There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
 
Malware Removal & HijackThis Logs
Tag Cloud
audio bios blue screen boot bsod computer connection crash dcom dell driver drivers email error excel firefox freeze google hard drive hardware hijackthis internet keyboard laptop logon logs off malware microsoft motherboard network problem ram recovery router screen slow software sound trojan usb userinit.exe virus vista webcam wifi windows windows 7 windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Uncontrollable Pop Ups and Browser Closing (New)

Tip: Click here to scan for System Errors and Optimize PC performance
[ Sponsored Link ]

Closed Thread
Page 1 of 2 1 2
 
Thread Tools
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
29-Apr-2007, 10:01 PM #1
Uncontrollable Pop Ups and Browser Closing
I just recently have been having problems with multiple pop ups popping up in IE. Also some of them try and download things to my computer. Also my IE closes unexpectedly and when I start it up and look at my privacy settings it keeps setting to Accept al Cookies regardless of how many times I change it.

Here my HJT log let me know if anything looks fishy. thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:49:54 PM, on 4/29/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SPYWAREfighter\spftray.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\SPYWAREfighter\spfprc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {3F9D0C61-737D-44D1-BD80-91AF857061CC} - C:\WINDOWS\System32\jkkhedc.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {BD2E3B0E-F085-45C8-890C-2A99617FBB87} - C:\WINDOWS\System32\ursts.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\txopigth.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spftray.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\System32\ccxfposs.dll",realset
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\hqoilji.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://ca.west.com/CertControl/xenrlinf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://oma01appgw.west.com/wahatrai...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153609205197
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {666006C6-C743-11D5-BA02-00C04F2EFC0F} (ProxySupMain) - https://oma01appgw.west.com/wahatrai...a32/icaweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149447389286
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} (ShowSetupObj6 Class) - https://invite.mshow.com/(pdw1gz55b4...ShowSetup6.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - https://calltaking.workathomeagent.n...ostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teletech.webex.com/client/T2...ng/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.cciu.org/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://flowers-vpn.liveops.com/dana...erSetupSP1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b3.../java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: jkkhedc - C:\WINDOWS\SYSTEM32\jkkhedc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: ursts - C:\WINDOWS\System32\ursts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0049C1A - C:\WINDOWS\System32\__c0049C1A.dat
O20 - Winlogon Notify: __c0075FE4 - C:\WINDOWS\System32\__c0075FE4.dat
O20 - Winlogon Notify: __c009DABC - C:\WINDOWS\System32\__c009DABC.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPYWAREfighterRP - SpamFighter APS - C:\Program Files\SPYWAREfighter\spfprc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Register for free to hide this ad!
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
30-Apr-2007, 11:57 AM #2
Hi, Welcome to TSG!!

You need to go here and install "Service Pack 1" This will patch numerous security holes in IE and Windows. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

DO NOT install Service pack 2 yet. If you install SP 2 on an infected machine it will cause serious problems. Just get Service Pack 1 installed. After you get SP1 installed, restart your computer. Come back here and post the new Hijack This log.
__________________
Microsoft MVP/Windows - Consumer Security
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
30-Apr-2007, 08:29 PM #3
I'm having a problem installing Service Pack 1. I keep getting an error that says The file c:\windows\system32\drivers\ndis.sys is open or in use by another application. Close all other applications and then click retry.

The only time it doesn't say that is when I run the installation in Safe Mode. But even then I can't complete it because I can't connect to the internet while in safe mode. I can't figure out what program is using ndis.sys. What steps should I take from here?
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
01-May-2007, 05:51 PM #4
Download this tool
http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file and choose install.


Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security-programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn of your security programs while rootchk is scanning (you should then unhook your network connection as well)


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
__________________
Microsoft MVP/Windows - Consumer Security
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
01-May-2007, 08:47 PM #5
********************************* ROOTCHK-(30-04-07)-LOG, by ejvindh
Tue 05/01/2007 18:34:52.69

Driver kprof (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver ntldr.sys (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.
Driver poof (visible) is present. Run COMBOFIX by sUBs or SDFIX by AndyManchesta.

