Windows Messenger
    MSN Gaming Zone
    MSN Messenger 7.5
    MSN Toolbar
    MUSICMATCH Jukebox
    NVIDIA Windows 2000/XP Display Drivers
    Outlook Express Q823353
    PC-Doctor for Windows
    PigPen
    Python 2.2 combined Win32 extensions
    Python 2.2.1
    Quicken Financial Center
    QuickTime
    RealPlayer
    RTC Client API v1.2
    SabreWing 2
    Snowboard Extreme
    Space Rocks
    Speedway
    Spy Sweeper
    Spybot - Search & Destroy 1.4
    Talking Alarm Clock
    Ultra WinCleaner One Click! Version 8.0
    upapp
    Virtual Warfare
    Westell Firmware Upgrade
    Windows Installer 3.1 (KB893803)
    Windows Media Format Runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player Hotfix [See KB837272 for more information]
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Hotfix - KB810217
    Windows XP Hotfix - KB820291
    Windows XP Hotfix - KB821253
    Windows XP Hotfix - KB821557
    Windows XP Hotfix - KB822603
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB823559
    Windows XP Hotfix - KB824105
    Windows XP Hotfix - KB824141
    Windows XP Hotfix - KB824146
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB828028
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB833998
    Windows XP Hotfix - KB835409
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB837001
    Windows XP Hotfix - KB839645
    Windows XP Hotfix - KB840315
    Windows XP Hotfix - KB840374
    Windows XP Hotfix - KB841873
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB885626
    Windows XP Hotfix (SP2) [See Q329048 for more information]
    Windows XP Hotfix (SP2) [See Q329115 for more information]
    Windows XP Hotfix (SP2) [See Q329390 for more information]
    Windows XP Hotfix (SP2) [See Q329834 for more information]
    Windows XP Hotfix (SP2) Q322011
    Windows XP Hotfix (SP2) Q327979
    Windows XP Hotfix (SP2) Q328310
    Windows XP Hotfix (SP2) Q329170
    Windows XP Hotfix (SP2) Q329441
    Windows XP Hotfix (SP2) Q810565
    Windows XP Hotfix (SP2) Q810577
    Windows XP Hotfix (SP2) Q810833
    Windows XP Hotfix (SP2) Q811493
    Windows XP Hotfix (SP2) Q814033
    Windows XP Hotfix (SP2) Q814995
    Windows XP Hotfix (SP2) Q815021
    Windows XP Hotfix (SP2) Q817287
    Windows XP Hotfix (SP2) Q817606
    Windows XP Hotfix (SP2) Q819696
    WordPerfect Productivity Pack
    WordPerfect Productivity Pack
    Yahoo! Address AutoComplete
    Yahoo! extras
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Toolbar

    Startup list

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, good work

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    First we'll handle the disabled startups....
    Please open Spybot S&D -> Mode -> Advanced mode
    Select Tools -> System startup

    Enable (checkmark) the following entries:

    MCAgentExe
    VirusScan Online
    VSOCheckTask


    Then, delete the following entries (select the entry with the mouse and hit Delete)
    WinTools
    Weather

    Close Spybot S&D.

    Make your hidden files visible:
    • Go to My Computer
    • Select the Tools menu and click Folder Options
    • Click the View tab.
    • Checkmark the "Display the contents of system folders"
    • Under the Hidden files and folders select "Show hidden files and folders"
    • Uncheck "Hide protected operating system files"
    • Click Apply, then OK, and close My Computer.


    ==================

    Go to virustotal.com
    Click on the Browse button
    Browse to the following file: C:\WINDOWS\ie.exe
    Click Open and then on Send
    Wait for the scan to end.

    Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") to download Silent Runners.
    • Save it to the desktop.
    • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

    ================

    When you're ready, post the following logs here:
    - Silent Runners log
    - a fresh HijackThis log
    - results from virustotal scan
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  9. #9
    Member
    Join Date
    Oct 2006
    Location
    Southern Louisiana
    Posts
    54

    Smile

    Mr Jak,
    Thank you so much for your prompt assistance.
    As you requested, I am posting the following logs for you.

    - silent runners log
    Jay Escalader

    "Silent Runners .vbs", revision 49,
    OS: Windows XP
    Startup items buried in registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
    "ie.exe" = "C:\WINDOWS\ie.exe" [null data]

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" [file not found]
    "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
    "Acme.PCHButton" = "C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe" ["Motive Communications, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [null data]
    "_AntiSpyware" = "C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe" ["Network Associates, Inc."]
    "blpgvyqlphz" = "C:\WINDOWS\System32\tpttvtx.exe" [file not found]
    "dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["VERITAS Software, Inc."]
    "NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
    "MCAgentExe" = "c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [null data]
    "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [null data]
    "StorageGuard" = ""C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r" [file not found]
    "Share-to-Web Namespace Daemon" = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
    "Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string]
    "Propel Accelerator" = "C:\PROGRA~1\BELLSO~1\PropelAC.exe" [file not found]
    "LTMSG" = "LTMSG.exe 7" ["Agere Systems"]
    "KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"]
    "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
    "hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" ["HP"]
    "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
    "CamMonitor" = "c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [empty string]
    "BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."]
    "BellSouthSyn" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize" ["BellSouth"]
    "BellSouthScheduler" = "C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler" ["BellSouth"]
    "VirusScan Online" = ""c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"" ["Networks Associates Technology, Inc"]
    "VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]

    HKLM\Software\Microsoft\Active Setup\Installed Components\
    >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
    >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
    \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
    {8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
    \StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
    {94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
    \StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "AcroIEHlprObj Class"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "UberButton Class"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]
    {65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "YahooTaggedBM Class"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll__BHODemonDisabled" [file not found]
    {9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "ST"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "Google Toolbar Helper"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
    {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "MSNToolBandBHO"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
    -> {HKLM...CLSID} = "Desktop Explorer"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
    "{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
    -> {HKLM...CLSID} = "DriveLetterAccess"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["VERITAS Software, Inc."]
    "{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
    -> {HKLM...CLSID} = "America Online"
    \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
    -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
    \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
    "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
    "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
    -> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
    "{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"
    -> {HKLM...CLSID} = "WayTech MultiMouse Extension"
    \InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
    \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    <<!>> "{F2A0229A-C4CA-4789-B606-973D24DCDD1C}" = "McAfee AntiSpyware Shell Extension"
    -> {HKLM...CLSID} = "McAfee AntiSpyware Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\McAfee\McAfee AntiSpyware\MssShell.dll" ["Network Associates, Inc."]
    <<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
    \InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\System\CurrentControlSet\Control\SecurityProviders\
    <<!>> ("zwebauth.dll" [MS]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
    HKLM\System\CurrentControlSet\Control\Session Manager\
    <<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    <<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
    <<!>> WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]
    HKLM\Software\Classes\PROTOCOLS\Filter\
    <<!>> application/xhtml+xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
    -> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
    \InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
    <<!>> text/xml\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
    -> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
    \InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
    <<!>> text/xml; charset=iso-8859-1\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
    -> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
    \InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
    <<!>> text/xml; charset=utf-8\CLSID = "{32F66A26-7614-11D4-BD11-00104BD3F987}"
    -> {HKLM...CLSID} = "MathPlayer Mime Filter Class"
    \InProcServer32\(Default) = "C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll" ["Design Science, Inc."]
    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
    -> {HKLM...CLSID} = "YMailShellExt Class"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20041123.dll" ["Yahoo! Inc."]
    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"
    -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"
    \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]
    Group Policies {policy setting}:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Devices: Allow undock without having to log on}

    Active Desktop and Wallpaper:
    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\Owner\My Documents\My Pictures\Gif & jpg pictures\PhotoImpression4.bmp"

    Enabled Screen Saver:
    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]

    Startup items in "Owner" & "All Users" startup folders:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    <<!>> "Adobe Reader Speed Launch.lnk.disabled" [null data]
    <<!>> "Alarm Clock Icon.lnk.disabled" [null data]
    "America Online 7.0 Tray Icon" -> shortcut to: "C:\Program Files\America Online 7.0\aoltray.exe -check" ["America Online, Inc."]
    "Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MagicKey.exe" [empty string]
    <<!>> "Google Updater.lnk.disabled" [null data]
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
    "Microsoft Works Calendar Reminders" -> shortcut to: "C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe" ["Microsoft® Corporation"]
    <<!>> "ymetray.lnk.disabled" [null data]

    Enabled Scheduled Tasks:
    "Chancy 's School time" -> launches: "C:\Program Files\Alarm\Alarm.exe "Chancy 's School time"" ["Cinnamon Software Inc."]
    "McAfee.com Update Check (FAMILY-CHANCY)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
    "McAfee.com Update Check (FAMILY-GUESS WHO)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
    "McAfee.com Update Check (FAMILY-Hanson2)" -> launches: "C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule" [null data]
    "McAfee.com Update Check (FAMILY-Owner)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
    "McAfee.com Update Check (FAMILY-rhino)" -> launches: "C:\PROGRA~1\mcafee.com\agent\mcupdate.exe /Schedule" [null data]
    "Yahoo" -> launches: "C:\Program Files\Alarm\Alarm.exe Yahoo" ["Cinnamon Software Inc."]

    Winsock2 Service Provider DLLs:
    Namespace Service Providers
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:
    Toolbars
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
    -> {HKLM...CLSID} = "MSN"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = (no title provided)
    -> {HKLM...CLSID} = "hp toolkit"
    \InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
    "{BA52B914-B692-46C4-B683-905236F6F655}" = "McAfee VirusScan"
    -> {HKLM...CLSID} = "McAfee VirusScan"
    \InProcServer32\(Default) = "c:\progra~1\mcafee.com\vso\mcvsshl.dll" ["Networks Associates Technology, Inc"]
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
    -> {HKLM...CLSID} = "MSN"
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll" [MS]
    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
    -> {HKLM...CLSID} = "Yahoo! Toolbar"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
    -> {HKLM...CLSID} = "&Google"
    \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

    Explorer Bars
    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "&Yahoo! Messenger"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "&Yahoo! Messenger"
    \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" [file not found]
    {8F4902B6-6C04-4ADE-8052-AA58578A21BD}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "hp toolkit"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

    HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\(Default) = "hp toolkit"
    Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
    InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]

    Extensions (Tools menu items, main toolbar menu buttons)
    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
    -> {HKLM...CLSID} = "Web Browser Applet Control"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

    {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
    "ButtonText" = "Yahoo! Services"
    "CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
    -> {HKLM...CLSID} = "UberButton Class"
    \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled" [file not found]

    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM"
    "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

    {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF}\
    "ButtonText" = "Messenger"
    "Exec" = "C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe" ["BellSouth"]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

    Miscellaneous IE Hijack Points
    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

    Missing lines (compared with English-language version):
    [Strings]: 1 line

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
    Lexar JD31, LxrJD31s, "LxrJD31s.exe" [null data]
    WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
    Webroot Spy Sweeper Engine, svcWRSSSDK, "C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe" ["Webroot Software, Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
    hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]
    ---------
    <<!>>: Suspicious data at a malware launch point.
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    ......
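The Silent Runners log above tags every autorun value with a bracketed status ([MS], ["Company"], [null data], [empty string] or [file not found]). As an added example that is not part of this thread and not the Silent Runners script's own code, here is a small Python triage script that parses the Run-key sections in that format and ranks the entries by ordinary autorun-triage signals: a missing launch target, the Policies\Explorer\Run location, an unattributed executable sitting directly in the Windows directory, and a value name that looks machine-generated. The sample input is copied from the log above; the heuristics and their thresholds are this example's own assumptions, not anything Silent Runners computes.

```python
"""Triage of Run-key entries in Silent Runners output (added example, not the
Silent Runners script's own code; the sample lines are copied from the log in
this thread, and the heuristics are assumed autorun-triage rules)."""
import re
from dataclasses import dataclass, field

# Silent Runners prints one autorun value per line as
#   "ValueName" = "command line" [signer or status]
# where the tag is MS, "Company Name", null data, empty string or file not found.
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<cmd>.*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^HK(?:CU|LM)\\', re.IGNORECASE)
RUN_KEY_RE = re.compile(r'\\Run\\?$', re.IGNORECASE)
# A bare .exe directly in %SystemRoot% or System32, not in a vendor subfolder.
WINROOT_EXE_RE = re.compile(r'^[a-z]:\\windows(\\system32)?\\[^\\]+\.exe$')


@dataclass
class Finding:
    key: str
    name: str
    cmd: str
    tag: str
    reasons: list = field(default_factory=list)


def exe_path(cmd):
    """Return the executable part of a command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def has_publisher(tag):
    """Silent Runners shows [MS] or ["Company"] when the file carries version info."""
    return tag == 'MS' or tag.startswith('"')


def looks_random(name):
    """Generated value names (e.g. 'blpgvyqlphz') have almost no vowels; real ones do.
    Threshold and minimum length are assumptions chosen to avoid short vendor names."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 10:          # too short to judge (e.g. 'hpsysdrv')
        return False
    vowels = sum(c in 'aeiouy' for c in letters)
    return vowels / len(letters) < 0.2


def triage(text):
    """Parse the Run-key sections of a Silent Runners log and return the flagged
    entries, most suspicious (most reasons) first."""
    findings = []
    key = ''
    for line in text.splitlines():
        line = line.strip()
        if KEY_RE.match(line):                      # section header: a registry key
            key = line.replace('{++}', '').strip()
            continue
        m = ENTRY_RE.match(line)
        if not m or not RUN_KEY_RE.search(key):     # only ...\Run values are triaged
            continue
        f = Finding(key, m['name'], m['cmd'], m['tag'].strip())
        path = exe_path(f.cmd)
        if f.tag == 'file not found':
            f.reasons.append('launch target is missing (orphaned or already removed)')
        if 'policies\\explorer\\run' in key.lower():
            f.reasons.append('Policies\\Explorer\\Run is rarely used by legitimate installers')
        if WINROOT_EXE_RE.match(path.lower()) and not has_publisher(f.tag):
            f.reasons.append('unattributed executable directly in the Windows directory')
        if looks_random(f.name):
            f.reasons.append('value name looks machine-generated')
        if f.reasons:
            findings.append(f)
    return sorted(findings, key=lambda f: (-len(f.reasons), f.name))


# Constructed sample: the Run keys copied from the Silent Runners log above.
SAMPLE_LOG = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"ie.exe" = "C:\WINDOWS\ie.exe" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [null data]
"blpgvyqlphz" = "C:\WINDOWS\System32\tpttvtx.exe" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"VSOCheckTask" = ""c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask" ["Networks Associates Technology, Inc"]
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.name!r:22} {f.cmd}')
        for r in f.reasons:
            print(f'    - {r}')
```

Entries with no reasons (the Java updater, the NVIDIA and Intel tray tools, the McAfee task) are dropped from the report, so the output is the short list a helper would actually look at rather than the whole Run key.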

  10. #10
    Member
    Join Date
    Oct 2006
    Location
    Southern Louisiana
    Posts
    54

    Smile

    Mr Jak,
    The following logs exceeded the maximum post length to put all together in one post. Here are the other logs you requested.
    - a fresh HijackThis log
    - results from virustotal scan

    I hope I did this correctly.
    Thank you so kindly for the assistance.
    Jay-escalader


    HiJack This Log
    Logfile of HijackThis v1.99.1
    Scan saved at 8:00:16 PM, on 10/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\system32\LxrJD31s.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\LTMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe
    C:\WINDOWS\ie.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    C:\Program Files\America Online 7.0\aoltray.exe
    C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    C:\Program Files\Labtec Wireless Desktop\MulMouse.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Labtec Wireless Desktop\OSD.EXE
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us6.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us6.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (disabled by BHODemon)
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll (disabled by BHODemon)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [_AntiSpyware] C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
    O4 - HKLM\..\Run: [blpgvyqlphz] C:\WINDOWS\System32\tpttvtx.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRA~1\BELLSO~1\PropelAC.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [BellSouthSyn] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Synchronize
    O4 - HKLM\..\Run: [BellSouthScheduler] C:\Program Files\BellSouth\Application Center\BsnAppCenter.exe /Scheduler
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: Alarm Clock Icon.lnk.disabled
    O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe
    O4 - Global Startup: Google Updater.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: ymetray.lnk.disabled
    O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll__BHODemonDisabled (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {DECDBEEF-D3AD-B3EF-DE4D-B3EFDEADB3EF} - C:\Program Files\BellSouth\Communications Suite\BstMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://usmilitary.about.com
    O15 - Trusted Zone: http://www.la.ngb.army.mil
    O15 - Trusted Zone: http://www.armyonesource.com
    O15 - Trusted Zone: http://home.bellsouth.net
    O15 - Trusted Zone: http://www.juno.com
    O15 - Trusted Zone: www.militaryonesource.com
    O15 - Trusted Zone: http://www.hotmail.msn.com
    O15 - Trusted Zone: groups.msn.com
    O15 - Trusted Zone: www.msnusers.com
    O15 - Trusted Zone: http://vil.nai.com
    O15 - Trusted Zone: *.nextel.com
    O15 - Trusted Zone: http://loginnet.passport.com
    O15 - Trusted Zone: http://*.subratam.org
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccom...ad/tgctlcm.cab
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edg...ex-2.0.3.1.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...29/mcfscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: application/xhtml+xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=iso-8859-1 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O18 - Filter: text/xml; charset=utf-8 - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\Program Files\Design Science\MathPlayer\MathMLMimer.dll
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    VirusTotal 24 October 2006
    Antivirus           Version         Update      Result
    AntiVir             7.2.0.32        10.24.2006  R/Delphi.Downloader.Gen
    Authentium          4.93.8          10.24.2006  W32/Backdoor.OKB
    Avast               4.7.892.0       10.24.2006  no virus found
    AVG                 386             10.25.2006  Downloader.Agent.GNR
    BitDefender         7.2             10.24.2006  no virus found
    CAT-QuickHeal       8.00            10.23.2006  TrojanDownloader.Agent.azn
    ClamAV              devel-20060426  10.24.2006  no virus found
    DrWeb               4.33            10.24.2006  no virus found
    eTrust-InoculateIT  23.73.34        10.23.2006  no virus found
    eTrust-Vet          30.3.3154       10.24.2006  no virus found
    Ewido               4.0             10.24.2006  no virus found
    Fortinet            2.82.0.0        10.24.2006  W32/Agent.ESM!tr
    F-Prot              3.16f           10.24.2006  security risk named W32/Backdoor.OKB
    F-Prot4             4.2.1.29        10.24.2006  W32/Backdoor.OKB
    Ikarus              0.2.65.0        10.24.2006  no virus found
    Kaspersky           4.0.2.24        10.25.2006  Trojan-Downloader.Win32.Agent.azn
    McAfee              4880            10.24.2006  no virus found
    Microsoft           1.1609          10.25.2006  no virus found
    NOD32v2             1.1831          10.24.2006  no virus found
    Norman              5.80.02         10.24.2006  W32/Agent.APCO
    Panda               9.0.0.4         10.24.2006  Suspicious file
    Sophos              4.10.0          10.24.2006  Mal/Packer
    TheHacker           6.0.1.104       10.23.2006  no virus found
    UNA                 1.83            10.25.2006  no virus found
    VBA32               3.11.1          10.24.2006  no virus found
    VirusBuster         4.3.7:9         10.24.2006  no virus found

    Additional Information
    File size: 8080 bytes
    MD5: c9ee6c9b7033d4f7dfa6da06e6b7a718
    SHA1: a4d28397684b2827325f02b19a60e22fc9bc365d
    packers: UPACK
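
An added example, not code posted by anyone in this thread: a short Python script that reads HijackThis lines of the kind shown in the log above and flags the entries a helper normally checks first (dangling "(file missing)" references, Trusted Zone entries and especially wildcard ones, downloaded ActiveX controls, replaced MIME filters, Winlogon Notify and AppInit_DLLs loaders, and services with no recognised publisher). The sample lines are copied from the log above; the flagging rules are this example's own reading heuristics, not HijackThis's classification, and "Filter hijack" is HJT's own label for any replaced MIME filter, which here belongs to MathPlayer.

```python
"""Triage a HijackThis (HJT) log.

Added example for this thread, not code posted by anyone in it. It parses
'Onn - ...' lines and flags the entries a helper looks at first. The rules
below are this example's own heuristics, not HijackThis's classification.
"""
import re
from typing import Dict, List, Optional, Tuple

# Lines copied from the log above; HJT itself truncates long URLs with '...'.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [VirusScan Online] "c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\\Program Files\\Yahoo!\\Common\\yiesrvc.dll__BHODemonDisabled (file missing)
O15 - Trusted Zone: http://home.bellsouth.net
O15 - Trusted Zone: *.nextel.com
O15 - Trusted Zone: http://*.subratam.org
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {32F66A26-7614-11D4-BD11-00104BD3F987} - C:\\Program Files\\Design Science\\MathPlayer\\MathMLMimer.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WRNotifier - C:\\WINDOWS\\SYSTEM32\\WRLogonNTF.dll
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\\WINDOWS\\SYSTEM32\\LxrJD31s.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Onn - body' line, skipping the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(("O" + m.group(1), m.group(2)))
    return entries


def classify(section: str, body: str) -> Optional[str]:
    """Return a review reason for one entry, or None if it needs no attention."""
    if "(file missing)" in body:
        return "dangling reference: the registry still points at a file that is gone"
    if section == "O15":
        # HJT prints 'Trusted Zone: <host>'; the scheme may or may not be present.
        host = re.sub(r"^https?://", "", body.split(":", 1)[1].strip())
        if host.startswith("*."):
            return "wildcard Trusted Zone: every subdomain gets IE's relaxed security"
        return "Trusted Zone entry: confirm the user added it on purpose"
    if section == "O16":
        return "ActiveX control fetched from the web: check the host is the vendor's"
    if section == "O18" and body.startswith("Filter hijack"):
        return "MIME filter replaced: fine for MathPlayer, otherwise a browser hijack"
    if section == "O20":
        name, _, value = body.partition(":")
        if name == "AppInit_DLLs" and not value.strip():
            return None  # an empty AppInit_DLLs value is the normal state
        if name == "AppInit_DLLs":
            return "DLL injected into every process that loads user32.dll"
        return "DLL loaded by Winlogon at logon: verify its publisher"
    if section == "O23" and "Unknown owner" in body:
        return "service binary without a recognised publisher: check signature and path"
    return None


def triage(text: str) -> List[Dict[str, str]]:
    """Run classify() over a whole log and return one finding per flagged entry."""
    findings = []
    for section, body in parse_hjt(text):
        reason = classify(section, body)
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```

Run against the twelve sample lines it reports nine findings and stays quiet on the McAfee Run entry, the NVIDIA service and the empty AppInit_DLLs value. A flag is a prompt to look, not a verdict: the MathPlayer filter and the Webroot logon DLL in this log are legitimate, and the point of the script is to get a reader to those lines quickly.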

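An added example, not posted by anyone in this thread: before acting on a VirusTotal listing like the one above, it is worth confirming that the file on the machine is the same sample VirusTotal scanned. This Python script parses the plain-text listing into per-engine rows, counts how many engines flagged the file, and compares a local file's size, MD5 and SHA1 with the values reported. The rows and the reported size and hashes are copied from the result above; LOCAL_FILE is constructed bytes standing in for the file on disk and is not the real sample, so the comparison is expected to fail.

```python
"""Check a VirusTotal listing before acting on it.

Added example, not posted by anyone in this thread. It parses the plain-text
VirusTotal result above into per-engine rows, counts how many engines
flagged the file, and confirms that a file on disk is the same sample by
comparing its size, MD5 and SHA1 with what VirusTotal reported.
"""
import hashlib
from typing import List, Tuple

# Rows copied from the VirusTotal result above (24 October 2006).
VT_LISTING = """\
AntiVir 7.2.0.32 10.24.2006 R/Delphi.Downloader.Gen
Authentium 4.93.8 10.24.2006 W32/Backdoor.OKB
Avast 4.7.892.0 10.24.2006 no virus found
AVG 386 10.25.2006 Downloader.Agent.GNR
BitDefender 7.2 10.24.2006 no virus found
CAT-QuickHeal 8.00 10.23.2006 TrojanDownloader.Agent.azn
ClamAV devel-20060426 10.24.2006 no virus found
DrWeb 4.33 10.24.2006 no virus found
eTrust-InoculateIT 23.73.34 10.23.2006 no virus found
eTrust-Vet 30.3.3154 10.24.2006 no virus found
Ewido 4.0 10.24.2006 no virus found
Fortinet 2.82.0.0 10.24.2006 W32/Agent.ESM!tr
F-Prot 3.16f 10.24.2006 security risk named W32/Backdoor.OKB
F-Prot4 4.2.1.29 10.24.2006 W32/Backdoor.OKB
Ikarus 0.2.65.0 10.24.2006 no virus found
Kaspersky 4.0.2.24 10.25.2006 Trojan-Downloader.Win32.Agent.azn
McAfee 4880 10.24.2006 no virus found
Microsoft 1.1609 10.25.2006 no virus found
NOD32v2 1.1831 10.24.2006 no virus found
Norman 5.80.02 10.24.2006 W32/Agent.APCO
Panda 9.0.0.4 10.24.2006 Suspicious file
Sophos 4.10.0 10.24.2006 Mal/Packer
TheHacker 6.0.1.104 10.23.2006 no virus found
UNA 1.83 10.25.2006 no virus found
VBA32 3.11.1 10.24.2006 no virus found
VirusBuster 4.3.7:9 10.24.2006 no virus found
"""

# Size and hashes copied from the 'Additional Information' block above.
REPORTED_SIZE = 8080
REPORTED_MD5 = "c9ee6c9b7033d4f7dfa6da06e6b7a718"
REPORTED_SHA1 = "a4d28397684b2827325f02b19a60e22fc9bc365d"

# Constructed stand-in for the file on disk: right size, but not the real sample.
LOCAL_FILE = b"MZ" + b"\x00" * (REPORTED_SIZE - 2)

CLEAN = "no virus found"


def parse_listing(text: str) -> List[Tuple[str, str, str, str]]:
    """Split each row into (engine, version, update, result); result may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append((parts[0], parts[1], parts[2], parts[3]))
    return rows


def detections(rows: List[Tuple[str, str, str, str]]) -> List[Tuple[str, str]]:
    """Engines that returned anything other than a clean verdict, with their label."""
    return [(engine, result) for engine, _ver, _upd, result in rows if result != CLEAN]


def detection_ratio(text: str) -> Tuple[int, int]:
    """(engines that flagged the file, engines in the listing)."""
    rows = parse_listing(text)
    return len(detections(rows)), len(rows)


def hashes_of(data: bytes) -> Tuple[str, str]:
    """Lower-case hex MD5 and SHA1 of the data, in that order."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def same_sample(data: bytes, size: int, md5: str, sha1: str) -> bool:
    """True only if size and both digests match the reported values."""
    if len(data) != size:
        return False
    got_md5, got_sha1 = hashes_of(data)
    return got_md5 == md5.lower() and got_sha1 == sha1.lower()


if __name__ == "__main__":
    hit, total = detection_ratio(VT_LISTING)
    print(f"{hit}/{total} engines flagged the file")
    for engine, result in detections(parse_listing(VT_LISTING)):
        print(f"  {engine:<20} {result}")
    print("local file is the scanned sample:",
          same_sample(LOCAL_FILE, REPORTED_SIZE, REPORTED_MD5, REPORTED_SHA1))
```

On the listing above this gives 11 of 26 engines, with two naming a downloader (Agent.azn) and three a backdoor (Backdoor.OKB); a packed 8 KB file with that spread of verdicts is worth treating as a downloader even though the user's own McAfee engine reported it clean. The hash comparison matters because a file that has been re-downloaded or modified since the upload is a different sample, and the verdicts no longer apply to it.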