1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan.Vundo Infection - Need help removing

Discussion in 'Virus & Other Malware Removal' started by MelB, Feb 7, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. MelB

    MelB Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    7
    SAV 10.1.5 with def from 2/4/2007 detects Trojan.Vundo and says it has either Cleaned by deletion or Reboot Processing/Reboot Required - Cleaned by deletion. Once system has been rebooted and reconnected to network, Trojan.Vundo reappears.

    Other infections detected include Tojan.Adclicker, Infostealer, Doubleclick, Downloader and Backdoor.Trojan.

    I've run Lavasoft's VX2 cleaner plugin and Symantec's Vundo removal tool niether of which detected Vundo in Safe mode or regular XP load. (Safe Mode does not completely load. Have to start task manager then launch the tool by starting a new process.)

    I picked through the registry trying to locate the entries to be removed indicated by Symantec's Vundo removal instructions, could not find any of the entries.

    Rtvscan does not detect the infection until system is rebooted and connected to the network. Problem resides in exeplorer.exe and winlogon.exe but I haven't been able to resolve.

    Windows XP SP2, IE 6.0 SP2, SAV 10.1.5, Windows Firewall and Internet Connection Sharing disabled, ZoneAlarms Integrity Agent running.

    Thanks in advance for your help!

    Melissa
     
  2. sometimes_y

    sometimes_y

    Joined:
    Feb 8, 2007
    Messages:
    3
    I am having the same problem, except Norton Antivirus keeps telling me I have the Trojan.Vundo but it will not delete it and neither will the removal tool I downloaded from them to remove it.
    The location of the file is in C:\Windows\inf\abkmxl.dll but when I run the removal tool it says that no file has been found. I have to disable Norton Antivirus to even be able to use my computer because if I don't, the "Virus Alert" message repeatedly pops up and I can't access anything except that message. I have no idea what to do!
    i just figured I'd post my problem in this thread too so there wouldn't be two threads with the same problem. Any help from anyone would be great. Thanks!
     
  3. 1002richards

    1002richards Retired Trusted Advisor

    Joined:
    Jan 29, 2006
    Messages:
    5,333
    sometimes_y,
    please use the "warning triangle" above post no. and ask the moderators to move your post to a seperate thread. The reason being is that it's really difficult for someone to advise two people at once in one thread. 'Cos although the probs look similar - there will be lots of info going back and forth. Hope you are OK with this?
    -----------------------------------------------------------------------------------------------------------

    MelB,
    Hi,
    I think you need to post a HJT (HijackThis) log and let a qualified member (gold shield next to their name) take you through what needs to be done. I suggest you print off this guide, just in case ....
    Please go no further than the stages listed here for now.


    Using Hijackthis with the self-installer that puts it into Program Files for you:

    go to Click here to download HJTsetup.exe


    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Once you've posted that log here you'll need to wait for a qualified member to take you through the next stages.

    Richard.
     