********************************* ROOTCHK-LOG-end


catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 18:34:55
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\0B2POJOR\CAM5IP3T.: 3789 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\HTW9BLNH\online-sweepstakes[1].: 19699 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\I7A101UR\keywords;kw=crackdown;dcopt=ist;tcat=1249;items= 157;sz=440x198;tile=5;ord=1171734319841;[1].: 4015 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\ILQBYF4V\pixel;sz=1x1;ord=9211755488347328[1].: 300 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\IZ0Z7KLC\click,AgAAAPB2AgARVgIAv7sBAAIANXUAAP8AAAADAQIABg FszgIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACTUEUYAAAAA,,http%3A%2F%2Fdelb[1].: 923 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\KTANK5I7\scores;sz=728x90;ord=1586124637938467[1].: 3019 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\LGUZ5B5O\comedy;sz=728x90;kch=2179803025;kbg=FFFFFF;kkw=C omedy;kracy=FLAGGED;kgender=m;kage=19;kvideoid=rDQvCAQyS3Y;ord=961714379980 9588[1].: 500 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\M94TVYYC\search[1].: 3110 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\M94TVYYC\CANWYFX1.: 3780 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\8VUX85GJ\myspace[1].: 44221 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\8XLUVDSC\a@Top1[1].: 1754 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\S4BXGI63\CA89YJ6D.: 461 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\SHAV4P6V\ads[1].: 4121 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\SX2B81MJ\CAYG3IGE.: 3782 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\SX2B81MJ\CA4FZ14E.: 3774 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\TAFTX2WM\optn=64[1].: 4591 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\U9IXULKN\B2132124;sz=728x90;ord=107135110[1].: 4396 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\VPTH69JI\3[1].: „ 310140 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\W5OLOL4Z\Type=click&FlightID=38787&AdID=64556&TargetID=71 66&Values=710&Redirect=;ord=diykdv,bcWqKfNngmqo[1].: 3910 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\W5OLOL4Z\Type=click&FlightID=38787&AdID=64556&TargetID=71 66&Values=710&Redirect=;ord=ewqwej,bcWrddssoIsj[1].: 3910 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\WX23012Z\search[1].: 5452 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\WX23012Z\search[2].: 3831 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\CP2RKHYZ\a@Top1[1].: 405 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\DCS4ZH2S\a@x15[1].: 533 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\2ZW5KNA7\a6mMYh3svgTs3cVGZb7RmFnTtrWTrFP3batUanvWEvbQEYFS VJZaPb6oSW7cVsMV4rmxmdArXEaM3tvFSGjH5AJImdPmVWJhXbQjXFYk0qeMSFvZbUFYQWd3Xor 7uRbFtYqnN3TBi4TU1oEnK1F7[1].: 4776 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\41YVMZ6F\comedy;sz=728x90;kch=2179803025;kbg=FFFFFF;kkw=C omedy;kracy=RACY;kgender=m;kage=19;kvideoid=yPfaeUmsYZM;ord=693428689511851 0[1].: 500 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\NNALU859\search[1].: 3210 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\O1M3CPEJ\skininfo[1].: 414 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\O1UV8TUV\slide_ticker_log[1].: 214 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\O4WV5RF1\optn=64[1].: 4384 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\OPEVGTA7\ads[1].: 6264 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\OW1TYRR1\aEmMQgorFxPFjMYEnn5qUd4aQPmEFIYrbcUt7Xn6rCpVvwoW rG5TBl5dmq5PZbZanbrEYG3UYVv1XVJOpTnQ5Uv2VUMZcWP72QTf5ScvtQHUu0tvoVmjM2VMUYU BAUmun5mFePABE2WBr1HnZdpWi[1].: 4814 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\PV1RHEJV\statepropertychick[1].: 20794 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\Q89LB3BR\The%20Chappelle%20Show[1].: 42981 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\F81V3YKD\ads[1].: 5950 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\GDMF8FUL\CAIL9GGJ.: 3801 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\9RDSDR3W\optn=64[1].: 4564 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\577Z6BD3\ads[1].: 8803 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\6WY9678P\fantasy[1].: „ 60847 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\79SKMSQ3\myspace[1].: 34613 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\79WLP3D1\search[1].: 22259 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\7QZED2PR\a3mMYh36UY5cM8UGr9WGM6RPJuWWM3UrZb53UAuVTnwTEQlQ E3KQG3ZdQrupRWUcWGr54UymnWinXa2y4WbZbPsrD2m3FmdAyTWfeYrf9YFF91EEMRrQZdTFU2T tvToF7oPbBy1EQm5TJg4a3XnTj[1].: 4172 bytes hidden from API
C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\7QZED2PR\click,AgAAAPB2AgDmmQQApbsBAAIAaXQAAP8AAAAGEAIABg LkdQEARs4CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABERKUYAAAAA,,http%3A%2F%2Fdelb2% 2Emyspace%2Ecom%2Fhtml[1].: 5706 bytes hidden from API

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 43
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
01-May-2007, 08:49 PM #6
ComboFix
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Chris\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\lvbkhvtu.dll
C:\WINDOWS\system32\oewkohcd.dll
C:\WINDOWS\system32\ruvcecvv.dll
C:\WINDOWS\system32\tpqlxvqr.dll
C:\WINDOWS\system32\vrejjqad.dll
C:\WINDOWS\system32\khfgeff.dll
C:\WINDOWS\system32\stsru.bak1
C:\WINDOWS\system32\stsru.bak2
C:\WINDOWS\system32\ursts.dll
C:\WINDOWS\system32\jkkhedc.dll
C:\WINDOWS\system32\stsru.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1275OinAdmin.exe
C:\Program Files\Common Files\Yazzle1275OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\DOCUME~1\User\APPLIC~1\Sskknwrd.dll
C:\install.log
C:\WINDOWS\svchost.exe
C:\cp1334.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Iprip
-------\kprof
-------\ntldr
-------\NwSapAgent
-------\poof
-------\LEGACY_IPRIP
-------\LEGACY_NTLDR
-------\LEGACY_NWSAPAGENT
-------\LEGACY_POOF


