Hacktool:Exploit/iFrame

morpheus63 · 10:39 PM

Hi Guys,

I've been suspecting that someone or something has hacked my computer, so I did a system scan with panda activescan and this has confirmed my suspicions. Its seems these files are located in Outlook 2000.

I've been suspicious about this for a few weeks but last night when some of my clients were receiving email failed notices when trying to send me emails - one of them asked if I was using a blackberry phone and whether my emails were being redirected to this phone, to which I answered "no". Therefore it appears that what ever hacker tool is lurking in Outlook could be redirecting my emails to someone else. This is only my assumption and I would like someone to confirm if this is in fact correct.

Can someone help to remove all the hacking tools in Outlook 2000, and also the spyware that activescan has picked up.

I have attached the results of activescan and also a hijackthis log file. Both are attached in notepad.

Thanks.

Kind Regards,
Brian

morpheus63 · 26-Aug-2007, 08:24 AM #2

Hi,

Just while I'm waiting for a response to this post I thought I'd update you so you have more information to better help me.

Its seems that the email diversion I mentioned in my previous post is in fact incorrect - it seems the problem is my service provider. However my system has been extremely slow and I feel their is a problem which is highlighted in the ActiveScan log file.

I would like someone to look at the attached log files and help me to remove the spyware, hacking tools and adware that seems to be causing these problems.

I have removed the 3 emails which were classed as Hacktool:Exploit/iFrame, however all 3 emails had no information in the body of the email - it was blank. I'm not sure what this means but I thought I'd mention it anyway.

I look forward to hearing from someone.

Thanks,
Brian

Kenny94 · 08-Sep-2007, 04:24 PM #3

Hi morpheus63

The hacking tools were Disinfected so they were deleted by the Panda online scanner

Quote:

I have removed the 3 emails which were classed as Hacktool:Exploit/iFrame, however all 3 emails had no information in the body of the email - it was blank. I'm not sure what this means but I thought I'd mention it anyway.

You have received some infected emails that should be deleted from your computer.
Please perform these instructions to get rid of them: (If you had not done so)
1. Close all programs so that you have nothing open and are at the Desktop.
2. Launch your email application.
3. Look through the list of emails in your Inbox and delete all those that appear to be Mail Delivery failure or similar.
4. Empty your Deleted Items folder.

Please do not Attach logs, it's harder to read this way.

Download and install AVG Anti-Spyware v7.5

After download, double click on the file to launch the install process.
Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.
Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update".
Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.
Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:

Click on the "Scanner" button and choose the "Settings" tab.
Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
Under "How to Scan? ", "Possibly unwanted software", and What to Scan?" leave all the default settings.
Under "Reports" select "Do not automatically generate reports".
Click the "Scan" tab to return to scanning options.
Click "Complete System Scan" to start.
When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the :Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period.

In your next reply, please include these log(s):

* AVG Anti-Spyware report
* HijackThis log (new)

morpheus63 · 10-Sep-2007, 09:27 AM #4

Hi Kenny94,

Thanks for your response.

Quote:

The hacking tools were Disinfected so they were deleted by the Panda online scanner

Just to clarify that the hacking tools could not have been deleted by Panda Online Scanner because it states next to each item "not disenfected".

I wasnt able to run AVG Anti-Spyware in Safe Mode because I could not find the icon in this mode even after following your instructions - so I had to run it in normal mode.

I have attached a log file for both AVG Anti-Spyware and HijackThis as you requested.

Thanks

Kind Regards,
Brian
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:46:33 PM 10/09/2007

+ Scan result:

