Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

win32.backdoor.hupigon (serious)


  • Please log in to reply

#1
Reign

Reign

    Member

  • Member
  • PipPip
  • 46 posts
I got a bad malware infection that Ad-aware caught and removed but im pretty sure it re-instals itself cuz i restarted the computer and it came back (part of it).

I'd like help removing it permanently

heres the log, i dont know if it will have anything since i cleaned up with ad-aware before i used hijackthis
please advise.

Logfile of HijackThis v1.99.1
Scan saved at 3:00:11 PM, on 1/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [dmpus.exe] C:\WINDOWS\system32\dmpus.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZJ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB254FBA-3C0F-4F41-9814-3A9D0BA4EDD2}: NameServer = 85.255.116.104,85.255.112.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download Fixwareout.exe by LonnyRJones from one of these two locations, and save it to your Desktop:

http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

2) Download the trial version of AVG Anti-Spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating AVG Anti-Spyware: below.

* Please note that this program was formerly known as Ewido anti-spyware 4.0. Taken from the Ewido website:

ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:

Highly improved cleaning
Lower resource usage
Additional languages supported

All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.

Double click the avgas-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.
  • Updating AVG Anti-Spyware:

    By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either AVG A-S will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed AVG A-S, double click avgas-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close AVG A-S.

AVG A-S is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG A-S will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


3) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

Please Note: You will need to remain connected to the internet during this fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O4 - HKLM\..\Run: [dmpus.exe] C:\WINDOWS\system32\dmpus.exe

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Run HJT and click on Open the Misc Tools section.
Click on delete a file on reboot...
Copy and paste the following into the "File name:" text box and then click Open:

C:\WINDOWS\system32\dmpus.exe

When you are asked "Do you want to restart your computer now?", click OK.

Your PC MUST reboot fully to delete the file!

3) Double click Fixwareout.exe to start the Fixwareout Setup Wizard
  • Click Next > Install.
  • Ensure that the box to the left of Run fixit is checked.
  • Click on Finish.
  • Follow the prompts.
  • You will be asked to reboot your computer - please do so. Your system may take longer than usual to load - this is normal.
  • When your system reboots, follow the prompts.
Afterwards HijackThis should launch by itself - if it does not, start it manually.

Click on 'Do a system scan only' and place a checkmark in the boxes to the left of the following entries, by clicking on them:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB254FBA-3C0F-4F41-9814-3A9D0BA4EDD2}: NameServer = 85.255.116.104,85.255.112.229
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.104 85.255.112.229


CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

** If you have any problems running Fixwareout, try fixing the O17 lines with HJT and then rerun the fix. Make sure that you run HJT where indicated and ensure that the lines are gone before proceeding with the rest of the fix. **

4) Go to Start > Control Panel >Network Connections. Right click your default connection, usually Local Area Connection or Dial-up Connection if you are using dial-up, and left click on Properties.
* Make a note of the settings before you change them just in case you need to put them back how they were.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice.

5) Go to Start > Run, enter CMD and click OK.
  • At the Dos Prompt Screen, type in cd\ and then press <ENTER>.
  • Now type in ipconfig /flushdns and then press <ENTER>. (notice the space after ipconfig)
  • Close the command prompt window.
6) Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
7) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

8) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

9) Go to Start > Control Panel > Internet Options.

For I.E. 6 - under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

For I.E. 7 - under Browsing History, click delete...
Under Temporary Internet Files, click Delete files...

10) Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that AVG A-S has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When AVG A-S has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close AVG A-S.

11) Boot into Normal Mode.

Post a new HJT log, the Ewido log, the contents of the logfile C:\fixwareout\report.txt AND a description of how your PC is running.
Also, run HJT and click on Open the Misc Tools section.
  • Click Open Uninstall Manager...
  • Click Save list... and save it to your Desktop.
  • Copy and paste the file uninstall_list.txt into your next reply.