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-05-01 09:39 <DIR> d-------- C:\DOCUME~1\GUEST~1.CHR\APPLIC~1\Lavasoft
2007-05-01 09:20 <DIR> d-------- C:\DOCUME~1\GUEST~1.CHR\APPLIC~1\Juniper Networks
2007-05-01 07:44 132,660 --a------ C:\WINDOWS\system32\mxkghicn.dll
2007-05-01 00:14 98,304 --a------ C:\WINDOWS\system32\lffpx14N.dll
2007-05-01 00:14 86,016 --a------ C:\WINDOWS\system32\Lfpct14N.dll
2007-05-01 00:14 81,920 --a------ C:\WINDOWS\system32\Dlgobjs.dll
2007-05-01 00:14 73,728 --a------ C:\WINDOWS\system32\ltlst14N.dll
2007-05-01 00:14 69,632 --a------ C:\WINDOWS\system32\lfpsd14N.dll
2007-05-01 00:14 61,440 --a------ C:\WINDOWS\system32\Lfwmf14N.dll
2007-05-01 00:14 61,440 --a------ C:\WINDOWS\system32\lfgif14N.dll
2007-05-01 00:14 57,344 --a------ C:\WINDOWS\system32\lfbmp14N.dll
2007-05-01 00:14 53,248 --a------ C:\WINDOWS\system32\lttmb14N.dll
2007-05-01 00:14 53,248 --a------ C:\WINDOWS\system32\lfpcx14N.dll
2007-05-01 00:14 53,248 --a------ C:\WINDOWS\system32\lfiff14N.dll
2007-05-01 00:14 53,248 --a------ C:\WINDOWS\system32\lfclp14N.dll
2007-05-01 00:14 49,152 --a------ C:\WINDOWS\system32\lftga14N.dll
2007-05-01 00:14 49,152 --a------ C:\WINDOWS\system32\lfsgi14N.dll
2007-05-01 00:14 49,152 --a------ C:\WINDOWS\system32\lfras14N.dll
2007-05-01 00:14 487,424 --a------ C:\WINDOWS\system32\ltkrn14N.dll
2007-05-01 00:14 417,792 --a------ C:\WINDOWS\system32\Lfcmp14n.dll
2007-05-01 00:14 393,216 --a------ C:\WINDOWS\system32\lffpx7.dll
2007-05-01 00:14 303,104 --a------ C:\WINDOWS\system32\LTDIS14N.dll
2007-05-01 00:14 279,696 --a------ C:\WINDOWS\system32\Ltrtw14n.dll
2007-05-01 00:14 274,432 --a------ C:\WINDOWS\system32\ltefx14N.dll
2007-05-01 00:14 180,224 --a------ C:\WINDOWS\system32\ltfil14N.DLL
2007-05-01 00:14 172,032 --a------ C:\WINDOWS\system32\lftif14N.dll
2007-05-01 00:14 159,744 --a------ C:\WINDOWS\system32\Lfpng14N.dll
2007-05-01 00:14 151,552 --a------ C:\WINDOWS\system32\lttwn14n.dll
2007-05-01 00:14 126,976 --a------ C:\WINDOWS\system32\lfkodak.dll
2007-05-01 00:14 112,776 --a------ C:\WINDOWS\system32\LTRVR14n.dll
2007-05-01 00:14 102,400 --a------ C:\WINDOWS\system32\lffax14N.dll
2007-05-01 00:14 1,699,840 --a------ C:\WINDOWS\system32\LTCLR14N.dll
2007-05-01 00:14 1,126,400 --a------ C:\WINDOWS\system32\ltimg14N.dll
2007-05-01 00:14 <DIR> d-------- C:\Program Files\PhotoELF
2007-04-30 17:43 <DIR> d----c--- C:\61d7ddb89ce2f3e13337e4caddb09450
2007-04-30 15:45 <DIR> d----c--- C:\b35e27de76221047b2c
2007-04-30 14:58 <DIR> d----c--- C:\799b6f7929aab67082b2d782e0f371b5
2007-04-30 14:37 <DIR> d----c--- C:\852fc87ed
2007-04-30 09:00 <DIR> d-------- C:\DOCUME~1\GUEST~1.CHR\APPLIC~1\ICAClient
2007-04-29 19:23 <DIR> d-------- C:\Program Files\HJT
2007-04-29 14:08 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2007-04-29 14:08 550,400 --a------ C:\WINDOWS\system32\rtcdll.dll
2007-04-29 14:08 48,640 --a------ C:\WINDOWS\system32\browser.dll
2007-04-29 14:08 454,656 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-04-29 14:08 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2007-04-29 13:52 97,280 --a------ C:\WINDOWS\system32\txflog.dll
2007-04-29 13:52 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2007-04-29 13:52 442,880 --a------ C:\WINDOWS\system32\rpcrt4.dll
2007-04-29 13:52 226,816 --a------ C:\WINDOWS\system32\es.dll
2007-04-29 13:52 214,528 --a------ C:\WINDOWS\system32\rpcss.dll
2007-04-29 13:52 1,105,408 --a------ C:\WINDOWS\system32\ole32.dll
2007-04-29 09:56 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-04-29 07:35 <DIR> d---s---- C:\DOCUME~1\GUEST~1.CHR\UserData
2007-04-29 07:34 <DIR> d-------- C:\DOCUME~1\GUEST~1.CHR\APPLIC~1\Tenebril
2007-04-29 07:34 <DIR> d-------- C:\DOCUME~1\GUEST~1.CHR\APPLIC~1\Google
2007-04-28 23:09 524,288 --ah----- C:\DOCUME~1\ADMINI~1.CHR\NTUSER.DAT
2007-04-28 23:09 <DIR> d-------- C:\DOCUME~1\ADMINI~1.CHR\APPLIC~1\DivX
2007-04-28 22:38 <DIR> d--hs---- C:\WINDOWS\CSC
2007-04-28 21:41 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\.gaim
2007-04-28 07:40 795 --a--c--- C:\xcrashdump.dat
2007-04-28 07:35 54,784 --a------ C:\WINDOWS\cjipj.exe
2007-04-28 07:35 36,352 --a------ C:\WINDOWS\system32\__c009DABC.dat
2007-04-28 07:35 36,352 --a------ C:\WINDOWS\system32\__c0075FE4.dat
2007-04-28 07:35 36,352 --a------ C:\WINDOWS\system32\__c0049C1A.dat
2007-04-27 19:35 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Tenebril
2007-04-27 18:55 <DIR> d-------- C:\Program Files\WhatsRunning
2007-04-27 18:53 <DIR> d-------- C:\DOCUME~1\Faith\APPLIC~1\Vidalia
2007-04-27 18:52 <DIR> d-------- C:\Program Files\Vidalia
2007-04-27 18:52 <DIR> d-------- C:\Program Files\Tor
2007-04-27 18:52 <DIR> d-------- C:\Program Files\Privoxy
2007-04-27 18:52 <DIR> d-------- C:\DOCUME~1\Faith\APPLIC~1\Tor
2007-04-27 18:42 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2007-04-27 15:32 <DIR> d-------- C:\DOCUME~1\Faith\APPLIC~1\Tenebril
2007-04-27 15:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Tenebril
2007-04-27 15:05 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-04-27 15:05 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-04-27 12:32 21,504 --a------ C:\WINDOWS\system32\hqoilji.dll
2007-04-26 19:33 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-04-26 15:55 132,660 --a------ C:\WINDOWS\system32\ccxfposs.dll
2007-04-25 22:24 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-04-25 22:24 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-04-25 22:24 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-04-25 18:54 <DIR> d--h-c--- C:\WINDOWS\$MSI30UninstallMSI30-KB884016$
2007-04-25 04:06 <DIR> d-------- C:\Program Files\PC Camera
2007-04-25 04:06 <DIR> d-------- C:\Program Files\Common Files\PCCamera
2007-04-25 03:28 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
2007-04-25 03:28 <DIR> d----c--- C:\WUTemp
2007-04-24 17:20 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-24 17:09 <DIR> d-------- C:\DOCUME~1\DEFAUL~1.WIN\APPLIC~1\DivX
2007-04-24 17:04 8,704 --a------ C:\WINDOWS\system32\infoctrs.dll
2007-04-24 17:04 8,192 --a------ C:\WINDOWS\system32\staxmem.dll
2007-04-24 17:04 7,168 --a------ C:\WINDOWS\system32\wamregps.dll
2007-04-24 17:04 60,416 --a------ C:\WINDOWS\system32\iismap.dll
2007-04-24 17:04 6,144 --a------ C:\WINDOWS\system32\ftpsapi2.dll
2007-04-24 17:04 6,144 --a------ C:\WINDOWS\system32\admxprox.dll
2007-04-24 17:04 59,392 --a------ C:\WINDOWS\system32\iisext.dll
2007-04-24 17:04 56,320 --a------ C:\WINDOWS\system32\convlog.exe
2007-04-24 17:04 5,632 --a------ C:\WINDOWS\system32\w3svapi.dll
2007-04-24 17:04 5,632 --a------ C:\WINDOWS\system32\iisrstap.dll
2007-04-24 17:04 4,608 --a------ C:\WINDOWS\system32\w3ctrs.dll
2007-04-24 17:04 34,816 --a------ C:\WINDOWS\system32\admwprox.dll
2007-04-24 17:04 3,584 --a------ C:\WINDOWS\system32\iismui.dll
2007-04-24 17:04 249,344 --a------ C:\WINDOWS\system32\adsiis.dll
2007-04-24 17:04 19,968 --a------ C:\WINDOWS\system32\inetsloc.dll
2007-04-24 17:04 14,336 --a------ C:\WINDOWS\system32\iisreset.exe
2007-04-24 17:04 13,312 --a------ C:\WINDOWS\system32\exstrace.dll
2007-04-24 17:04 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-04-24 17:04 120,832 --a------ C:\WINDOWS\system32\iisRtl.dll
2007-04-24 17:04 11,776 --a------ C:\WINDOWS\system32\infoadmn.dll
2007-04-24 17:04 10,240 --a------ C:\WINDOWS\system32\aspperf.dll
2007-04-24 17:04 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-04-24 16:52 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2007-04-24 16:45 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-04-24 16:45 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-04-24 16:27 135,168 --a------ C:\WINDOWS\system32\igfxres.dll
2007-04-24 16:20 9,728 --a------ C:\WINDOWS\system32\smtpapi.dll
2007-04-24 16:20 9,216 --a------ C:\WINDOWS\system32\rwnh.dll
2007-04-24 16:20 7,168 --a------ C:\WINDOWS\system32\snprfdll.dll
2007-04-24 16:20 5,632 --a------ C:\WINDOWS\system32\adsiisex.dll
2007-04-24 16:20 43,520 --a------ C:\WINDOWS\system32\fcachdll.dll
2007-04-24 16:20 23,040 --a------ C:\WINDOWS\system32\regtrace.exe
2007-04-24 16:20 12,288 --a------ C:\WINDOWS\system32\smtpctrs.dll
2007-04-24 16:20 <DIR> d-------- C:\WINDOWS\system32\Cache
2007-04-24 16:19 96,256 --a------ C:\WINDOWS\system32\evntagnt.dll
2007-04-24 16:19 84,992 --a------ C:\WINDOWS\system32\evntwin.exe
2007-04-24 16:19 5,120 --a------ C:\WINDOWS\system32\snmpmib.dll
2007-04-24 16:19 35,328 --a------ C:\WINDOWS\system32\hostmib.dll
2007-04-24 16:19 22,528 --a------ C:\WINDOWS\system32\evntcmd.exe
2007-04-24 16:19 <DIR> d----c--- C:\Inetpub
2007-04-20 20:26 25,517 --a------ C:\WINDOWS\wkve.exe
2007-04-17 18:02 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\Intuit
2007-04-17 17:56 1,716,297 --a------ C:\WINDOWS\system32\InetClnt.dll
2007-04-17 17:52 <DIR> d-------- C:\DOCUME~1\Chris\APPLIC~1\InstallShield
2007-04-15 18:28 <DIR> d-------- C:\Program Files\Sony
2007-04-15 18:25 <DIR> d-------- C:\Program Files\Sony Setup
2007-04-09 20:49 <DIR> d-------- C:\Program Files\Veoh Networks