:mozilla.64:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.66:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.69:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.109:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.110:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.111:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.112:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.39:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.40:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.41:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.42:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.43:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.65:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.67:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.68:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.70:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.58:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.59:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.103:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.104:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.105:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.106:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.107:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.108:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.29:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.30:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.31:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.32:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.33:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.34:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.35:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.36:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.37:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.78:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.79:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.80:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.81:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.82:C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 10:52:46 PM, on 10/09/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk\PDesk.exe
C:\WINNT\soundman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Evidence Eliminator\ee.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\pdaBusiness\Qlock\Qlock.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
D:\Setup Software\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cable.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles/fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Shortcut to Fax.lnk = ?
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Qlock.lnk = C:\Program Files\pdaBusiness\Qlock\Qlock.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: BGL WebBanking - https://ebanking.bgl.lu/classes/dubgl.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {11A724DE-E7C8-1759-23F1-5D20243861E5} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {297CD482-9C4E-32BC-87F5-384B5DEC8306} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3C77EFAC-7667-4A9A-2533-0A47481A754F} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {3E18C866-5E9F-25B7-96A5-728D2F42EC79} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {453EFBEE-46D5-2272-70A7-3FD45CF69BD6} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {512ED6BC-ECB1-1B3C-26F9-78005CB5CF13} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {58116E9D-4952-2A46-EAED-1B1677A6C564} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {59D22F56-F3CC-465F-2F5E-3EA33E388832} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123032575281
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {6BCB8C39-E119-6580-BDB7-62C500FE06A9} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {708D93A6-A816-755E-606A-0DEC67D98B85} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {781D5EA7-BD54-6323-F47B-53A559038A5D} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {7A1AF77F-6743-4938-96E3-09D25EAB9EA2} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7EBC6081-586C-6492-E962-783562E03B4D} - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://sunshinecoast.worldtourism.co...al/svideo3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} - http://www.tradeexit.com/Config.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {FDF08AD8-FF1A-11D3-AD38-00105A49098D} (MSSignData Control) - https://www.rbworld.lv/bankworld/en/...MSSignData.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\System32\mgabg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

Kenny94 · 10-Sep-2007, 09:59 PM #5

Hi morpheus63

Quote:

Just to clarify that the hacking tools could not have been deleted by Panda Online Scanner because it states next to each item "not disenfected".

Yeah! I see now.. I'm on my home computer now, that Panda online scanner said "not disenfected" ....

Quote:

I wasnt able to run AVG Anti-Spyware in Safe Mode because I could not find the icon in this mode even after following your instructions - so I had to run it in normal mode.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC?s (family PC?s) present a different problem; please tell me if your PC has more than one individual?s setting, but continue with the fix.

Lets play it safe and download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

In your next reply, please include these log(s):

Dr.Web Cureit.
Deckard's System Scanner contents

morpheus63 · 11-Sep-2007, 11:47 PM #6

Hi Kenny94,

Quote:

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC?s (family PC?s) present a different problem; please tell me if your PC has more than one individual?s setting, but continue with the fix.

I do have Administrator rights but I logged into my main identity to use Safe Mode on this occasion. This PC is only used by myself under the main identity. I never use the Administrator identity to work from, only my main identity.

Dr Web Curit scan produced no results therefore no report was generated.

The 2 reports from DSS are below as requested. I will need to create 2 posts because there are too many characters for one post. The main.txt is below and the extra.txt will be in the 2nd post.

Thanks again.

Kind Regards,
Brian

Deckard's System Scanner v20070905.67
Run by Brian on 2007-09-12 08:07:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 85% (more than 75%).