I've had to use the "quote" tags due to a forum software glitch which affects my posts - you shouldn't be affected by it, so please don't do the same.
  • 0

#3
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Thanks for the reply

The logs are at the bottom
*A few notes though:
-Since the first HJT log i posted a few things changed
-dmpus.exe was replaced by dmval.exe (so i just treated it like dmpus and continued with the instructions)
-one of the O17's at the time of cleaning wasnt there, in specific this one:
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229
-!!! BUT it's back now as i saw in the new HJT log
-My DNS thing was already set to automatic but i clicked ok anyway.

My computer seems normal, whats funny is that norton only noticed the dmval.exe virus when i opened AVG and couldn't delete it anyways (said it was a restricted file) but i tihnk it's gone now.

Logs:

Logfile of HijackThis v1.99.1
Scan saved at 6:43:11 PM, on 2/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZJ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:35:58 PM 2/13/2007

+ Scan result:



C:\Program Files\HQvideo -> Adware.HQvideo : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP287\A0025314.exe -> Downloader.Zlob.bjg : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP287\A0025315.exe -> Downloader.Zlob.bjg : Cleaned.
:mozilla.11:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.46:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.47:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.48:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.15:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.28:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.30:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.19:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.40:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.17:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.41:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.42:C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP279\A0024063.exe -> Trojan.DNSChanger.hk : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP279\A0024064.exe -> Trojan.DNSChanger.hk : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP279\A0024061.exe -> Trojan.DNSChanger.hm : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP279\A0024062.exe -> Trojan.DNSChanger.hm : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP279\A0024065.exe -> Trojan.DNSChanger.hm : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP250\A0018910.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP250\A0018942.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP251\A0019950.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP251\A0019964.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP252\A0019976.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP252\A0019987.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP253\A0020003.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP253\A0020023.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP254\A0020043.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP254\A0022045.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP255\A0022056.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP255\A0022093.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP256\A0022107.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP256\A0022125.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP256\A0022134.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP257\A0022160.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP257\A0022170.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP257\A0022179.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP258\A0022192.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP258\A0022210.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP258\A0022219.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP259\A0022232.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP259\A0022247.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP259\A0022256.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP260\A0022269.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP261\A0022285.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP261\A0022314.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP262\A0022323.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP264\A0022412.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP264\A0022421.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP264\A0022428.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP265\A0022454.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP266\A0022464.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP267\A0022477.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP268\A0022495.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP268\A0022517.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP268\A0022526.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP269\A0022537.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP269\A0022545.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP270\A0022628.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP271\A0022671.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP271\A0022682.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP272\A0022698.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP273\A0022713.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP274\A0022778.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP274\A0022792.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP275\A0022805.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP275\A0022814.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP276\A0022829.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP276\A0023830.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP276\A0023835.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP276\A0023844.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP277\A0024009.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP277\A0024018.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP278\A0024038.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP278\A0024045.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP280\A0024077.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP281\A0024099.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP281\A0024107.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP281\A0024121.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP282\A0024129.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP282\A0025129.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP282\A0025154.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP282\A0025164.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP282\A0025172.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP283\A0025180.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP285\A0025288.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP286\A0025308.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP287\A0025324.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP288\A0025338.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP289\A0025358.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP289\A0025365.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP289\A0025371.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP290\A0025387.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP290\A0025397.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP291\A0025404.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP291\A0025411.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP291\A0025425.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP291\A0025432.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP292\A0025444.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP293\A0025453.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP293\A0025469.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP293\A0025476.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP294\A0025503.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP294\A0025512.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP295\A0025528.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP295\A0025535.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP295\A0025555.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP297\A0025585.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP298\A0025602.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP298\A0025609.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP298\A0025620.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP298\A0025626.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP299\A0025641.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP299\A0025648.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP300\A0025671.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP300\A0025684.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP302\A0025698.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP304\A0025719.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP304\A0025737.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP305\A0025742.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP305\A0025761.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP305\A0025769.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP305\A0025775.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP306\A0025785.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP306\A0025790.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP307\A0025807.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP307\A0025827.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP307\A0026827.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP308\A0026835.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP308\A0026844.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP309\A0027845.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP309\A0027854.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP310\A0027866.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP310\A0027884.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP310\A0027893.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP311\A0027902.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP311\A0027908.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP312\A0027915.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP312\A0027923.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP312\A0027929.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP312\A0027937.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP313\A0027943.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP313\A0027951.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP313\A0027959.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP314\A0027972.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP314\A0027978.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP315\A0027989.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP315\A0027995.exe -> Trojan.Small.fb : Cleaned.
C:\System Volume Information\_restore{8FF9F956-2653-4BF1-85C6-9AAAF011EBEA}\RP315\A0028015.exe -> Trojan.Small.fb : Cleaned.
C:\WINDOWS\system32\dmval.exe -> Trojan.Small.fb : Cleaned.