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-01 17:43 36352 --a------ C:\WINDOWS\system32\__c0049c1a.dat
2007-05-01 02:41 -------- d-------- C:\Program Files\hotshots
2007-04-29 09:27 -------- d--h----- C:\Program Files\windowsupdate
2007-04-29 03:05 -------- d-------- C:\Program Files\wisdom-soft autoscreenrecorder free
2007-04-28 21:39 -------- d-------- C:\Program Files\paltalk messenger interop
2007-04-25 04:13 -------- d--h----- C:\Program Files\installshield installation information
2007-04-24 17:05 23348 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-04-17 17:56 -------- d-------- C:\Program Files\Common Files\intuit
2007-04-17 17:54 -------- d-------- C:\Program Files\turbotax
2007-04-12 02:42 -------- d-------- C:\DOCUME~1\Chris\APPLIC~1\skype
2007-04-06 17:33 -------- d-------- C:\DOCUME~1\Chris\APPLIC~1\webex
2007-04-06 09:53 -------- d-------- C:\Program Files\taxcut business 2006
2007-04-04 17:45 199751 --a------ C:\WINDOWS\system32\atasnt40.dll
2007-03-30 02:15 -------- d-------- C:\DOCUME~1\Chris\APPLIC~1\msn6
2007-03-26 17:47 51304 --a------ C:\WINDOWS\system32\drivers\atnt40k.sys
2007-03-19 10:48 -------- d-------- C:\Program Files\deductionpro 2006
2007-03-18 12:57 -------- d-------- C:\Program Files\taxcut06
2007-03-18 12:54 51716 --a------ C:\WINDOWS\system32\pdf995mon.dll
2007-03-18 12:54 118784 --a------ C:\WINDOWS\system32\pdfmona.dll
2007-03-15 21:01 -------- d-------- C:\Program Files\divx
2007-03-14 01:28 -------- d-------- C:\DOCUME~1\Chris\APPLIC~1\vlc
2007-03-13 23:28 -------- d-------- C:\Program Files\videolan
2007-03-08 23:25 -------- d-------- C:\Program Files\itsdeductible2006
2007-03-07 12:59 -------- d-------- C:\Program Files\mshow client
2007-03-07 01:00 -------- d-------- C:\Program Files\firstclass
2007-03-07 01:00 -------- d-------- C:\DOCUME~1\Chris\APPLIC~1\installshield installation information
2007-03-07 00:53 304182 --a--c--- C:\StiImg.dat
2007-03-02 00:38 -------- d-------- C:\Program Files\corel
2007-03-02 00:22 3608 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-03-02 00:21 88 -rahs---- C:\WINDOWS\system32\f5bf2b91f7.sys
2007-02-22 23:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 23:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Brows er Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{0A87E45F-537A-40B4-B812-E2544C21A09F} C:\Program Files\SpyCatcher\SCActiveBlock.dll [x]
{724d43a9-0d85-11d4-9908-00400523e39a} C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3} C:\WINDOWS\System32\txopigth.dll [x]
{F9A7167C-5E46-458A-AF94-B3ACFBB36645} C:\WINDOWS\System32\ursts.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PRONoMgr.exe"="C:\\Program Files\\Intel\\PROSetWireless\\NCS\\PROSet\\PRONoMgr.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"WG511WLU"="C:\\Program Files\\NETGEAR\\WG511\\Utility\\WG511WLU.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"igfxtray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\System32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\System32\\igfxpers.exe"
"SoundMan"="SOUNDMAN.EXE"
"MSConfig"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RoboForm"="\"C:\\Program Files\\Siber Systems\\AI RoboForm\\RoboTaskBarIcon.exe\""
"Regscan"="C:\\WINDOWS\\System32\\regscan.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier. exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceob jectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0049C1A
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0075FE4
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009DABC