  4. MelB

    MelB Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    7
    Logfile of HijackThis v1.99.1
    Scan saved at 7:09:26 PM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    D:\Program Files\Oracle\ODrive\ODrive.exe
    D:\Program Files\Interwise\Student\pull.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.oracle.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com; ashah-us.us.oracle.com; ;<local>
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [Oracle RTC Messenger] C:\Program Files\Oracle\Messenger\OracleMessenger.exe -hidden
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Oracle Drive.lnk = ?
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Push Client.LNK = D:\Program Files\Interwise\Student\pull.exe
    O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com
    O15 - Trusted Zone: ashah-us.us.oracle.com
    O15 - Trusted Zone: ats-passport.us.oracle.com
    O15 - Trusted Zone: *.oracle.com
    O15 - Trusted Zone: *.oracleads.com
    O15 - Trusted Zone: *.oraclecorp.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6B39F20-83E5-480C-A7F8-3BB5199E0C65}: NameServer = 144.20.190.70,138.2.202.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - D:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Mediabee (MBXmlRpc) - Mediabee - C:\Program Files\Mediabee\src\py\dist\MediabeeService.exe
    O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - D:\oracle\product\10.1.3.1\OracleAS\Mobile\Sdk\BIN\olsv2040.exe
    O23 - Service: Oracle BAM Active Data Cache - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMActiveDataCache.exe
    O23 - Service: Oracle BAM Event Engine - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMEventEngine.exe
    O23 - Service: Oracle BAM Plan Monitor - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMPlanMonitor.exe
    O23 - Service: Oracle BAM Report Cache - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMReportCache.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracle\product\10.2.0\db_orcl\bin\nmesrvc.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Oracle\product\10.1.0\Client\bin\omtsreco.exe
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracle\product\10.2.0\db_orcl\bin\isqlplussvc.exe
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracle\product\10.2.0\db_orcl\bin\ORACLE.EXE
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Oracle BAM Data Flow Service (SADCSVC) - Group 1 Software, Inc. - D:\ORACLE~3\ENTERP~1\Sadcsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
     
  5. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    PLease navigate to C:\Program Files\Hijackthis folder, rename Hijackthis.exe to fixvundo and press enter. Post a fresh Hijackthis log. Thank.s
     
  6. MelB

    MelB Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    7
    Logfile of HijackThis v1.99.1
    Scan saved at 7:40:45 PM, on 2/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    C:\Program Files\Apoint\Apntex.exe
    D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Oracle\Messenger\OracleMessenger.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    D:\Program Files\Oracle\ODrive\ODrive.exe
    D:\Program Files\Interwise\Student\pull.exe
    C:\Program Files\Hijackthis\vixvundo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.oracle.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    http://www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

    *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.co

    m;*.oracleportal.com; ashah-us.us.oracle.com; ;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

    Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {36E747F7-9BC2-4927-9CE2-470096DFA9B9} - C:\WINDOWS\system32\pmkhi.dll
    O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - D:\Program

    Files\Oracle\ODrive\ODriveHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity

    Client\iclient.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef

    /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel

    PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5

    \DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share

    -to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook

    Connector\profilerepair.exe" -msi
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [Oracle RTC Messenger] C:\Program

    Files\Oracle\Messenger\OracleMessenger.exe -hidden
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft

    ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN

    Client\vpngui.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak EasyShare

    software\bin\EasyShare.exe
    O4 - Global Startup: Oracle Drive.lnk = ?
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Push Client.LNK = D:\Program Files\Interwise\Student\pull.exe
    O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006

    \spy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

    Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} -

    C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-

    8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} -

    C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program

    Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-

    00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program

    Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -

    C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2

    \OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

    Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1

    \AWS\WEATHE~1\Weather.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com
    O15 - Trusted Zone: ashah-us.us.oracle.com
    O15 - Trusted Zone: ats-passport.us.oracle.com
    O15 - Trusted Zone: *.oracle.com
    O15 - Trusted Zone: *.oracleads.com
    O15 - Trusted Zone: *.oraclecorp.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6B39F20-83E5-480C-A7F8-3BB5199E0C65}: NameServer =

    144.20.190.70,138.2.202.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common

    Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1

    \msgrapp.dll" (file missing)
    O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - D:\PROGRA~1\QUESTS~1

    \TOADFO~1\RNetPin.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: pmkhi - C:\WINDOWS\system32\pmkhi.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32

    \WPDShServiceObj.dll
    O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner

    - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown

    owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program

    Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

    Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

    Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program

    Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation -

    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

    Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program

    Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company -

    C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1

    \LUCOMS~2.EXE
    O23 - Service: Mediabee (MBXmlRpc) - Mediabee - C:\Program

    Files\Mediabee\src\py\dist\MediabeeService.exe
    O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation -

    C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation

    - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation -

    D:\oracle\product\10.1.3.1\OracleAS\Mobile\Sdk\BIN\olsv2040.exe
    O23 - Service: Oracle BAM Active Data Cache - Oracle Corporation -

    D:\OracleBAM\BAM\OracleBAMActiveDataCache.exe
    O23 - Service: Oracle BAM Event Engine - Oracle Corporation -

    D:\OracleBAM\BAM\OracleBAMEventEngine.exe
    O23 - Service: Oracle BAM Plan Monitor - Oracle Corporation -

    D:\OracleBAM\BAM\OracleBAMPlanMonitor.exe
    O23 - Service: Oracle BAM Report Cache - Oracle Corporation -

    D:\OracleBAM\BAM\OracleBAMReportCache.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracle\product\10.2.0

    \db_orcl\bin\nmesrvc.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Oracle\product\10.1.0

    \Client\bin\omtsreco.exe
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracle\product\10.2.0

    \db_orcl\bin\isqlplussvc.exe
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracle\product\10.2.0

    \db_orcl\bin\ORACLE.EXE
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program

    Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle -

    C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program

    Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Oracle BAM Data Flow Service (SADCSVC) - Group 1 Software, Inc. -

    D:\ORACLE~3\ENTERP~1\Sadcsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec

    AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common

    Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec

    AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

    Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program

    Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32

    \vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32

    \ZONELABS\vsmon.exe
     
  7. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Please download
    VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files,
      click YES
    • Once you click yes, your desktop will go blank as it starts removing
      Vundo.
    • When completed, it will prompt that it will shutdown your computer,
      click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt and a new
      HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not
    remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the Scan for

    Vundo
    button." when VundoFix appears at reboot.
     
  8. MelB

    MelB Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    7
    VundoFix.txt
    VundoFix V6.3.16

    Checking Java version...

    Java version is 1.4.2.5
    Old versions of java are exploitable and should be removed.