::Report end

UNINSTAL LIST:

µTorrent
010 Editor 1.3
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
American Greetings CreataCard Select 6
Apophysis 2.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Auction Client
AVG Anti-Spyware 7.5
Barbie™ Fashion Show™ CD-ROM
BitTorrent 4.0.2
BroadJump Client Foundation
Counter-Strike: Condition Zero
DAEMON Tools
Diablo II
DivX
Dungeon Siege
Emperor: Battle For Dune
EPSON CardMonitor
EPSON PhotoStarter3.0
EPSON PictureMate User's Guide
EPSON Printer Software
Event Planner
ewido anti-malware
FEAR
Film Factory
GoGear Digital Audio Player SA250/255/260 Device Manager
Guild Wars
Hallmark Card Studio 3 Deluxe
Hero Editor V0.80
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Icy Tower v1.2 (11kHz)
ijji - Gunz
InterVideo WinDVD 4
iPod for Windows 2005-09-23
iTunes
J2SE Development Kit 5.0 Update 7
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2_06
JCreator LE 3.50
Kittens 2 Screen Saver
KKND Krossfire
Kohan
Kohan Ahriman's Gift
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash MX
MemoriesOnTV 2.2.0
Messenger Plus! 3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (1.5.0.9)
MP3 Rocket
MP3Rocket
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
Napster
Napster Burn Engine
Nero OEM
Nortel Networks Contivity VPN Client
Norton AntiVirus 2003
Norton WMI Update
Nox
NoxTools
NoxTools
Panda ActiveScan
Philips Device Transfer Pop-up
Puppy Luv (remove only)
Puzzle Pirates
Quake II
Quake II MP: Ground Zero
QuickTime
Rakion International
Red Alert Windows 95
Scrapbook Factory Deluxe
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Softnyx Launcher
SoulSeekkor's TQ Defiler (C:\Program Files\TQDefiler\)
SoulSeekkor's TQ Defiler (C:\Program Files\TQDefiler\) #3
SoulSeekkor's TQ Defiler (C:\Program Files\TQDefiler\) #4
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
Starcraft
Steam
TeamSpeak 2 RC2
Titan Quest
Uninstall MPEG2 Plugin
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB CASIO Digital Camera Device Driver
Westwood Shared Internet Components
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
Yahoo! Browser Services
Yahoo! Mail
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csvwb.exe"

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}854338A6C716-8B9B-DA54-2683-D4EDED71{" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "lavmd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1trap" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2trap" Deleted
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

C:\WINDOWS\system32\dmval.exe 61012 08/04/2004


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"EPSON PictureMate"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2P1.EXE /P17 \"EPSON PictureMate\" /O6 \"USB001\" /M \"PictureMate\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"LaunchPDeviceConn"="\"C:\\Program Files\\Philips\\Philips Device Transfer Pop-up\\PDeviceConn.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"Steam"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Thanks for the time.
  • 0

#4
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You need to uninstall ewido anti-malware as you now have AVG Anti-Spyware 7.5. Grisoft bought the company some months ago and released AVG A-S as a replacement for Ewido A-M.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Your log doesn't appear to show a software firewall installed - if you have one, and i've missed it, please ignore this.
If you are relying the firewall that comes with Service Pack 2, then you need to install one. While the SP2 firewall is better than nothing, it doesn't monitor outgoing traffic, so anything malicious on your computer can 'phone home' at will.