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\America Online 8.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 8.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0A\\aoltray.exe -check"
"item"="America Online 8.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\hp psc 1000 series.lnk"
"backup"="C:\\WINDOWS\\pss\\hp psc 1000 series.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpohmr08.exe "
"item"="hp psc 1000 series"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpotdd01.exe "
"item"="hpoddt01.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\InterVideo WinCinema Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\InterVideo WinCinema Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\INTERV~1\\Common\\Bin\\WINCIN~1.EXE "
"item"="InterVideo WinCinema Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\SpyCatcher Protector.lnk"
"backup"="C:\\WINDOWS\\pss\\SpyCatcher Protector.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SPYCAT~1\\PROTEC~1.EXE "
"item"="SpyCatcher Protector"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F11AEDC.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F11AEDC"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Faith\\LOCALS~1\\Temp\\_A00F11AEDC.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F11AEE6.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F11AEE6"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Faith\\LOCALS~1\\Temp\\_A00F11AEE6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F11C030.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F11C030"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Faith\\LOCALS~1\\Temp\\_A00F11C030.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F11C17B.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_A00F11C17B"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\Faith\\LOCALS~1\\Temp\\_A00F11C17B.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim6"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\City of Heroes NCsoft crack]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="City of Heroes NCsoft crack"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Chris\\Shared\\City of Heroes NCsoft crack.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1131490230\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DLM"
"hkey"="HKCU"
"command"="C:\\Program Files\\IGN\\Download Manager\\DLM.exe /windowsstart /startifwork"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mxkghicn"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\System32\\mxkghicn.dll\",realset"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MegaPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HSTrans"
"hkey"="HKLM"
"command"="C:\\Program Files\\ACNielsen\\Homescan Internet Transporter\\HSTrans.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SemanticInsight"
"hkey"="HKLM"
"command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier. exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VeohClient"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe\" /VeohHide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SavRoam"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
01-May-2007, 08:51 PM #7
ComboFix continued
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20050405-173833-209
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
backup-20050317-122502-533
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
backup-20050317-104745-653
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
backup-20050317-104513-197
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-104513-568
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-104513-617
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-104513-814
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-104513-297
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-104513-948
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090406-853
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Program Files\IEMenuExtension\tbextn.dll
backup-20050317-090406-826
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090406-914
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090406-871
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090406-476
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090406-758
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090406-762
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090338-947
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090338-240
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090338-326
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090338-703
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090338-375
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090338-446
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090321-150
O15 - Trusted IP range: 213.159.117.202 (HKLM)
backup-20050317-090321-900
O15 - Trusted IP range: 213.159.117.202
backup-20050317-090321-968
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090321-974
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090321-113
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
backup-20050317-090321-257
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090321-239
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
backup-20050317-090321-957
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
backup-20050317-090001-153
O15 - Trusted Zone: *.windupdates.com
backup-20050317-090001-844
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
backup-20050317-090001-175
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
backup-20050317-090001-393
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
backup-20050317-085453-302
O15 - Trusted Zone: *.windupdates.com (HKLM)
backup-20050317-085453-917
O15 - Trusted Zone: *.my-internet.info (HKLM)
backup-20050317-085453-727
O15 - Trusted Zone: *.mt-download.com (HKLM)
backup-20050317-085453-218
O15 - Trusted Zone: *.ysbweb.com
backup-20050317-085252-449
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
backup-20050317-084822-147
O4 - HKCU\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
backup-20050317-084557-216
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
backup-20050317-084557-575
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
backup-20050317-084431-975
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
backup-20050317-084327-921
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
backup-20050317-084256-133
O15 - Trusted Zone: *.ysbweb.com (HKLM)
backup-20050317-084256-510
O15 - Trusted Zone: *.slotchbar.com (HKLM)
backup-20050317-084256-241
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
backup-20050317-084256-739
O15 - Trusted Zone: *.slotch.com (HKLM)
backup-20050317-084255-236
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
backup-20050317-084255-965
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
backup-20050317-084255-336
O15 - Trusted Zone: *.flingstone.com (HKLM)
backup-20050317-084255-980
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
backup-20050317-084255-327
O15 - Trusted Zone: *.clickspring.net (HKLM)
backup-20050317-084255-232
O15 - Trusted Zone: *.blazefind.com (HKLM)
backup-20050317-084255-381
O15 - Trusted Zone: *.slotchbar.com
backup-20050317-084255-221
O15 - Trusted Zone: *.slotch.com
backup-20050317-084255-474
O15 - Trusted Zone: *.searchmiracle.com
backup-20050317-084255-467
O15 - Trusted Zone: *.skoobidoo.com
backup-20050317-084255-590
O15 - Trusted Zone: *.my-internet.info
backup-20050317-084255-946
O15 - Trusted Zone: *.searchbarcash.com
backup-20050317-084255-323
O15 - Trusted Zone: *.mt-download.com
backup-20050317-084255-749
O15 - Trusted Zone: *.iframedollars.biz
backup-20050317-084255-263
O15 - Trusted Zone: *.flingstone.com
backup-20050317-084255-930
O15 - Trusted Zone: *.clickspring.net
backup-20050317-084255-429
O15 - Trusted Zone: *.blazefind.com
backup-20050317-084255-494
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
backup-20050310-183559-248
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
backup-20050310-182850-394
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
backup-20050310-182850-369
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
backup-20050310-182850-734
O1 - Hosts: 127.0.0.3 megapornix.com
backup-20050310-182850-935
O1 - Hosts: 127.0.0.3 sp2****ed.biz
backup-20050310-182850-363
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
backup-20050310-182850-545
O1 - Hosts: 127.0.0.3 www.megapornix.com
backup-20050310-182850-392
O1 - Hosts: 127.0.0.3 www.slutmania.biz
backup-20050310-182850-804
O1 - Hosts: 127.0.0.3 toolbarpartner.com
backup-20050310-182850-252
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
backup-20050310-182850-310
O1 - Hosts: 127.0.0.3 slutmania.biz
backup-20050310-182850-249
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
backup-20050310-182850-779
O1 - Hosts: 127.0.0.3 buldog-stats.com
backup-20050310-182850-358
O1 - Hosts: 127.0.0.3 awmcash.biz
backup-20050310-182850-389
O1 - Hosts: 127.0.0.3 www.awmcash.biz
backup-20050310-182850-447
O1 - Hosts: 127.0.0.3 virgin-tgp.net
backup-20050310-182850-464
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
backup-20050310-182850-297
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
backup-20050310-182850-415
O1 - Hosts: 127.0.0.3 aaasexypics.com
backup-20050310-182850-162
O1 - Hosts: 127.0.0.3 pizdato.biz
backup-20050310-182850-132
O1 - Hosts: 127.0.0.3 www.pizdato.biz
backup-20050310-182850-325
O1 - Hosts: 127.0.0.3 vesbiz.biz
backup-20050310-182850-540
O1 - Hosts: 127.0.0.3 www.newiframe.biz
backup-20050310-182850-612
O1 - Hosts: 127.0.0.3 newiframe.biz
backup-20050310-182850-255
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
backup-20050310-182850-298
O1 - Hosts: 127.0.0.3 iframe.biz
backup-20050310-182850-868
O1 - Hosts: 127.0.0.3 www.iframe.biz
backup-20050310-182850-814
O1 - Hosts: 127.0.0.3 www.allforadult.com
backup-20050310-182850-322
O1 - Hosts: 127.0.0.3 allforadult.com
backup-20050310-182850-926
O1 - Hosts: 127.0.0.3 awmdabest.com
backup-20050310-182850-595
O1 - Hosts: 127.0.0.3 sexfiles.nu
backup-20050310-182850-930
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
backup-20050310-182850-663
O1 - Hosts: 127.0.0.3 www.awmdabest.com
backup-20050310-182850-841
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
backup-20050310-182850-495
O1 - Hosts: 127.0.0.3 vparivalka.com
backup-20050310-182850-100
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
backup-20050310-182850-586
O1 - Hosts: 127.0.0.3 nylonsexy.com
backup-20050310-182850-137
O1 - Hosts: 127.0.0.3 www.greg-tut.com