    Scan started at 2:09:15 PM 3/16/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\ihkmp.bak1
    C:\WINDOWS\system32\ihkmp.bak2
    C:\WINDOWS\system32\ihkmp.ini
    C:\WINDOWS\system32\ihkmp.ini2
    C:\WINDOWS\system32\ihkmp.tmp
    C:\WINDOWS\system32\pmkhi.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
    C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihkmp.bak2
    C:\WINDOWS\system32\ihkmp.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihkmp.ini
    C:\WINDOWS\system32\ihkmp.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihkmp.ini2
    C:\WINDOWS\system32\ihkmp.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ihkmp.tmp
    C:\WINDOWS\system32\ihkmp.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkhi.dll
    C:\WINDOWS\system32\pmkhi.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    HighJackThis.log
    Logfile of HijackThis v1.99.1
    Scan saved at 2:48:21 PM, on 3/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Zone Labs\Integrity Client\iclient.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
    C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    C:\Program Files\Apoint\Apntex.exe
    D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Oracle\Messenger\OracleMessenger.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Kodak EasyShare software\bin\EasyShare.exe
    D:\Program Files\Oracle\ODrive\ODrive.exe
    D:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    D:\Program Files\Interwise\Student\pull.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijackthis\vixvundo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.oracle.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-proxy.us.oracle.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.oracle.com;*.oracleads.com;*.us.oracle.com;*.uk.oracle.com;*.ca.oracle.com;*.oraclecorp.com;*.oracleportal.com; ashah-us.us.oracle.com; ;<local>
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Oracle Drive Helper Object - {5D33B3E0-4FB3-4ED1-9106-B6EB06A3B7C2} - D:\Program Files\Oracle\ODrive\ODriveHelper.dll
    O2 - BHO: (no name) - {CEFD1CB1-9B96-46C0-A812-A450BD2AA57A} - C:\WINDOWS\system32\pmkhi.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [TweakAutomaticUpdates] C:\WINDOWS\orclobi\gdswsuspatch_soon.exe /s
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /OfficeXPHack
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
    O4 - HKLM\..\Run: [ntpgds] C:\WINDOWS\orclobi\synctime.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
    O4 - HKLM\..\Run: [AutoProfileRepair] "C:\Program Files\Oracle\Outlook Connector\profilerepair.exe" -msi
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKCU\..\Run: [Oracle RTC Messenger] C:\Program Files\Oracle\Messenger\OracleMessenger.exe -hidden
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Oracle Drive.lnk = ?
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Push Client.LNK = D:\Program Files\Interwise\Student\pull.exe
    O8 - Extra context menu item: Edit with Altova X&MLSpy - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
    O9 - Extra button: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra 'Tools' menuitem: Edit with Altova X&MLSpy - {2222EF56-F49E-4d07-A14E-8D2B08766958} - C:\Program Files\Altova\XMLSpy2006\spy.htm
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://my.oracle.com
    O15 - Trusted Zone: ashah-us.us.oracle.com
    O15 - Trusted Zone: ats-passport.us.oracle.com
    O15 - Trusted Zone: *.oracle.com
    O15 - Trusted Zone: *.oracleads.com
    O15 - Trusted Zone: *.oraclecorp.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\Software\..\Telephony: DomainName = us.oracle.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F6B39F20-83E5-480C-A7F8-3BB5199E0C65}: NameServer = 144.20.190.70,138.2.202.15
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.oracle.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.oracle.com
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - D:\PROGRA~1\QUESTS~1\TOADFO~1\RNetPin.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Array SSL VPN Service 3,2,2,33 (ArraySSL_VPN_Service3,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Array SSL VPN\3,2,2,33\arr_srvs3,2,2,33.exe
    O23 - Service: Array Utility Service 4,2,2,33 (Array_Utility_Service4,2,2,33) - Unknown owner - C:\Program Files\Array Networks\Common\4,2,2,33\arr_isrv4,2,2,33.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
    O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~2.EXE
    O23 - Service: Mediabee (MBXmlRpc) - Mediabee - C:\Program Files\Mediabee\src\py\dist\MediabeeService.exe
    O23 - Service: MyDesktopService (MyDesktopWindows) - Oracle Corporation - C:\WINDOWS\orclobi\MyDesktop\MyDesktopService.exe
    O23 - Service: Oracle Connector Automatic Updates Service (ocautoupds) - Oracle Corporation - C:\Program Files\Oracle\Outlook Connector\ocautoupds.exe
    O23 - Service: Oracle Lite Multiuser Service (OliteService) - Oracle Corporation - D:\oracle\product\10.1.3.1\OracleAS\Mobile\Sdk\BIN\olsv2040.exe
    O23 - Service: Oracle BAM Active Data Cache - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMActiveDataCache.exe
    O23 - Service: Oracle BAM Event Engine - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMEventEngine.exe
    O23 - Service: Oracle BAM Plan Monitor - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMPlanMonitor.exe
    O23 - Service: Oracle BAM Report Cache - Oracle Corporation - D:\OracleBAM\BAM\OracleBAMReportCache.exe
    O23 - Service: OracleDBConsoleorcl - Oracle Corporation - D:\oracle\product\10.2.0\db_orcl\bin\nmesrvc.exe
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - D:\Oracle\product\10.1.0\Client\bin\omtsreco.exe
    O23 - Service: OracleOraDb10g_home1iSQL*Plus - Oracle - D:\oracle\product\10.2.0\db_orcl\bin\isqlplussvc.exe
    O23 - Service: OracleServiceORCL - Oracle Corporation - d:\oracle\product\10.2.0\db_orcl\bin\ORACLE.EXE
    O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
    O23 - Service: QOS MyDesktop (QOSMyDesktop) - Oracle - C:\WINDOWS\orclobi\MyDesktop\MyDesktopQOS.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: Oracle BAM Data Flow Service (SADCSVC) - Group 1 Software, Inc. - D:\ORACLE~3\ENTERP~1\Sadcsvc.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe



    Thanks a million!!