-- HijackThis (run as Brian.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-09-12 08:08:41
Platform: Windows 2000 Service Pack 3 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\system32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\PDesk\pdesk.exe
C:\WINNT\soundman.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Evidence Eliminator\Ee.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\CTFMON.EXE
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\pdaBusiness\Qlock\Qlock.exe
C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgw.exe
C:\Documents and Settings\brian.PENTIUM4\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cable.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.msn.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKEY_LOCAL_MACHINE\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKEY_LOCAL_MACHINE\..\Run: [SoundMan] soundman.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [LoadQM] loadqm.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [POINTER] point32.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKEY_LOCAL_MACHINE\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKEY_LOCAL_MACHINE\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKEY_LOCAL_MACHINE\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKEY_LOCAL_MACHINE\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKEY_LOCAL_MACHINE\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKEY_LOCAL_MACHINE\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Evidence Eliminator] C:\Program Files\Evidence Eliminator\ee.exe /m
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\MSN Messenger\msnmsgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles/fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Shortcut to Fax.lnk =
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\EspMain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Qlock.lnk = C:\Program Files\pdaBusiness\Qlock\Qlock.exe
O4 - Global Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.2\CM_camera.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: (no name) - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra 'Tools' menuitem: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O10 - Unknown file in Winsock LSP: C:\WINNT\system32\winrnr.dll
O15 - Trusted Zone: *.*.windowsupdate.microsoft.com (HKCU)
O15 - Trusted Zone: https://*.update.microsoft.com (HKCU)
O15 - Trusted Zone: https://download.windowsupdate.com (HKCU)
O15 - Trusted IP Range: 206.161.125.149 (HKEY_LOCAL_MACHINE)
O16 - DPF: BGL WebBanking () - https://ebanking.bgl.lu/classes/dubgl.cab
O16 - DPF: Yahoo! Chat () - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11A724DE-E7C8-1759-23F1-5D20243861E5} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {297CD482-9C4E-32BC-87F5-384B5DEC8306} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
O16 - DPF: {3C77EFAC-7667-4A9A-2533-0A47481A754F} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {3E18C866-5E9F-25B7-96A5-728D2F42EC79} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} () - http://download.microsoft.com/downlo...1F/wmvadvd.cab
O16 - DPF: {453EFBEE-46D5-2272-70A7-3FD45CF69BD6} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {512ED6BC-ECB1-1B3C-26F9-78005CB5CF13} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {58116E9D-4952-2A46-EAED-1B1677A6C564} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {59D22F56-F3CC-465F-2F5E-3EA33E388832} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123032575281
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {6BCB8C39-E119-6580-BDB7-62C500FE06A9} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {708D93A6-A816-755E-606A-0DEC67D98B85} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {781D5EA7-BD54-6323-F47B-53A559038A5D} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {7A1AF77F-6743-4938-96E3-09D25EAB9EA2} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {7EBC6081-586C-6492-E962-783562E03B4D} () - http://64.237.41.215/1/rdgAU409.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...897.7801388889
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) - http://java.sun.com/products/plugin/...ndows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://sunshinecoast.worldtourism.co...al/svideo3.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F0230524-9D39-4E84-8452-41C592961EA7} () - http://www.tradeexit.com/Config.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O16 - DPF: {FDF08AD8-FF1A-11D3-AD38-00105A49098D} (MSSignData Control) - https://www.rbworld.lv/bankworld/en/...MSSignData.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: sclgntfy - C:\WINNT\system32\sclgntfy.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ousbehci (NEC PCI to USB Enhanced Host Controller) - c:\winnt\system32\drivers\ousbehci.sys <Not Verified; OrangeWare Corporation; USB 2.0 Enhanced Host Controller Driver>
R2 Sentinel - c:\winnt\system32\drivers\sentinel.sys
R3 G550DH - c:\winnt\system32\drivers\g550dhm.sys <Not Verified; Matrox Graphics Inc.; Matrox G550DH Miniport Driver>
R3 ousb2hub (OrangeWare USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\ousb2hub.sys <Not Verified; OrangeWare Corporation; USB 2.0 Hub Driver>
R3 WinDriver (WinDriver kernel module) - c:\winnt\system32\drivers\windrvr.sys <Not Verified; Jungo; WinDriver Device Driver>

S3 ichaud (Service for AC'97 Driver (WDM)) - c:\winnt\system32\drivers\ichaud.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
S3 UtilNT - c:\winnt\system32\drivers\utilnt.sys <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. UtilNt>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Iprip (RIP Listener) - c:\winnt\system32\svchost.exe -k netsvcs <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
R2 MGABGEXE - c:\winnt\system32\mgabg.exe <Not Verified; Matrox Graphics Inc.; Matrox Graphics Inc. MGABG>
R2 SimpTcp (Simple TCP/IP Services) - c:\winnt\system32\tcpsvcs.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>

S3 LPDSVC (TCP/IP Print Server) - c:\winnt\system32\tcpsvcs.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2003-09-29 10:28:32 390 --a------ C:\WINNT\Tasks\{B4F7C33D-C938-44E0-AEC3-FC86B6031AE5}_PENTIUM4_Brian.job
2003-09-29 10:28:32 390 --a------ C:\WINNT\Tasks\{A8568C7B-F922-433E-B6A1-5D16074C2EFE}_PENTIUM4_Brian.job
2003-09-29 10:28:32 390 --a------ C:\WINNT\Tasks\{1CF3BEC5-7FAE-4661-93DD-15B82C03A4D1}_PENTIUM4_Brian.job
2003-09-29 10:25:56 390 --a------ C:\WINNT\Tasks\{6AB86C6E-3C53-4EB8-BE58-F74521F9D5C9}_PENTIUM4_Brian.job
2003-09-29 10:25:56 390 --a------ C:\WINNT\Tasks\{67D64908-BDC5-40C7-93C1-0C86D33D116F}_PENTIUM4_Brian.job
2003-09-29 10:25:56 390 --a------ C:\WINNT\Tasks\{0BE2E5BF-80C6-47F9-B263-B9898B64ECD1}_PENTIUM4_Brian.job
2003-09-29 10:25:20 390 --a------ C:\WINNT\Tasks\{EF52F857-561A-4EC1-BC54-2237AAE0987A}_PENTIUM4_Brian.job
2003-09-29 10:25:20 390 --a------ C:\WINNT\Tasks\{85400A5E-9476-4F30-B0E9-F5E949BBAE3F}_PENTIUM4_Brian.job
2003-09-29 10:25:20 390 --a------ C:\WINNT\Tasks\{59F5F76B-27C1-4B80-8ED5-1517B1F6A84F}_PENTIUM4_Brian.job
2003-08-22 13:36:20 390 --a------ C:\WINNT\Tasks\{FA426FDA-4D3E-4184-9D8D-0FBF9E3F058C}_PENTIUM4_Brian.job
2003-08-22 13:36:20 390 --a------ C:\WINNT\Tasks\{F826C570-7D68-4288-9C65-54D7FB3055B2}_PENTIUM4_Brian.job
2003-08-22 13:36:20 390 --a------ C:\WINNT\Tasks\{BCAA8661-60D9-49B1-8EEC-667B6E57DC1B}_PENTIUM4_Brian.job