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1115337418.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 19:23:23
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 19:27:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 19:27
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
01-May-2007, 08:51 PM #8
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 7:42:29 PM, on 5/1/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\txopigth.dll (file missing)
O2 - BHO: (no name) - {F9A7167C-5E46-458A-AF94-B3ACFBB36645} - C:\WINDOWS\System32\ursts.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://ca.west.com/CertControl/xenrlinf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://oma01appgw.west.com/wahatrai...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153609205197
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {666006C6-C743-11D5-BA02-00C04F2EFC0F} (ProxySupMain) - https://oma01appgw.west.com/wahatrai...a32/icaweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149447389286
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} (ShowSetupObj6 Class) - https://invite.mshow.com/(pdw1gz55b4...ShowSetup6.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - https://calltaking.workathomeagent.n...ostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teletech.webex.com/client/T2...ng/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.cciu.org/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://flowers-vpn.liveops.com/dana...erSetupSP1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b3.../java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0049C1A - C:\WINDOWS\System32\__c0049C1A.dat
O20 - Winlogon Notify: __c0075FE4 - C:\WINDOWS\System32\__c0075FE4.dat
O20 - Winlogon Notify: __c009DABC - C:\WINDOWS\System32\__c009DABC.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
02-May-2007, 10:29 AM #9
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
__________________
Microsoft MVP/Windows - Consumer Security
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
02-May-2007, 08:31 PM #10
SDFix: Version 1.81