    MelB
     
  9. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Just want to make sure everything is gone

    Download Combofix and save it to your desktop.
    http://download.bleepingcomputer.com/sUBs/ComboFix.exe


    Note: It is important that it is saved directly to your desktop

    Close any open browsers.

    Double click on combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.

    Post the ComboFix.txt in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  10. MelB

    MelB Thread Starter

    Joined:
    Feb 7, 2007
    Messages:
    7
    ComboFix.txt

    "ashah" - 07-03-20 16:59:59 Service Pack 2
    ComboFix 07-03-20.2 - Running from: "C:\Documents and Settings\ashah\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\DOWNLO~1\cnsload-3.0.3.406.dll
    C:\Program Files\install.log


    ((((((((((((((((((((((((((((((( Files Created from 2007-02-20 to 2007-03-20 ))))))))))))))))))))))))))))))))))


    2007-03-16 14:09 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-03-20 16:52 -------- d-------- C:\DOCUME~1\ashah\APPLIC~1\tsvncache
    2007-03-20 16:51 -------- d-------- C:\Program Files\symantec antivirus
    2007-02-06 15:48 -------- d-------- C:\Program Files\lavasoft
    2007-02-06 15:02 -------- d-------- C:\Program Files\symantec
    2007-02-06 15:01 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-02-02 14:29 -------- d-------- C:\Program Files\google
    2007-02-02 13:52 -------- d-------- C:\Program Files\nortel networks
    2007-02-01 20:43 -------- d-------- C:\DOCUME~1\ashah\APPLIC~1\oracle
    2007-02-01 14:25 -------- d-------- C:\Program Files\wildtangent
    2007-01-27 15:02 -------- d-------- C:\DOCUME~1\ashah\APPLIC~1\weatherbug


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Oracle RTC Messenger"="C:\\Program Files\\Oracle\\Messenger\\OracleMessenger.exe -hidden"
    "H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""
    "Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "CoolSwitch"="C:\\WINDOWS\\System32\\taskswitch.exe"
    "TweakAutomaticUpdates"="C:\\WINDOWS\\orclobi\\gdswsuspatch_soon.exe /s"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\Integrity Client\\iclient.exe\""
    "IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
    "MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
    "PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
    "PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /OfficeXPHack"
    "Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
    "Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
    @=""
    "IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
    "EOUApp"="C:\\Program Files\\Intel\\Wireless\\Bin\\EOUWiz.exe"
    "ntpgds"="C:\\WINDOWS\\orclobi\\synctime.exe"
    "AdaptecDirectCD"="\"D:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
    "ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
    "Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
    "HP Software Update"="D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "WatchDog"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_07\\bin\\jusched.exe"
    "AutoProfileRepair"="\"C:\\Program Files\\Oracle\\Outlook Connector\\profilerepair.exe\" -msi"
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller"="cmd.exe /C \"cscript %systemroot%\\Installer\\TSClientMsiTrans\\tscuinst.vbs\""
    "MPlayer2_FixUp"="C:\\WINDOWS\\inf\\unregmp2.exe /Fixups"
    "WMC_WMPDBExport"="C:\\Program Files\\Windows Media Player\\wmdbexport.exe"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
    "{C47B9ECE-41D4-4ECD-BDDA-E17D068D99C2}"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{133077a9-8aab-11db-b09e-005056c00008}]
    Shell\AutoRun\command E:\LaunchU3.exe -a

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{549024a0-6e93-11db-b06b-005056c00008}]
    Shell\AutoRun\command E:\JDSecure\Windows\JDSecure20.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{70564075-ee33-11da-af85-005056c00008}]
    shell\open\command %SystemRoot%\Explorer.exe /idlist,%I,%L


    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-03-20 17:04:37
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/542192

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice