unable to delete sysweb telecom
Hi,
A friend's computer can't get rid of an entry using Spybot S&D. This includes a scan on reboot. The entry is sysweb telecom. Can someone please review the HJT log file and help with this and/or any other problems that might be found?
Thanks very much in advance for any help you are able to provide.
Logfile of HijackThis v1.99.1
Scan saved at 2:57:04 PM, on 03/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Moore\Desktop\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab47946.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
I'm hoping a bump might help
Budfred
03-24-2007, 10:13 AM
There is nothing I can see in your log to explain the problem... Please do this to see if we can find more:
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall... Use as many posts as needed to post the entire log...
Thank you for your reply and help, Budfred.
ComboFix gave a message that the report was too long to generate. There was, however, a log I copied from C:\ComboFix.txt
here it is:
"Moore" - 07-03-25 16:38:19 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Moore\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-02-25 to 2007-03-25 ))))))))))))))))))))))))))))))))))
2007-03-16 13:36 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-04 15:22 <DIR> d-------- C:\Program Files\Real Alternative
2007-03-04 15:22 <DIR> d-------- C:\Program Files\Media Player Classic
2007-03-04 15:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-03-01 23:54 <DIR> d-------- C:\Program Files\UltraVNC
2007-03-01 22:39 <DIR> d-------- C:\DOCUME~1\HOCKEY~1\APPLIC~1\Lavasoft
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-16 13:36 -------- d-------- C:\Program Files\messenger
2007-03-04 14:48 -------- d-------- C:\Program Files\Common Files\real
2007-03-04 14:46 -------- d-------- C:\DOCUME~1\Moore\APPLIC~1\real
2007-03-04 14:34 -------- d-------- C:\Program Files\spywareguard
2007-02-05 20:03 -------- d-------- C:\Program Files\msn messenger
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"="C:\\PROGRA~1\\MOZILL~1\\plugins\\GetFlash.exe -p"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinVNC"="\"C:\\Program Files\\UltraVNC\\winvnc.exe\" -servicehelper"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALUNOTIFY"
"hkey"="HKLM"
"command"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BackWeb-8876480"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_RegSoAlertWxSzNn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="soproc"
"hkey"="HKCU"
"command"="rundll32 shell32.dll,ShellExec_RunDLL C:\\PROGRA~1\\SOFTWA~1\\soproc.exe -pack RegSoAlertWxSzNn"
"inimapping"="0"
part 2......
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thirdaxis]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="license itch"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Moore\\APPLIC~1\\DRVFUN~1\\license itch.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winis"
"hkey"="HKLM"
"command"="winis.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0500"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0500.dll\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowforklongvc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kind Type"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\else download window fork\\Kind Type.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"thirdaxis"="C:\\DOCUME~1\\NETWOR~1\\APPLIC~1\\DRVFUN~1\\license itch.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN39O3F05Z6B.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\Hockey Kid\Local Settings\Temp\$179038A2.t$m 4096 bytes
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
********************************************************************
Completion time: 07-03-25 16:49:22
Budfred
03-25-2007, 11:41 PM
You have several infected processes showing in the log... One of them is LOP and it looks like you have Messenger Plus3 installed, but not running... If so, the best bet is to activate Messenger Plus3 and then uninstall it properly... Let me know the situation with that...
Also, uninstall this: MyWebSearch...
Also, find and delete these:
C:\Documents and Settings\Hockey Kid\Local Settings\Temp\$179038A2.t$m
C:\Program Files\MyWebSearch (whole folder)
You will probably need to show hidden files/folders to find and delete them...
In Windows XP, on the taskbar, click Start > My Computer.
On the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.
You may need to boot to Safe Mode to kill them... Reboot and press F8 just before Windows starts to load... Choose Safe Mode...
Report back on how this all went...
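Budfred reads these logs by eye. The script below, which is an added example and not part of this thread, of HijackThis or of ComboFix, applies the same kind of reading mechanically: it flags a Run command that is a bare file name with no path (winis.exe, resolved by PATH search), an executable launched from under Application Data (the "license itch.exe" and "Kind Type.exe" entries), rundll32 loading a system32 DLL with a random-looking name, and clusters of same-size, random-named DLLs dropped into system32 over a run of days, which is a dropper re-creating its payload under a fresh name. The sample lines it runs on are copied from the logs posted in this thread (the InfoData rundll32 entry and the batch of eight-letter DLLs come from the second HijackThis and ComboFix logs further down). The definition of "random-looking" as exactly eight lowercase letters and the cluster threshold of three are my assumptions, not anything either tool defines.

```python
"""Mechanical triage of HijackThis / ComboFix log lines.

Added example for this thread; not part of either tool and not the helper's
own method. Rules:
  * a Run command that is a bare file name with no path
  * an executable launched from under Application Data
  * rundll32 loading a system32 DLL with a random-looking name
  * CLUSTER_MIN or more same-size, random-named DLLs in system32
The "8 lowercase letters" test and CLUSTER_MIN are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
"command"="winis.exe"
"command"="C:\\DOCUME~1\\Moore\\APPLIC~1\\DRVFUN~1\\license itch.exe"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\else download window fork\\Kind Type.exe"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
2007-05-02 03:29 132,660 --a------ C:\WINDOWS\system32\rtvxyqvr.dll
2007-05-01 19:07 132,660 --a------ C:\WINDOWS\system32\frmuruwu.dll
2007-04-25 19:56 132,660 --a------ C:\WINDOWS\system32\umvrpynu.dll
2007-04-24 19:56 123,972 --a------ C:\WINDOWS\system32\qpvfuaoi.dll
2007-04-24 15:52 123,972 --a------ C:\WINDOWS\system32\yxykndea.dll
2007-04-23 15:52 123,972 --a------ C:\WINDOWS\system32\afoucabe.dll
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
'''

RUN_LINE = re.compile(r'^O4 - .*?: \[[^\]]*\] (?P<cmd>.+)$')        # HijackThis O4
CMD_LINE = re.compile(r'^"command"="(?P<cmd>.*)"$')                  # ComboFix reg dump
FILE_LINE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+)\s+\S+\s+(?P<path>\S.*)$')
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
SYSTEM32_DLL = re.compile(r'\\system32\\([a-z0-9_]+)\.dll$', re.I)
RANDOM_STEM = re.compile(r'^[a-z]{8}$')      # assumption: "random-looking" name
APPDATA = re.compile(r'\\(APPLIC~1|Application Data)\\', re.I)
CLUSTER_MIN = 3                              # assumption: cluster threshold


def unescape_reg(value):
    """Undo the doubled backslashes and escaped quotes in ComboFix's registry dump."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def check_command(cmd):
    """Findings for one autostart command, as (rule, detail) tuples."""
    findings = []
    cmd = cmd.strip()
    m = RUNDLL.match(cmd)
    if m:
        dll = m.group('dll')
        stem = SYSTEM32_DLL.search(dll)
        if stem and RANDOM_STEM.match(stem.group(1)):
            findings.append(('rundll32-random-dll', dll))
        return findings
    # First token is the executable; a quoted path may contain spaces.
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head = cmd[1:end] if end > 0 else cmd[1:]
    else:
        head = cmd.split(' ')[0]
    if '\\' not in head and head.lower().endswith('.exe'):
        findings.append(('bare-exe-no-path', head))       # resolved via PATH search
    if APPDATA.search(cmd) and '.exe' in cmd.lower():
        findings.append(('exe-in-appdata', cmd))
    return findings


def check_files(file_entries):
    """Group random-named system32 DLLs by size; flag clusters of CLUSTER_MIN or more."""
    by_size = defaultdict(list)
    for size, path in file_entries:
        m = SYSTEM32_DLL.search(path)
        if m and RANDOM_STEM.match(m.group(1)):
            by_size[size].append(path)
    return [('same-size-random-dll-cluster',
             '%d bytes x%d: %s' % (size, len(paths), ', '.join(paths)))
            for size, paths in sorted(by_size.items()) if len(paths) >= CLUSTER_MIN]


def triage(log_text):
    """Run every rule over a pasted HijackThis/ComboFix log and return the findings."""
    findings, files = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_LINE.match(line)
        if m:
            findings += check_command(m.group('cmd'))
            continue
        m = CMD_LINE.match(line)
        if m:
            findings += check_command(unescape_reg(m.group('cmd')))
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append((int(m.group('size').replace(',', '')), m.group('path')))
    findings += check_files(files)
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print('%-30s %s' % (rule, detail))
```

Run as-is to see the six findings for the sample, or pass a whole pasted log to triage(). The cluster rule carries more weight than the name rule alone: upnphost.dll in the Find3M section is also eight lowercase letters, but it stands alone at its size and is never loaded by rundll32, so nothing flags it.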
Hello Budfred, thanks very much for your reply. My apologies for not getting back sooner. I won't bore you with the details as to why. I got back on my friend's machine to follow your instructions. I couldn't find LOP, Messenger Plus3, MyWebSearch, or the temp file. I unhid hidden files and did searches including hidden files and folders, so no luck at all with the above.
Another Spybot S&D scan found several entries that could not be deleted without a boot scan. The boot scan seemed to fix them all except the sysweb telecom entry again. I ran another HJT and another ComboFix considering the time that has passed. Hopefully there's something new you can see that might lead to a solution. They're pasted below. Thanks again for your help.
Logfile of HijackThis v1.99.1
Scan saved at 2:11:04 PM, on 05/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
"Moore" - 07-05-04 14:13:13 Service Pack 2
ComboFix 07-03-23 - Running from: "C:\Documents and Settings\Moore\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-04-04 to 2007-05-04 ))))))))))))))))))))))))))))))))))
2007-05-02 03:29 132,660 --a------ C:\WINDOWS\system32\rtvxyqvr.dll
2007-05-01 19:07 132,660 --a------ C:\WINDOWS\system32\frmuruwu.dll
2007-04-28 12:55 36,352 --a------ C:\WINDOWS\system32\__c00AA1FF.dat
2007-04-28 12:20 <DIR> d-------- C:\DOCUME~1\HOCKEY~1\APPLIC~1\MSN6
2007-04-28 12:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-04-26 20:38 49,204 --a------ C:\WINDOWS\system32\hvrdfceu.dll
2007-04-25 19:56 132,660 --a------ C:\WINDOWS\system32\umvrpynu.dll
2007-04-24 19:56 123,972 --a------ C:\WINDOWS\system32\qpvfuaoi.dll
2007-04-24 15:52 123,972 --a------ C:\WINDOWS\system32\yxykndea.dll
2007-04-23 15:52 123,972 --a------ C:\WINDOWS\system32\afoucabe.dll
2007-04-22 15:52 123,972 --a------ C:\WINDOWS\system32\hjaebfbh.dll
2007-04-21 15:52 123,972 --a------ C:\WINDOWS\system32\uctbcmxw.dll
2007-04-20 15:51 123,972 --a------ C:\WINDOWS\system32\tkciprrf.dll
2007-04-19 15:51 123,972 --a------ C:\WINDOWS\system32\beexwroe.dll
2007-04-18 15:51 123,972 --a------ C:\WINDOWS\system32\knkwyvvj.dll
2007-04-17 21:18 125,460 --a------ C:\WINDOWS\system32\woipmhvd.dll
2007-04-17 21:18 123,972 --a------ C:\WINDOWS\system32\nblxtyhy.dll
2007-04-16 21:17 123,972 --a------ C:\WINDOWS\system32\bjhgebsa.dll
2007-04-15 21:17 123,972 --a------ C:\WINDOWS\system32\dojhebdu.dll
2007-04-15 10:11 <DIR> d-------- C:\DOCUME~1\Moore\APPLIC~1\SystemDoctor 2006 Free
2007-04-14 21:19 123,972 --a------ C:\WINDOWS\system32\dnbmgwxv.dll
2007-04-13 21:13 125,460 --a------ C:\WINDOWS\system32\awcybfgt.dll
2007-04-13 21:13 123,972 --a------ C:\WINDOWS\system32\dlakfvoq.dll
2007-04-12 21:13 48,708 --a------ C:\WINDOWS\system32\sjxydfiv.dll
2007-04-12 21:13 123,972 --a------ C:\WINDOWS\system32\uhempafi.dll
2007-04-11 21:12 906,212 ---hs---- C:\WINDOWS\system32\cccdd.bak2
2007-04-11 21:12 48,708 --a------ C:\WINDOWS\system32\atpfmhmh.dll
2007-04-11 21:12 123,972 --a------ C:\WINDOWS\system32\yshrvwot.dll
2007-04-10 21:12 887,890 ---hs---- C:\WINDOWS\system32\cccdd.bak1
2007-04-10 21:12 48,708 --a------ C:\WINDOWS\system32\aafcpqnb.dll
2007-04-10 21:12 280,676 ---hs---- C:\WINDOWS\system32\ddccc.dll
2007-04-10 20:48 26,694 --a------ C:\WINDOWS\system32\opnnlmj.dll
2007-04-10 20:47 189,952 --a------ C:\WINDOWS\us.exe
2007-04-10 20:47 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-03 17:04 36352 --a------ C:\WINDOWS\system32\__c00aa1ff.dat
2007-04-10 21:02 -------- d-------- C:\Program Files\msn messenger
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-16 13:36 -------- d-------- C:\Program Files\messenger
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-04 15:22 -------- d-------- C:\Program Files\real alternative
2007-03-04 15:22 -------- d-------- C:\Program Files\media player classic
2007-03-04 14:34 -------- d-------- C:\Program Files\spywareguard
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"WinVNC"="\"C:\\Program Files\\UltraVNC\\winvnc.exe\" -servicehelper"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"cmonitor"=""
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\rtvxyqvr.dll\",realset"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\KEM.exe "
"item"="Logitech SetPoint"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\MyWebSearch Email Plugin.lnk"
"backup"="C:\\WINDOWS\\pss\\MyWebSearch Email Plugin.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\MyWebSearch\\bar\\1.bin\\MWSOEMON.EXE "
"item"="MyWebSearch Email Plugin"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALUAlert]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALUNOTIFY"
"hkey"="HKLM"
"command"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNOTIFY.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BackWeb-8876480"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BackWeb-8876480.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Tray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SOProc_RegSoAlertWxSzNn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="soproc"
"hkey"="HKCU"
"command"="rundll32 shell32.dll,ShellExec_RunDLL C:\\PROGRA~1\\SOFTWA~1\\soproc.exe -pack RegSoAlertWxSzNn"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thirdaxis]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="license itch"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Moore\\APPLIC~1\\DRVFUN~1\\license itch.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winis"
"hkey"="HKLM"
"command"="winis.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0500"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\WildTangent\\Apps\\CDA\\GameDrvr.exe\" /startup \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0500.dll\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowforklongvc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kind Type"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\else download window fork\\Kind Type.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{9796007A-181E-4C97-99EB-7F71B8989A7B}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"
"thirdaxis"="C:\\DOCUME~1\\NETWOR~1\\APPLIC~1\\DRVFUN~1\\license itch.exe"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableTaskMgr"=dword:00000000
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnlmj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00AA1FF
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HP DArC Task #Hewlett-Packard#deskjet3600#CN39O3F05Z6B.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-05-04 14:19:51
C:\ComboFix2.txt ... 07-03-25 16:49
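Added example (not part of the original post, and not ComboFix's or any forum tool's code): a short Python triage script that parses the autostart portion of a dump in the format above and lists the entries worth a second look. It reads values under a ...\Run key, the "command" values ComboFix copies out of msconfig's startupreg backups, and bare Winlogon\Notify subkey paths. The sample dump is constructed from lines pasted above; the heuristics (bare filename with no path, rundll32 loading a DLL out of system32, a long vowel-less image name like rtvxyqvr, a binary under Application Data or Temp, a Notify package outside XP's default set) and the KNOWN_NOTIFY list are assumptions of this example, not a signature database. A hit means "review this", not "malicious".

```python
"""Triage autostart entries in a ComboFix-style registry dump (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the dump above, in the .reg-export
# style ComboFix uses. Winlogon\Notify subkeys appear as bare key paths.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"WinVNC"="\"C:\\Program Files\\UltraVNC\\winvnc.exe\" -servicehelper"
"cmonitor"=""
"InfoData"="rundll32.exe \"C:\\WINDOWS\\system32\\rtvxyqvr.dll\",realset"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\update]
"item"="winis"
"command"="winis.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\thirdaxis]
"item"="license itch"
"command"="C:\\DOCUME~1\\Moore\\APPLIC~1\\DRVFUN~1\\license itch.exe"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddccc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnlmj
'''

HEADER_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$', re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+', re.IGNORECASE)
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)', re.IGNORECASE)

# Assumed allow-list: Winlogon\Notify packages shipped with Windows XP.
KNOWN_NOTIFY = {'crypt32chain', 'cryptnet', 'cscdll', 'sccertprop', 'schedule',
                'sclgntfy', 'senslogn', 'termsrv', 'wlballoon'}
# Directories an unprivileged user can write to (long and 8.3 short forms).
USER_WRITABLE = ('\\application data\\', '\\applic~1\\', '\\local settings\\temp\\',
                 '\\locals~1\\temp\\', '\\temp\\', '\\recycler\\')


@dataclass
class Entry:
    kind: str     # 'run', 'msconfig' or 'winlogon_notify'
    name: str     # value name (Run) or last subkey component (msconfig, Notify)
    command: str  # unescaped command line; empty for Notify entries


def _unescape(raw: str) -> str:
    # Undo .reg escaping in one pass: \\ becomes \ and \" becomes "
    return re.sub(r'\\(.)', r'\1', raw)


def parse_dump(text: str):
    entries, key = [], ''
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := HEADER_RE.match(line):
            key = m.group(1)
        elif m := VALUE_RE.match(line):
            name, cmd, low = m.group(1), _unescape(m.group(2)), key.lower()
            if low.endswith('\\run'):
                entries.append(Entry('run', name, cmd))
            elif '\\msconfig\\startupreg\\' in low and name.lower() == 'command':
                entries.append(Entry('msconfig', key.rsplit('\\', 1)[1], cmd))
        elif line.upper().startswith('HKEY_') and '\\winlogon\\notify\\' in line.lower():
            entries.append(Entry('winlogon_notify', line.rsplit('\\', 1)[1], ''))
    return entries


def target_binary(command: str) -> str:
    """Image a command line loads; for rundll32 that is the DLL, not rundll32."""
    cmd = RUNDLL_RE.sub('', command.strip())
    if cmd.startswith('"'):                 # quoted path: take what is inside
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)                 # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split(' ', 1)[0]


def looks_random(stem: str) -> bool:
    """Seven or more lowercase letters with under 25% vowels, e.g. rtvxyqvr."""
    if not re.fullmatch(r'[a-z]{7,}', stem):
        return False
    return sum(ch in 'aeiou' for ch in stem) / len(stem) < 0.25


def review_reasons(e: Entry) -> list:
    """Heuristic flags only; a hit means 'look at it', not 'malicious'."""
    if e.kind == 'winlogon_notify':
        return [] if e.name.lower() in KNOWN_NOTIFY else ['non-default Winlogon\\Notify package']
    if not e.command:
        return []                           # empty value: nothing is loaded
    image = target_binary(e.command)
    low = image.lower()
    stem = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    reasons = []
    if '\\' not in image:
        reasons.append('bare filename, resolved via search path')
    if RUNDLL_RE.match(e.command) and '\\system32\\' in low:
        reasons.append('rundll32 loading a DLL from system32')
    if looks_random(stem):
        reasons.append('random-looking image name')
    if any(d in low for d in USER_WRITABLE):
        reasons.append('runs from a user-writable data directory')
    return reasons


def triage(text: str) -> dict:
    """Entry name -> reasons, for every parsed entry with at least one reason."""
    return {e.name: r for e in parse_dump(text) if (r := review_reasons(e))}


if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_DUMP).items():
        print(f'{name}: {"; ".join(reasons)}')
```

Run it as-is to triage the embedded sample, or pass the text of a real ComboFix log to triage(). The script only reads text and never touches the registry, so the helper can run it on their own machine against a pasted log rather than on the infected box.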
Budfred
05-05-2007, 08:44 AM
It looks like you picked up a nice collection of malware since you were last here... I don't have time this morning to analyze a ComboFix log, but there are a couple of things you can get started on fixing and I will look at the rest later...
Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip) (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
and then....
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Thank you Budfred, I have followed your directions but we're having trouble booting into safe mode. Since I'm helping him remotely using VNC, I gave him instructions over the phone for the safe mode boot. It seems the boot gets to the dialogue box to choose between safe mode and a system restore. Clicking yes should finish the safe mode boot, but it leads him to a blank screen with a mouse cursor, and that's about the end of it. We tried logging on to the various accounts he has but to no avail. I've not had this problem before, any thoughts? I should have googled before my reply but will do that now.
Budfred
05-07-2007, 12:42 AM
Go ahead with the SmitfraudFix and post the log for that...
For SDFix, if necessary, just go ahead and run it in Normal Mode if it will run...
Is he trying to boot from an Admin account?? I don't think it works well otherwise... Also, there should be options other than just System Restore and Safe Mode... If none of these options work, we will try some manual deletions and then see if Safe Mode is possible...
Thanks again Budfred, the SmitfraudFix log is pasted below. The SDFix said it needed to run in safe mode. I tried it anyway and it didn't generate a report.
Yes we were trying to boot from an admin account. The safe mode boot process got past the options of selecting safe mode, SM with networking, last known good etc. and the loading of drivers but just prior to the desktop appearing was the option to continue in safe mode or do a system restore. After clicking "yes" to continue in safe mode is the point where it would not go further and the desktop would not load.
Here is the log.
SmitFraudFix v2.175
Scan done at 1:29:14.06, 05/07/2007
Run from C:\tools\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moore
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Moore\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Moore\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: SiS 900-Based PCI Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 154.11.128.187
DNS Server Search Order: 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\..\{255D89AD-8C2A-48FF-A6BA-C17624EBBBD3}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\..\{255D89AD-8C2A-48FF-A6BA-C17624EBBBD3}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS3\Services\Tcpip\..\{255D89AD-8C2A-48FF-A6BA-C17624EBBBD3}: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=154.11.128.187 154.11.128.59
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Budfred
05-07-2007, 09:11 AM
Okay... We are kind of stuck... Try a couple of other scans and if they don't work, post another ComboFix log and we will try manual deletions and see if you can get Safe Mode back...
* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan has finished, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.
and then...
* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! It could be that files in use will only be moved/deleted during the reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
one more...
Download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/)
Double-click the icon on Desktop to launch AVG Anti-Spyware
On the top of the main screen click Shield and click the word active to change it to inactive
On the top of the main screen click Update and then click on Start Update.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports" select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions:
Select Complete System Scan to begin scanning.
* If you have any infections you will be prompted, then select "Apply all actions"
* Once finished, click the Save report button, then click Save Report As and save it to your Desktop.
Close AVG Anti-Spyware and Reboot in Normal Mode.
Thank you again Budfred,
The F-Secure scan took a few attempts and stalled at the "submit info to F-Secure" stage, but it was able to generate a report. Here they are:
Scanning Report
Tuesday, May 08, 2007 09:25:59 - 13:12:31
Computer name: MORSEY
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\
Result: 27 malware found
Adware.BHO(generic) (spyware)
* System
Packed.Win32.Morphine.a (virus)
* C:\WINDOWS\SYSTEM32\AWCYBFGT.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\WOIPMHVD.DLL (Submitted)
Tracking Cookie (spyware)
* System (Disinfected)
* System (Submitted)
* System
* System
Vundo.gen17 (virus)
* C:\WINDOWS\SYSTEM32\DDCCC.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\OPNNLMJ.DLL (Submitted)
Vundo.gen18 (virus)
* C:\WINDOWS\SYSTEM32\AFOUCABE.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\BEEXWROE.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\BJHGEBSA.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\DLAKFVOQ.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\DNBMGWXV.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\DOJHEBDU.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\HJAEBFBH.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\KNKWYVVJ.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\NBLXTYHY.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\QPVFUAOI.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\TKCIPRRF.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\UCTBCMXW.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\UHEMPAFI.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\YSHRVWOT.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\YXYKNDEA.DLL (Submitted)
W32/Vundo.O (virus)
* C:\WINDOWS\SYSTEM32\AAFCPQNB.DLL
* C:\WINDOWS\SYSTEM32\ATPFMHMH.DLL
* C:\WINDOWS\SYSTEM32\SJXYDFIV.DLL
Statistics
Scanned:
* Files: 36877
* System: 4123
* Not scanned: 5
Actions:
* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 26
* Submitted: 20
Files not scanned:
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{B66F2479-50A2-4E83-9CF9-212CB5550D71}.BIN
* C:\DOCUMENTS AND SETTINGS\MOORE\LOCAL SETTINGS\TEMP\EWFKUAGI.DLL
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\F6D155A0B5467A28FA11DFD55CD7713F_192C3DF9-0073-42FC-BBB0-55C556386883
Options
Scanning engines:
* F-Secure Libra: 2.4.2, 2007-05-08
* F-Secure AVP: 7.0.171, 2007-05-08
* F-Secure Orion: 1.2.37, 2007-05-08
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 2007-04-30
* F-Secure Pegasus: 1.19.0, 2007-04-01
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics
__c00aa1ff.dat;c:\windows\system32;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
awcybfgt.dll;c:\windows\system32;Adware.Crew;Incurable.Will be moved after reboot.;
ddccc.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
hvrdfceu.dll;c:\windows\system32;Trojan.Juan;Will be cured after reboot.;
opnnlmj.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
rtvxyqvr.dll;c:\windows\system32;Trojan.Virtumod;Will be cured after reboot.;
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:45:55 PM 05/08/2007
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105718.exe -> Adware.Systemdoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105719.exe -> Adware.Systemdoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105721.exe -> Adware.Systemdoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105724.dll -> Adware.SystemDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105727.dll -> Adware.Systemdoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105728.exe -> Adware.SystemDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105730.exe -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-583907252-725345543-1004\Software\SystemDoctor 2006 Free -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-583907252-725345543-1004\Software\SystemDoctor 2006 Free\Settings -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-583907252-725345543-1004\Software\SystemDoctor 2006 Free\Settings2 -> Adware.Systemdoctor : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-583907252-725345543-1004\Software\SystemDoctor 2006 Free\TaskSettings -> Adware.Systemdoctor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\opnnlmj.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP928\A0105720.exe -> Adware.WinFixer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP930\A0106779.exe -> Downloader.ConHook.ah : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP870\A0095050.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP890\A0096335.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Moore\Local Settings\Temp\ewfkuagi.dll -> Logger.VBStat.h : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2000478354-583907252-725345543-1005\Dc447.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
:mozilla.190:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.191:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.192:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@network-ca.247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.123:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.147:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.159:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.170:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.179:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.180:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.488:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.489:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.490:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.498:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.65:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.67:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.69:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.74:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.92:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@partygaming.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
:mozilla.347:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.348:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.60:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.61:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.485:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.24:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.35:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.470:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.492:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Bfast : Cleaned.
:mozilla.493:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@ads.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.298:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.299:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.38:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.39:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.40:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.41:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.45:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.84:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.85:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.86:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.87:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.88:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.89:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.318:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey kid@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.486:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.502:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@stat.dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.110:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.469:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@enhance[2].txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.54:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.184:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.18:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.19:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.20:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.21:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.22:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.171:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.36:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.37:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.476:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.99:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.173:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.174:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.54:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.55:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.229:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Info : Cleaned.
:mozilla.231:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Info : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
:mozilla.230:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Intelli-direct : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@search.live[1].txt -> TrackingCookie.Live : Cleaned.
:mozilla.146:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.147:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.234:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.235:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey kid@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.64:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.146:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.25:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.26:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey kid@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@overture[2].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.384:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.499:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.500:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.501:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
:mozilla.129:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.130:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.167:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.168:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.372:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.373:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.10:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.11:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.12:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.13:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.14:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.15:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.16:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.17:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.18:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.19:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.20:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.7:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.84:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.85:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.86:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.87:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.88:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.89:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.8:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.90:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.91:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.9:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.169:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.170:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.171:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.172:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.174:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.375:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.376:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.377:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.378:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.379:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.380:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey kid@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
:mozilla.162:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.244:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.245:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.246:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.175:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.176:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.177:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey kid@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.467:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Toplist : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@trafic[1].txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.468:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.59:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@fhads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.383:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.80:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Moore\Cookies\moore@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.177:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.178:C:\Documents and Settings\Hockey Kid\Application Data\Mozilla\Firefox\Profiles\7yibqdio.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.80:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.81:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.82:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.83:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Hockey Kid\Cookies\hockey_kid@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.119:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.120:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.121:C:\Documents and Settings\Moore\Application Data\Mozilla\Firefox\Profiles\x5z6akg8.default\coo kies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Moore\DoctorWeb\Quarantine\__c00aa1ff.dat -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{29D0950D-BE35-48EA-9F7B-F37C5889CBAA}\RP934\A0112892.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\WINDOWS\US.0XE -> Worm.Agent.a : Cleaned with backup (quarantined).
::Report end
Budfred
05-08-2007, 07:47 PM
I missed Vundo!! Since I don't trust F-Secure to actually kill it, do this:
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files; click *YES*.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.
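What Budfred is reading for in the HijackThis log (and says he missed the first time) can be screened for mechanically. As an added example that is not part of this thread, of HijackThis or of VundoFix, the Python below applies a few conservative heuristics to HJT-style lines: orphaned entries marked (file missing) or (no file), BHOs registered with no name, rundll32 autoruns that load random-looking DLLs, and Winlogon Notify packages outside a small allowlist of the stock XP ones. The sample lines are copied from the log posted in this thread; the allowlist and the randomness thresholds are my assumptions.

```python
import re

# Constructed sample: a handful of HijackThis v1.99.1 lines copied from the log
# posted in this thread, benign entries mixed with the Vundo-style ones.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {732952D4-F54D-40A1-AE3C-B169780D811E} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
O20 - Winlogon Notify: opnnlmj - opnnlmj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c00AA1FF - C:\WINDOWS\system32\__c00AA1FF.dat (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
'''

# Assumed allowlist: the stock Windows XP Winlogon notification packages plus
# WgaLogon. Extend it for your own environment; anything else gets a closer look.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.IGNORECASE)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
VOWELS = set("aeiou")


def dll_stem(path):
    """'C:\\WINDOWS\\system32\\rtvxyqvr.dll' -> 'rtvxyqvr'."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return re.sub(r"\.(dll|dat|exe)$", "", name, flags=re.IGNORECASE)


def looks_random(stem):
    """Crude proxy for the 5-8 letter gibberish names seen in this thread
    (ddccc, rtvxyqvr, opnnlmj): all lowercase letters with almost no vowels
    or a long consonant run. Thresholds are an assumption; tune as needed."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 4


def triage(log_text):
    """Return [(line, [reasons])] for every HJT line that trips at least one rule.
    The rules are screens, not verdicts: a hit means 'look here', the same way
    a helper reads the log by eye."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        # Rule 1: an entry whose target no longer exists is a leftover
        # registration; Vundo cleanups leave many of these behind.
        if "(file missing)" in line or "(no file)" in line:
            reasons.append("orphaned entry: target file is missing")
        # Rule 2: legitimate BHOs almost always register a display name.
        if line.startswith("O2 - BHO: (no name)"):
            reasons.append("BHO registered without a name")
        # Rule 3: an O4 Run entry using rundll32 to load a gibberish-named DLL.
        m = RUNDLL_RE.search(line)
        if line.startswith("O4 ") and m:
            stem = dll_stem(m.group(1))
            if looks_random(stem):
                reasons.append(f"rundll32 autorun loads random-looking DLL '{stem}'")
        # Rule 4: a Winlogon Notify package that is neither stock nor pronounceable.
        m = NOTIFY_RE.match(line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY and looks_random(m.group(1).lower()):
            reasons.append(f"non-stock Winlogon Notify package '{m.group(1)}' with random-looking name")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```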
Thank you once again; here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 11:46:14 PM, on 05/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\tools\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {732952D4-F54D-40A1-AE3C-B169780D811E} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: opnnlmj - opnnlmj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c00AA1FF - C:\WINDOWS\system32\__c00AA1FF.dat (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
VundoFix V6.3.21
Checking Java version...
Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 11:24:56 PM 05/08/2007
Listing files found while scanning....
C:\WINDOWS\system32\aafcpqnb.dll
C:\WINDOWS\system32\afoucabe.dll
C:\WINDOWS\system32\atpfmhmh.dll
C:\WINDOWS\system32\beexwroe.dll
C:\WINDOWS\system32\bjhgebsa.dll
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\dlakfvoq.dll
C:\WINDOWS\system32\dnbmgwxv.dll
C:\WINDOWS\system32\dojhebdu.dll
C:\WINDOWS\system32\frmuruwu.dll
C:\WINDOWS\system32\hjaebfbh.dll
C:\WINDOWS\system32\hvrdfceu.dll
C:\WINDOWS\system32\knkwyvvj.dll
C:\WINDOWS\system32\nblxtyhy.dll
C:\WINDOWS\system32\opnnlmj.dll
C:\WINDOWS\system32\qpvfuaoi.dll
C:\WINDOWS\system32\sjxydfiv.dll
C:\WINDOWS\system32\tkciprrf.dll
C:\WINDOWS\system32\uctbcmxw.dll
C:\WINDOWS\system32\uhempafi.dll
C:\WINDOWS\system32\umvrpynu.dll
C:\WINDOWS\system32\unyprvmu.ini
C:\WINDOWS\system32\uwurumrf.ini
C:\WINDOWS\system32\yshrvwot.dll
C:\WINDOWS\system32\yxykndea.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\aafcpqnb.dll
C:\WINDOWS\system32\aafcpqnb.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\afoucabe.dll
C:\WINDOWS\system32\afoucabe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\atpfmhmh.dll
C:\WINDOWS\system32\atpfmhmh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\beexwroe.dll
C:\WINDOWS\system32\beexwroe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\bjhgebsa.dll
C:\WINDOWS\system32\bjhgebsa.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\ddccc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dlakfvoq.dll
C:\WINDOWS\system32\dlakfvoq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dnbmgwxv.dll
C:\WINDOWS\system32\dnbmgwxv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dojhebdu.dll
C:\WINDOWS\system32\dojhebdu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\frmuruwu.dll
C:\WINDOWS\system32\frmuruwu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjaebfbh.dll
C:\WINDOWS\system32\hjaebfbh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hvrdfceu.dll
C:\WINDOWS\system32\hvrdfceu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\knkwyvvj.dll
C:\WINDOWS\system32\knkwyvvj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nblxtyhy.dll
C:\WINDOWS\system32\nblxtyhy.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qpvfuaoi.dll
C:\WINDOWS\system32\qpvfuaoi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sjxydfiv.dll
C:\WINDOWS\system32\sjxydfiv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tkciprrf.dll
C:\WINDOWS\system32\tkciprrf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uctbcmxw.dll
C:\WINDOWS\system32\uctbcmxw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uhempafi.dll
C:\WINDOWS\system32\uhempafi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\umvrpynu.dll
C:\WINDOWS\system32\umvrpynu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\unyprvmu.ini
C:\WINDOWS\system32\unyprvmu.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\uwurumrf.ini
C:\WINDOWS\system32\uwurumrf.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\yshrvwot.dll
C:\WINDOWS\system32\yshrvwot.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yxykndea.dll
C:\WINDOWS\system32\yxykndea.dll Has been deleted!
Performing Repairs to the registry.
Done!
Budfred
05-09-2007, 11:07 PM
You need to run one more scan and then see if the rest will go with HJT...
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally, open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
Okay, see if you can fix the leftovers with HJT if they are still there:
O2 - BHO: (no name) - {732952D4-F54D-40A1-AE3C-B169780D811E} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
O20 - Winlogon Notify: opnnlmj - opnnlmj.dll (file missing)
O20 - Winlogon Notify: __c00AA1FF - C:\WINDOWS\system32\__c00AA1FF.dat (file missing)
If you did not install UltraVNC, check this too:
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
Close all open windows except HJT and press Fix checked...
Reboot, post a new HJT log and the SDFix log... Let me know how it is going...
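A small triage helper for HijackThis logs, added here as an example and not part of the thread or of HijackThis itself. It applies the same kinds of checks Budfred used by eye: entries whose target is marked missing, O20 Winlogon Notify DLLs outside an allowlist, O4 Run entries that load a DLL from system32 via rundll32, and O23 services with no publisher. The sample lines are copied from the logs in this thread; the allowlist (only WgaLogon.dll) and the flagging rules are my own assumptions, not a vendor signature set.

```python
import re

# Constructed sample: lines taken verbatim from the HJT logs posted in this thread
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {732952D4-F54D-40A1-AE3C-B169780D811E} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\rtvxyqvr.dll",realset
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O20 - Winlogon Notify: opnnlmj - opnnlmj.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c00AA1FF - C:\WINDOWS\system32\__c00AA1FF.dat (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O2 - BHO: ..." -> section tag and the rest of the line
HJT_LINE = re.compile(r"^(O\d+|R\d+)\s+-\s+(.*)$")
# HJT marks orphaned registry entries with one of these suffixes
MISSING = re.compile(r"\((?:file missing|no file)\)\s*$")
# rundll32 followed by the DLL it is told to load (optionally quoted)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+?\.dll)"?', re.IGNORECASE)

# Assumed allowlist of Winlogon Notify DLL basenames considered legitimate on
# this XP SP2 box; build your own baseline from a known-clean machine.
KNOWN_NOTIFY = {"wgalogon.dll"}


def triage(log_text):
    """Return a list of {'kind', 'line', 'reasons'} for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        if MISSING.search(body):
            reasons.append("target file missing: orphaned registry entry")
        if kind == "O20" and "Winlogon Notify" in body:
            # last ' - ' separated field is the DLL path; take its basename
            dll = body.rsplit(" - ", 1)[-1].split()[0].split("\\")[-1].lower()
            if dll not in KNOWN_NOTIFY:
                reasons.append("Winlogon Notify DLL not on allowlist")
        if kind == "O4":
            rm = RUNDLL.search(body)
            if rm and "\\system32\\" in rm.group(1).lower():
                reasons.append("rundll32 loading a DLL from system32 at logon")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], "|", "; ".join(f["reasons"]))
        print("   ", f["line"])
```

The output is a review list, not a verdict: the winvnc service is flagged only because the owner is unknown and the quoting breaks the path, which is exactly why Budfred asked whether UltraVNC was installed on purpose.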
Thanks Budfred, it all went well, here are the logs.
SDFix: Version 1.83
Run by Moore - 05/10/2007 - 22:23:28.28
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe:*:Disabled:backWeb-8876480"
"C:\\Program Files\\iMesh\\Client\\iMeshClient.exe"="C:\\Program Files\\iMesh\\Client\\iMeshClient.exe:*:Enabled:iMesh"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:RTC App Sharing"
"C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe"="C:\\Program Files\\iMesh\\iMesh5\\iMesh.exe:*:Enabled:iMesh 5"
"%windir%\\system32\\ccapp.exe"="%windir%\\system32\\ccapp.exe:*:Enabled:System Process"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire 4.2.6\\LimeWire.exe:*:Disabled:LimeWire"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
Checking For Files with Hidden Attributes:
Finished
Logfile of HijackThis v1.99.1
Scan saved at 1:34:26 AM, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\tools\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab47946.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\winvnc.exe" -service (file missing)
Budfred
05-11-2007, 08:59 AM
Assuming that you intend to use UltraVNC, your logs look okay... How is the problem doing at this point??