Run by Chris - Wed 05/02/2007 - 18:59:58.56

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\odbc.INI - Deleted
C:\WINDOWS\system32\form.txt - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enable d:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameter s\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enable d:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\Faith\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe
C:\Documents and Settings\Guest.CHRIS-0WW1B6UF6\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\America Online 8.0a\aolphx.exe
C:\Program Files\America Online 8.0a\aoltray.exe
C:\Program Files\America Online 8.0a\RBM.exe
C:\Program Files\America Online 8.0a\waol.exe
C:\Program Files\America Online 8.0a\COMIT\cswitch.exe
C:\WINDOWS\system32\F5BF2B91F7.sys
C:\WINDOWS\system32\KGyGaAvL.sys
C:\Program Files\InterActual\InterActual Player\iti1.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished

Logfile of HijackThis v1.99.1
Scan saved at 7:30:07 PM, on 5/2/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\txopigth.dll (file missing)
O2 - BHO: (no name) - {F9A7167C-5E46-458A-AF94-B3ACFBB36645} - C:\WINDOWS\System32\ursts.dll (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://ca.west.com/CertControl/xenrlinf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://oma01appgw.west.com/wahatrai...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153609205197
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {666006C6-C743-11D5-BA02-00C04F2EFC0F} (ProxySupMain) - https://oma01appgw.west.com/wahatrai...a32/icaweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149447389286
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} (ShowSetupObj6 Class) - https://invite.mshow.com/(pdw1gz55b4...ShowSetup6.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - https://calltaking.workathomeagent.n...ostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teletech.webex.com/client/T2...ng/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.cciu.org/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://flowers-vpn.liveops.com/dana...erSetupSP1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b3.../java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: __c0049C1A - C:\WINDOWS\System32\__c0049C1A.dat
O20 - Winlogon Notify: __c0075FE4 - C:\WINDOWS\System32\__c0075FE4.dat
O20 - Winlogon Notify: __c009DABC - C:\WINDOWS\System32\__c009DABC.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
03-May-2007, 10:11 AM #11
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy the entire contents of the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Registry keys to delete:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0049C1A
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0075FE4
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009DABC


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh hijackthis log.


Run HJT again and put a check in the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\txopigth.dll (file missing)
O2 - BHO: (no name) - {F9A7167C-5E46-458A-AF94-B3ACFBB36645} - C:\WINDOWS\System32\ursts.dll (file missing)
O20 - Winlogon Notify: __c0049C1A - C:\WINDOWS\System32\__c0049C1A.dat
O20 - Winlogon Notify: __c0075FE4 - C:\WINDOWS\System32\__c0075FE4.dat
O20 - Winlogon Notify: __c009DABC - C:\WINDOWS\System32\__c009DABC.dat

Close all applications and browser windows before you click "fix checked".


Download this tool to your desktop:
http://www.mvps.org/winhelp2002/DelDomains.inf
Right click on the file and choose install.