-- Files created between 2007-08-12 and 2007-09-12 -----------------------------

2007-09-11 13:11:47 0 d-------- C:\Documents and Settings\brian.PENTIUM4\DoctorWeb
2007-09-11 08:14:56 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3fc.dat
2007-09-11 08:14:39 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_718.dat
2007-09-11 08:11:29 16384 --a-----t C:\WINNT\system32\Perflib_Perfdata_3b4.dat
2007-09-10 23:09:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3d0.dat
2007-09-10 21:44:29 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3b0.dat
2007-09-10 16:47:39 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3a0.dat
2007-09-10 16:45:12 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_548.dat
2007-09-10 16:25:23 0 d-------- C:\Documents and Settings\brian.PENTIUM4\Application Data\Grisoft
2007-09-07 14:46:04 0 d-------- C:\FOUND.029
2007-09-05 15:00:06 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_8f8.dat
2007-09-04 07:59:24 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3e8.dat
2007-09-04 07:54:11 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_39c.dat
2007-09-03 14:49:13 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3ac.dat
2007-08-26 18:32:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_37c.dat
2007-08-25 09:04:10 0 d-------- C:\WINNT\system32\ActiveScan
2007-08-25 00:23:57 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-08-25 00:23:47 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-08-25 00:23:47 0 d-------- C:\Documents and Settings\brian.PENTIUM4\Application Data\SUPERAntiSpyware.com
2007-08-24 10:55:08 8 --a------ C:\WINNT\sess_422014349b4ed3f9b3ddc055240759fc
2007-08-24 10:20:56 8 --a------ C:\WINNT\sess_68ec20e8c236b94855fc81b9a8681319
2007-08-23 22:09:41 8 --a------ C:\WINNT\sess_106e7e0b9408be5e15b4d5b16f7bc75d
2007-08-23 13:33:20 8 --a------ C:\WINNT\sess_a417cd28f768ebe812ff9b17681ece2d
2007-08-23 09:07:35 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3bc.dat
2007-08-22 12:44:37 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_370.dat
2007-08-22 00:36:19 8 --a------ C:\WINNT\sess_f43b7eca6df2fa07a2483272683f60e9
2007-08-21 22:52:58 8 --a------ C:\WINNT\sess_5699f5371f2f1bead1455c65d0b13deb
2007-08-21 13:50:13 0 d-------- C:\Program Files\Instant Niche Site Builder
2007-08-18 09:12:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3a8.dat
2007-08-17 16:26:49 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_38c.dat
2007-08-17 11:20:44 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_374.dat
2007-08-15 20:50:16 0 d-------- C:\Program Files\Common Files\Skype
2007-08-13 13:29:45 8 --a------ C:\WINNT\sess_31c2c95a845c1bbb89caea1b88658f30