There are a few free firewalls available.
Zone Alarm: Available here.
Kerio: Available here.
Outpost: Available here.

It is important to note that you should only have one firewall installed at a time, but you can download both to your Desktop and install each in turn to see which one you prefer.

Understanding and Using Firewalls: http://www.bleepingc...tutorial60.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Go here and click the Kaspersky Online Scanner button.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer" and then put the kettle on!
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
  • 0

#5
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I have a few problems

When i "fix" The HJT entry you listed:

O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229

my internet connection goes out.

When i disconnect and then reconnect, that same O17 re-appears. If i don't fix it then, but i disconnect my connection, that O17 dissapears from the HJT log. And then it comes back again when i connect.

Maybe its doing this because i didnt remove it durring all those steps you did in your first post.

If you'd like me to redo those steps but get rid of this O17 too then i will. My thought is that i disconnected my connection when i was doing your steps becuase i saw it said "disconnected" at the top of your post or something.

Also, the kaspersky scanner isnt working for me. When i press that button in firfox, the warnings show up with the accept button, but pressing the accept button does nothing. When i try to open it in explorer, it just hangs and never loads the page with the accept button.
  • 0

#6
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Download AVG Anti-Rootkit Beta from here and save it to your Desktop.
  • Close all open programs as this will require a reboot.
  • Double click AVG_AntiRootkit_version number.exe to install the program.
    (By default this will be to C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta.)
  • Once the program has installed, you will be prompted to reboot - please allow this to happen.
  • When the PC has rebooted, click the AVG Anti-Rootkit Beta shortcut that is now on your desktop.
  • Click Perform in-depth search and put your feet up as this can take a while.
  • Once the scan has completed, if any files have been detected, right click the window and select Save results from the menu that appears.
    Save the file as "AVGRootkit.txt", including the quotation marks, to the location of your choice.
If anything has been detected, copy and paste the log into your next reply. If not, just let me know.

Download gmer.zip from here and save it to your Desktop.
You will need to unzip it before you run it.

To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


Double click gmer.exe to begin:
  • If you get a message about "system modification", click Yes and work through the rest of the instructions.
  • Ensure that the Rootkit Tab at the top is selected.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click the Scan button on the right.
  • When the scan has completed, (you'll have time for a snack and a cuppa!), click the Copy button underneath - this will save the report to your Clipboard.
  • Paste it into Notepad (Start > All Programs > Accessories > Notepad) and save it somewhere convenient.
  • Click the >>> Tab at the top and select the Autostart Tab.
  • Click the Scan button on the right - this one should only take seconds to complete.
  • Save the log as before.
Copy and paste both reports into your next reply - you may need to post them seperately.
The Preview option may show the whole logs being posted, but they sometimes get cut down when the actual post is made, so check the post once it is completed.
  • 0

#7
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
ok, AVG rootkit search didnt find anything.

here are the other two logs:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-15 19:06:18
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT 81EB0A40 ZwConnectPort
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT d347bus.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[3888] WS2_32.dll!send 71AB428A 5 Bytes JMP 017548E8 C:\Program Files\Messenger Plus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3888] WS2_32.dll!recv 71AB615A 5 Bytes JMP 017548A6 C:\Program Files\Messenger Plus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3888] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01754408 C:\Program Files\Messenger Plus! 3\MsgPlusH.dll
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3888] SHELL32.dll!Shell_NotifyIcon 7CA20C69 5 Bytes JMP 01751163 C:\Program Files\Messenger Plus! 3\MsgPlusH.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 8223D698
Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ 814383D0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 82052DF0
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 82052DF0
Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 81FB2FB0
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_READ 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA 8204F168
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 8204F168
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 82052DF0
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 82052DF0
Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 81726760
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 81E89458
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 81E89458
Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 81EA8CE0
Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 81EFF1F0
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CLOSE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_READ 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_WRITE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_EA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CLEANUP 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_POWER 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_PNP 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 81F20240
Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 81F20240
Device \FileSystem\Fastfat \Fat IRP_MJ_READ 814383D0
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 81F08400
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 81F08400
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 81F08400
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 81F08400
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 81F08400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 81EA8A80