Download the HostsXpert 3.8 - Hosts File Manager.
  • Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert 3.8 - Hosts File Manager
  • Run HostsXpert 3.8 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


You need to go here and install "Service Pack 1" This will patch numerous security holes in IE and Windows. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

DO NOT install Service pack 2 yet. If you install SP 2 on an infected machine it will cause serious problems. Just get Service Pack 1 installed. After you get SP1 installed, restart your computer. Come back here and post the new Hijack This log.
__________________
Microsoft MVP/Windows - Consumer Security
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
03-May-2007, 03:36 PM #12
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wfeqmvdo

*******************

Script file located at: \??\C:\WINDOWS\System32\qybctchp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0049C1A deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c0075FE4 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c009DABC deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 3:34:59 PM, on 5/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://ca.west.com/CertControl/xenrlinf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://oma01appgw.west.com/wahatrai...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153609205197
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {666006C6-C743-11D5-BA02-00C04F2EFC0F} (ProxySupMain) - https://oma01appgw.west.com/wahatrai...a32/icaweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149447389286
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} (ShowSetupObj6 Class) - https://invite.mshow.com/(pdw1gz55b4...ShowSetup6.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - https://calltaking.workathomeagent.n...ostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teletech.webex.com/client/T2...ng/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.cciu.org/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://flowers-vpn.liveops.com/dana...erSetupSP1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b3.../java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
03-May-2007, 05:39 PM #13
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.





Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
  • Click Close to exit the program.
__________________
Microsoft MVP/Windows - Consumer Security
TruMack247's Avatar
Junior Member with 10 posts.
  
Join Date: Apr 2007
Experience: Intermediate
04-May-2007, 04:12 PM #14
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/04/2007 at 02:47 PM

Application Version : 3.7.1018

Core Rules Database Version : 3228
Trace Rules Database Version: 1239

Scan type : Complete Scan
Total Scan Time : 01:09:47

Memory items scanned : 430
Memory threats detected : 0
Registry items scanned : 6854
Registry threats detected : 0
File items scanned : 59478
File threats detected : 28

Adware.Tracking Cookie
C:\Documents and Settings\Chris\Cookies\chris@tribalfusion[2].txt
C:\Documents and Settings\Chris\Cookies\chris@atwola[1].txt
C:\Documents and Settings\Chris\Cookies\chris@burstnet[2].txt
C:\Documents and Settings\Chris\Cookies\chris@6038405[1].txt
C:\Documents and Settings\Chris\Cookies\chris@server.iad.liveperson[1].txt
C:\Documents and Settings\Chris\Cookies\chris@2o7[1].txt
C:\Documents and Settings\Chris\Cookies\chris@ads.pointroll[2].txt
C:\Documents and Settings\Chris\Cookies\chris@realmedia[2].txt
C:\Documents and Settings\Chris\Cookies\chris@questionmarket[2].txt
C:\Documents and Settings\Chris\Cookies\chris@ad.yieldmanager[1].txt
C:\Documents and Settings\Chris\Cookies\chris@xiti[1].txt
C:\Documents and Settings\Chris\Cookies\chris@casalemedia[1].txt
C:\Documents and Settings\Chris\Cookies\chris@fastclick[2].txt
C:\Documents and Settings\Chris\Cookies\chris@atdmt[2].txt
C:\Documents and Settings\Chris\Cookies\chris@www.burstnet[1].txt
C:\Documents and Settings\Chris\Cookies\chris@cpvfeed[2].txt
C:\Documents and Settings\Chris\Cookies\chris@advertising[2].txt
C:\Documents and Settings\Chris\Cookies\chris@advertising.paltalk[1].txt
C:\Documents and Settings\Chris\Cookies\chris@revsci[2].txt
C:\Documents and Settings\Chris\Cookies\chris@indexstats[2].txt

Adware.Zango Toolbar/Hb
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\v3.0\zangotoolbar\static\1
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\v3.0\zangotoolbar\static\DownLoad
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\v3.0\zangotoolbar\static
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\v3.0\zangotoolbar
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\v3.0
C:\Documents and Settings\Chris\Application Data\ZangoToolbar\zbar.log
C:\Documents and Settings\Chris\Application Data\ZangoToolbar

Trojan.Downloader-MSNETAX
C:\SYSTEM VOLUME INFORMATION\_RESTORE{1BCE80F0-1A4F-4CC4-A95F-B3E05686310B}\RP47\A0054990.DLL

Logfile of HijackThis v1.99.1
Scan saved at 4:11:36 PM, on 5/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\PSIService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\HJT\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Chris\Start Menu\Programs\>IMVU\Run IMVU.lnk (file missing)
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://ca.west.com/CertControl/xenrlinf.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://oma01appgw.west.com/wahatrai...a32/wficat.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by124w.bay124.mail.live.com/m...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1153609205197
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {666006C6-C743-11D5-BA02-00C04F2EFC0F} (ProxySupMain) - https://oma01appgw.west.com/wahatrai...a32/icaweb.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1149447389286
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/C...CamControl.ocx
O16 - DPF: {BE7DBB5F-6377-405E-9040-F8C95C6997B6} (ShowSetupObj6 Class) - https://invite.mshow.com/(pdw1gz55b4...ShowSetup6.cab
O16 - DPF: {D8EE8DC0-F193-11D0-B1E5-08005A885319} (MicroX Persistent Mainframe Display Control) - https://calltaking.workathomeagent.n...ostexpress.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://teletech.webex.com/client/T2...ng/ieatgpc.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} (PWLNINST Control) - http://plato.cciu.org/Pathways/pway_...b/pwlninst.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://flowers-vpn.liveops.com/dana...erSetupSP1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/7530-b3.../java/RntX.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/...ad/XUpload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\System32\PSIService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
cybertech's Avatar
Computer Specs
Moderator with 68,814 posts.
  
Join Date: Apr 2002
Location: Washington State
04-May-2007, 04:45 PM #15
Looks fine. How is it running now? Any problems?
Closed Thread Bookmark and Share   techguy.org/568151
Page 1 of 2 1 2

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Smart Search

Find your solution!


« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.

Thread Tools


Twitter Twitter! | Podcast | Mobile | Advertise
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -5. The time now is 01:20 PM.
Copyright © 1996 - 2010 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2010, Jelsoft Enterprises Ltd.
 Powered by Cermak Technologies, Inc.