-- Find3M Report ---------------------------------------------------------------

2007-09-11 19:19:06 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2007-08-15 09:24:04 926950 ---h----- C:\WINNT\ShellIconCache
2007-08-01 23:54:08 8 --a------ C:\WINNT\sess_d8bf9b9d124d117e4564aad1152a31a0
2007-07-28 00:12:34 8 --a------ C:\WINNT\sess_dbdcf7ceef86718807ee494a9fe02060
2007-07-25 13:45:24 8 --a------ C:\WINNT\sess_0ba0e0e5412a06a30f3bde43024cf90f
2007-07-15 09:16:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_384.dat
2007-07-15 00:23:14 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_36c.dat
2007-07-03 12:07:32 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_390.dat
2007-06-27 17:29:24 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3c4.dat
2007-06-26 09:49:50 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_380.dat
2007-06-25 13:00:40 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3c0.dat
2007-06-23 18:52:48 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_368.dat
2007-06-23 18:39:52 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_3b8.dat
2007-06-23 17:52:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2b4.dat
2007-06-23 17:49:16 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4a8.dat
2007-06-23 17:36:12 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4bc.dat
2007-06-23 17:24:56 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_32c.dat
2007-06-23 17:04:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4c0.dat
2007-06-23 17:01:52 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_324.dat
2007-06-23 16:55:58 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2e0.dat
2007-06-23 16:52:06 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2cc.dat
2007-06-23 16:50:20 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2007-06-23 16:48:32 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2d8.dat
2007-06-23 16:20:30 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2bc.dat
2007-06-23 15:42:56 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2d4.dat
2007-06-23 15:39:28 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_200.dat
2007-06-23 14:50:32 512 --a------ C:\ScanSectorLog.dat
2007-06-21 21:33:38 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_308.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [07/12/99 12:00p C:\WINNT\system32\mobsync.exe]
"Matrox Powerdesk"="C:\WINNT\System32\PDesk\PDesk.exe" [14/02/02 02:22p]
"SoundMan"="soundman.exe" [29/05/01 07:02p C:\WINNT\soundman.exe]
"LoadQM"="loadqm.exe" [03/05/00 05:23p C:\WINNT\loadqm.exe]
"POINTER"="point32.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [09/11/06 03:07p]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [19/09/04 05:24p]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/01 10:50a]
"NWEReboot"="" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/05 11:46p]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [17/08/07 09:42a]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/06/06 04:24p]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [14/01/04 11:10a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [12/09/06 06:33p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/03/07 12:02a]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/07 07:25p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Evidence Eliminator"="C:\Program Files\Evidence Eliminator\ee.exe" [28/11/03 03:01p]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [19/08/05 07:34p]
"MSMSGS"="C:\Program Files\MSN Messenger\msnmsgr.exe" [14/06/05 10:05a]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [14/06/05 10:05a]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [23/04/03 08:43a]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [06/08/07 12:43p]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [31/05/05 01:04a]
"ctfmon.exe"="ctfmon.exe" [20/02/01 01:09p C:\WINNT\system32\CTFMON.EXE]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles/fjfe8quz.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb. sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sy s]
@="Driver"

-- End of Deckard's System Scanner: finished at 2007-09-12 08:13:18 ------------

morpheus63 · 11-Sep-2007, 11:49 PM #7

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 3.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 1.80GHz
Percentage of Memory in Use: 91%
Physical Memory (total/avail): 511.48 MiB / 44.64 MiB
Pagefile Memory (total/avail): 1245.95 MiB / 663.13 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1983.34 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 37.26 GiB total, 15.26 GiB free.
D: is Fixed (FAT32) - 37.26 GiB total, 0.81 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-32CAA0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 37.27 GiB - C:

\\.\PHYSICALDRIVE1 - WDC WD400BB-32CLB0 - 37.27 GiB - 1 partition
\PARTITION0 - Unknown - 37.27 GiB - D:

-- Security Center -------------------------------------------------------------

AUOptions is disabled.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\brian.PENTIUM4\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PENTIUM4
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\brian.PENTIUM4
LOGONSERVER=\\PENTIUM4
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;;;;;"C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\BRIAN~1.PEN\LOCALS~1\Temp
TMP=C:\DOCUME~1\BRIAN~1.PEN\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=PENTIUM4
USERNAME=Brian
USERPROFILE=C:\Documents and Settings\brian.PENTIUM4
windir=C:\WINNT