---- Modules - GMER 1.0.12 ----

Module _________ F8454000

---- EOF - GMER 1.0.12 ----



GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-15 19:07:45
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected] = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>
[email protected] = Ati2evxx.dll
[email protected] = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey [email protected] = %SystemRoot%\system32\Ati2evxx.exe
ATI Smart /*ATI Smart*/@ = C:\WINDOWS\system32\ati2sgag.exe
Automatic LiveUpdate Scheduler /*Automatic LiveUpdate Scheduler*/@ = "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
ccEvtMgr /*Symantec Event Manager*/@ = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
navapsvc /*Norton AntiVirus Auto Protect Service*/@ = "C:\Program Files\Norton AntiVirus\navapsvc.exe"
SBService /*ScriptBlocking Service*/@ = C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[email protected] = %SystemRoot%\system32\drivers\scsiport.sys
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
SymWSC /*SymWMI Service*/@ = "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@BJCFDC:\Program Files\BroadJump\Client Foundation\CFD.exe = C:\Program Files\BroadJump\Client Foundation\CFD.exe
@MessengerPlus3"C:\Program Files\Messenger Plus! 3\MsgPlus.exe" = "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
@ccAppC:\Program Files\Common Files\Symantec Shared\ccApp.exe = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
@ccRegVfyC:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
@Symantec NetDriver MonitorC:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
@EPSON PictureMateC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate" = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
@NeroFilterCheckC:\WINDOWS\system32\NeroCheck.exe = C:\WINDOWS\system32\NeroCheck.exe
@DAEMON Tools-1033"C:\Program Files\D-Tools\daemon.exe" -lang 1033 = "C:\Program Files\D-Tools\daemon.exe" -lang 1033
@LaunchPDeviceConn"C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe" = "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@ATICCC"C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" = "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
@!AVG Anti-Spyware"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MessengerPlus3"C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart = "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
@Steam /*file not found*/ = /*file not found*/
@Yahoo! Pager"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
@MSMSGS"C:\Program Files\Messenger\msmsgs.exe" /background = "C:\Program Files\Messenger\msmsgs.exe" /background
@msnmsgr"C:\Program Files\MSN Messenger\msnmsgr.exe" /background = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\[email protected]{57B86673-276A-48B2-BAE7-C6DBB3020EB8} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{32683183-48a0-441b-a342-7c2a440a9478} /*Media Band*/(null) =
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll = C:\WINDOWS\System32\twext.dll
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll = C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
[email protected]{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll /*file not found*/
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! [email protected]{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
[email protected]{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll /*file not found*/
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[email protected]{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}C:\Program Files\Yahoo!\Common\yiesrvc.dll = C:\Program Files\Yahoo!\Common\yiesrvc.dll
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

HKCU\Control Panel\[email protected] = C:\WINDOWS\System32\ssstars.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\[email protected] = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft....k/?LinkId=69157
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.com/ = http://www.google.com/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/[email protected] = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\System32\itss.dll
[email protected] = C:\WINDOWS\System32\msvidctl.dll
[email protected] = %SystemRoot%\System32\inetcomm.dll
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
[email protected] = "C:\PROGRA~1\MSNMES~1\msgrapp.dll"
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
[email protected] = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\[email protected] = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\J\Start Menu\Programs\Startup = Scheduler.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Adobe Gamma Loader.lnk = Adobe Gamma Loader.lnk
Event Planner Reminders Tray Icon.lnk = Event Planner Reminders Tray Icon.lnk
Forget Me Not.lnk = Forget Me Not.lnk
InterVideo WinCinema Manager.lnk = InterVideo WinCinema Manager.lnk
VIA RAID TOOL.lnk = VIA RAID TOOL.lnk
WinZip Quick Pick.lnk = WinZip Quick Pick.lnk