-- User Profiles ---------------------------------------------------------------

brian (new local)
brian.PENTIUM4 (admin)
Eagles (new local)
Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
--> C:\WINNT\UNNeroVision.exe /UNINSTALL
--> C:\WINNT\UNNMP.exe /UNINSTALL
--> MsiExec.exe /X{E9F81423-211E-46B6-9AE0-38568BC5CF6F}
3D Studio MAX R3 --> C:\WINNT\uninst.exe -fC:\3DSMAX3\DeIsL2.isu
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~2\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~2\INSTALL.LOG
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Acrobat Reader for Pocket PC 1.0 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Microsoft ActiveSync\Adobe\Uninst.isu" -c"C:\Program Files\Adobe\Acrobat Reader for Pocket PC\UnInstall.dll"
Adobe Flash Player 9 ActiveX --> C:\WINNT\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Photoshop 7.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 7.0.5 Language Support --> MsiExec.exe /I{AC76BA86-7AD7-5464-3428-7050000000A7}
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Atomic Clock Sync --> C:\PROGRA~1\ATOMIC~1\UNWISE.EXE C:\PROGRA~1\ATOMIC~1\INSTALL.LOG
AutoPilotRiches Companion --> MsiExec.exe /X{B824C1E6-29C6-4B9E-9B65-7548A011061D}
Avance AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Canon iP5200 --> C:\WINNT\system32\CNMCP79.exe "-PRINTERNAMECanon iP5200" "-HELPERDLLC:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINNT\Canon iP5200 Installer\Inst2\cnmis.dll" "-RCDLLcnmi0409.dll"
Canon PhotoRecord --> MsiExec.exe /X{BBBC2B89-E193-4348-A83C-C8DD8210A4AC}
Canon Setup Utility 2.0 --> "C:\Program Files\Canon\Canon Setup Utility 2.0\Maint.exe" /Uninstall C:\Program Files\Canon\Canon Setup Utility 2.0\uninst.ini
Canon Utilities Easy-PhotoPrint --> C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
Canon Utilities Easy-PrintToolBox --> C:\WINNT\BJPSUNST.EXE
CD-LabelPrint --> "C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
DivX Codec --> C:\WINNT\unvise32.exe C:\Program Files\DivX\DivX Codec\uninstal.log
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
Dynacrypt 5 --> MsiExec.exe /I{753E0BF0-C4F1-11D4-A3B0-0008C7794879}
Easy-WebPrint --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
eFax Messenger Plus --> C:\PROGRA~1\EFAXME~1\UNINST.EXE
EPSON SMART PANEL for Scanner --> C:\WINNT\uninst.exe -f"C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\DeIsL1.isu"
Evidence Eliminator --> C:\PROGRA~1\EVIDEN~1\UNWISE.EXE C:\PROGRA~1\EVIDEN~1\INSTALL.LOG
Good Keywords v2.01.120706 --> "C:\Program Files\Softnik Technologies\Good Keywords v2.01\unins000.exe"
GoToMeeting/GoToWebinar 3.0.0.190 --> C:\Program Files\Citrix\GoToMeeting\190\G2MUninstall.exe /uninstall
GPL Ghostscript 8.50 --> c:\gs\uninstgs.exe "c:\gs\gs8.50\uninstal.txt"
GPL Ghostscript Fonts --> c:\gs\uninstgs.exe "c:\gs\fonts\uninstal.txt"
Hexagon Version 6.32 --> C:\WINNT\IsUninst.exe -fC:\HEX0632\Uninst.isu -cC:\HEX0632\PGM\UNINST.DLL
HijackThis 1.99.1 --> D:\Setup Software\hijackthis\HijackThis.exe /uninstall
HotTopicMediaQuizzMaker 1.08 --> "c:\HotTopicMediaQuizzMaker\unins000.exe"
InterActual Player --> C:\Program Files\InterActual\InterActual Player\inuninst.exe
InterVideo WinDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C1939820-A945-11D4-86F6-0001031E5712}\setup.exe" REMOVEALL
iPresentation Mobile Client --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57902BBA-4E6B-4655-9130-D8D627AF298F}\Setup.exe" -l0x9
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150020}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142000}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}
Java(TM) SE Runtime Environment 6 Update 1 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LeechFTP --> C:\WINNT\eraser.exe KILL "C:\Program Files\LeechFTP\uninstall.uif"
Lemmings for Windows 95 --> C:\Program Files\WinLemm\wlvsun10.exe uninstall
Macromedia Shockwave Player --> C:\WINNT\system32\MACROMED\SHOCKW~2\UNWISE.EXE C:\WINNT\system32\MACROMED\SHOCKW~2\Install.log
Manx TT SuperBike --> C:\WINNT\uninst.exe -fC:\Sega\ManxTT\DeIsL1.isu
Matrox Graphics Software (remove only) --> C:\WINNT\System32\PDesk\PDUninst.exe
Microsoft .NET Framework 2.0 --> C:\WINNT\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft ActiveSync 3.7 --> "C:\WINNT\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Data Access Components KB870669 --> C:\WINNT\muninst.exe C:\WINNT\INF\KB870669.inf
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft Office FrontPage 2003 --> MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office XP Media Content --> MsiExec.exe /I{90300409-6000-11D3-8CFE-0050048383C9}
Microsoft Publisher 2002 --> MsiExec.exe /I{90190409-6000-11D3-8CFE-0050048383C9}
Mozilla Firefox (2.0.0.2) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.4) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Firefox (2.0.0.6) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600816}
MSN Messenger Update for Windows Mobile 2003 based Pocket PCs --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{CF56B6FC-F26B-4493-802B-2E5EA74DC775}
Nero Suite --> C:\Program Files\Common Files\Ahead\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
OLYMPUS CAMEDIA Master 4.2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.2
Package:GLOBAL ONE CHARTS --> C:\Program Files\GLOBAL ONE CHARTS\Uninst.exe
Panda ActiveScan --> C:\WINNT\system32\ASUninst.exe Panda ActiveScan
PrintKey2000 --> C:\PROGRA~1\PRINTK~1\UNWISE.EXE C:\PROGRA~1\PRINTK~1\INSTALL.LOG
Qlock 1.44 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\pdaBusiness\Qlock\Uninst.isu"
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Registry Mechanic --> "C:\Program Files\Registry Mechanic\unins000.exe"
Resource Center V1.3 --> MsiExec.exe /X{9C8EE3B8-30A0-49BB-A6ED-DF88200A17BA}
Sentinel System Driver --> C:\WINNT\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Shockwave --> C:\WINNT\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\MACROMED\SHOCKW~1\Install.log
Skype™ 3.5 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
Skype™ for Pocket PC 2.0 --> "C:\Program Files\Microsoft ActiveSync\Skype for Pocket PC\unins000.exe"
SmartFTP Client --> MsiExec.exe /I{C169D3BB-9A27-43F5-9979-09A0D65FE95C}
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Squeeze Page Generator --> C:\PROGRA~1\SQUEEZ~1\UNWISE.EXE C:\PROGRA~1\SQUEEZ~1\INSTALL.LOG
Toolbar Software --> "C:\Program Files\IETB\unins000.exe"
Turbo Lister 2 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{69640730-B830-4C24-BB5C-222DA1260548}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
xp-AntiSpy (nur entfernen) --> "C:\Program Files\xp-AntiSpy\uninstall.exe"
Yahoo! extras --> C:\PROGRA~1\YAHOO!\COMMON\unyext.exe
Yahoo! Messenger --> C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type8203 / Warning
Event Submitted/Written: 09/11/2007 08:12:40 AM
Event ID/Source: 61 / WinMgmt
Event Description:
WMI ADAP was unable to process the RemoteAccess performance library due to a time violation in the open function

Event Record #/Type8199 / Error
Event Submitted/Written: 09/11/2007 00:22:38 AM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL Access is denied. , Build number ((2195)).

Event Record #/Type8198 / Warning
Event Submitted/Written: 09/10/2007 11:36:20 PM
Event ID/Source: 61 / WinMgmt
Event Description:
WMI ADAP was unable to process the RemoteAccess performance library due to a time violation in the open function

Event Record #/Type8194 / Error
Event Submitted/Written: 09/10/2007 11:32:30 PM
Event ID/Source: 1000 / Userenv
Event Description:
Windows cannot unload your registry class file. If you have a roaming profile, your settings are not replicated. Contact your administrator.

DETAIL Access is denied. , Build number ((2195)).

Event Record #/Type8193 / Warning
Event Submitted/Written: 09/10/2007 11:10:26 PM
Event ID/Source: 61 / WinMgmt
Event Description:
WMI ADAP was unable to process the RemoteAccess performance library due to a time violation in the open function

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type8898 / Error
Event Submitted/Written: 09/11/2007 01:37:35 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.6 for the Network Card with network address 0010B50FAA43 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type8896 / Error
Event Submitted/Written: 09/11/2007 01:16:26 PM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.3 for the Network Card with network address 0010B50FAA43 has been
denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).

Event Record #/Type8892 / Warning
Event Submitted/Written: 09/11/2007 08:16:08 AM
Event ID/Source: 2013 / Srv
Event Description:
The D: disk is at or near capacity. You may need to delete some files.

Event Record #/Type8891 / Error
Event Submitted/Written: 09/11/2007 08:13:29 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The Windows Firewall/Internet Connection Sharing (ICS) service hung on starting.

Event Record #/Type8884 / Warning
Event Submitted/Written: 09/10/2007 11:39:38 PM
Event ID/Source: 2013 / Srv
Event Description:
The D: disk is at or near capacity. You may need to delete some files.

-- End of Deckard's System Scanner: finished at 2007-09-12 08:13:18 ------------

Kenny94 · 12-Sep-2007, 07:45 AM #8

Hi morpheus63

As of now I'm getting something verify, but for now please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Ugrading Java:

Download the latest version of Java Runtime Environment (JRE) 6.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

No need to post a HijackThis log or a reply. I'll be back shortly..

Kenny94 · 12-Sep-2007, 01:57 PM #9

Posted Activescan for easy viewing

Incident Status Location

Spyware:spyware/betterinet Not disinfected c:\winnt\inf\BIINI.INF
Adware:adware/ncase Not disinfected c:\winnt\DIDDUID.INI
Adware:adware/cws.searchmeup Not disinfected c:\winnt\TOOLBAR.EXE
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/DNSErr Not disinfected C:\WINNT\DNSE.DLL
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.bs.serving-sys.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.clickbank.net/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.adrevolver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.realmedia.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[www.myaffiliateprogram.com/]
Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\Setup Software\ComboFix\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/BrilliantDigital Not disinfected D:\Old P3 15_01_2003\My Installations\BDCORE.DLL
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Inbox\Christmas List
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Inbox\Advice
Hacktool:Exploit/iFrame Not disinfected Personal Folders\Inbox\RE: Members Training Members

Your logs look good and you did removed the bad files/emails above. And there's no hacking tools (activescan calls it this) or malware. How your computer running now?

morpheus63 · 13-Sep-2007, 05:08 AM **#10**

Hi Kenny94,

I've completed the update for Java Runtime. All seems okay.

The system also seems to be running okay however I'm concerned about the following spyware located by activescan.

Quote:

Spyware:spyware/betterinet Not disinfected c:\winnt\inf\BIINI.INF
Adware:adware/ncase Not disinfected c:\winnt\DIDDUID.INI
Adware:adware/cws.searchmeup Not disinfected c:\winnt\TOOLBAR.EXE
Adware:adware/searchexe Not disinfected Windows Registry
Adware:Adware/DNSErr Not disinfected C:\WINNT\DNSE.DLL

Can you explain why these are unable to be disinfected?

I've removed the potentially harmful emails and most of the other items picked up by activescan are only cookies, but my main concern is the DLL, EXE, INF and INI file extensions as highlighted above.

Thanks again.

Kind Regards,
Brian

Kenny94 · 05:45 AM

Hi morpheus63

Quote:

Can you explain why these are unable to be disinfected?

Activescan will not remove some or most items these days. And Activescan has shown false positives.. It manly shows us files and so forth.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

You will need to enable hidden files and folders by doing the following:
Windows XP

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files (if present):

c:\winnt\inf\BIINI.INF
c:\winnt\DIDDUID.INI
c:\winnt\TOOLBAR.EXE
C:\WINNT\DNSE.DLL

Reboot back to normal windows.

morpheus63 · 15-Sep-2007, 01:11 AM **#12**

Hi Kenny94,

I've deleted the items as suggested but I did not delete c:\winnt\TOOLBAR.EXE because this may be a tool bar that I've installed on IE. Can you please confirm that this is the case?

However I'm unsure about this file: Adware:adware/searchexe - the Panda online scanner claims its in the windows registry. Can you explain what this does?

I've included a copy of the current Panda online scan below for your perusal.

Kind Regards,
Brian

Incident Status Location

Adware:adware/cws.searchmeup Not disinfected c:\winnt\TOOLBAR.EXE
Adware:adware/searchexe Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[ad.yieldmanager.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[www.errorsafe.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.errorsafe.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.casalemedia.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.888.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.clickbank.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\brian.PENTIUM4\Application Data\Mozilla\Firefox\Profiles\fjfe8quz.default\COOKIES.TXT[.com.com/]
Spyware:Spyware/BetterInet Not disinfected C:\Recycled\Dc8.inf
Adware:Adware/DNSErr Not disinfected C:\Recycled\Dc10.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected D:\Setup Software\ComboFix\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/BrilliantDigital Not disinfected D:\Old P3 15_01_2003\My Installations\BDCORE.DLL

Kenny94 · 15-Sep-2007, 05:31 AM **#13**

Hi morpheus63

Quote:

I've deleted the items as suggested but I did not delete c:\winnt\TOOLBAR.EXE because this may be a tool bar that I've installed on IE. Can you please confirm that this is the case?

you should remove it:

http://www.pandasecurity.com/homeuse...?idvirus=57329

Quote:

However I'm unsure about this file: Adware:adware/searchexe - the Panda online scanner claims its in the windows registry. Can you explain what this does?

Again it's the same variant
http://research.sunbelt-software.com...threatid=10900

I really DO NOT like to run two scanners, as we did with AVG, but in your case I feel we should.

Please download SUPERAntiSpyware Home Edition (free version)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantining.
- Please leave the others unchecked.
- Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
- After reboot, double-click the SUPERAntispyware icon on your desktop.
- Click Preferences. Click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- It will open in your default text editor (such as Notepad/Wordpad).
- Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.
Save the log information. And paste this info along with your HijackThis log.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Hacktool:Exploit/iFrame

Find the solution to your computer problem!

Find the solution to your
computer problem!