---- EOF - GMER 1.0.12 ----
  • 0

#8
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Will you run through the Fixwareout removal steps again and then post a fresh HJT log, AVG A-S log, Fixwareout log etc... and let me know if things are back to normal regarding the O17.
  • 0

#9
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Sure il have to do that tomorrow though as it takes time and i have almost none right now.

Sorry this is taking so long and thanks for sticking around
  • 0

#10
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
When you get time - i'll still be around. I've not come across this type of thing before, Wareout always goes very happily, so if this doesn't solve the problem, i'll get the great and good to have a look and see if there's something else that needs to be done.
  • 0

Advertisements


#11
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
i redid the steps and the 017 is still there

i am going to try one of those free firewalls and see if that helps

Logfile of HijackThis v1.99.1
Scan saved at 8:04:58 PM, on 2/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Sierra\Planner\PLNRnote.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LaunchPDeviceConn] "C:\Program Files\Philips\Philips Device Transfer Pop-up\PDeviceConn.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebse...arch.jhtml?p=ZJ
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EF3BC42-EF3F-4D97-976D-9392EECCB8E3}: NameServer = 85.255.116.104 85.255.112.229
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

The system cannot find the file specified.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"EPSON PictureMate"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2P1.EXE /P17 \"EPSON PictureMate\" /O6 \"USB001\" /M \"PictureMate\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"LaunchPDeviceConn"="\"C:\\Program Files\\Philips\\Philips Device Transfer Pop-up\\PDeviceConn.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MessengerPlus3"="\"C:\\Program Files\\Messenger Plus! 3\\MsgPlus.exe\" /WinStart"
"Steam"=""
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
  • 0

#12
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
I installed ZonaAlarm and am goign through the process i went through with windows firewall of allowing programs access to internet activity.

BUT! as soon as i connected to the internet through the dsl connection zone alarm blocked something and gave me a messege that said:

"The firewall has blocked routed traffic from [an ip adress] (UDP Port ####) to [That very address found in the O17]!!! (DNS)."

so i pressed ok.

so it is a hijacking attempt i guess, just what to do about it...
  • 0

#13
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
We'll have one last try at getting this slime removed automatically, and then we'll have to go hunting for it -

Run the following online scan: Panda ActiveScan.
  • Please note that IE is required to run this scan.
  • You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
  • Decide whether you want to click the radio button underneath this part that says -
    "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable." - it's your choice!
  • When you are asked to "Select a device to scan...", click on "My Computer".
When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.
  • 0

#14
Reign

Reign

    Member

  • Topic Starter
  • Member
  • PipPip
  • 46 posts
Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Dialer:dialer.abr Not disinfected c:\windows\downloaded program files\startbf.inf
Dialer:dialer.xd Not disinfected c:\windows\switchagreement.txt
Potentially unwanted tool:application/funweb Not disinfected hkey_classes_root\clsid\{00A6FAF6-072E-44cf-8957-5838F569A31D}
Adware:adware/comet Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[media.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\J\Application Data\Mozilla\Firefox\Profiles\sgdpa1i7.default\cookies.txt[.perf.overture.com/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\J\Desktop\Desktop Cleanup\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\J\Desktop\Desktop Cleanup\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
Dialer:Dialer.XD Not disinfected C:\Program Files\HJT\backups\backup-20060122-224832-876.inf
Dialer:Dialer.ABR Not disinfected C:\Program Files\HJT\backups\backup-20060122-224832-941.inf
Dialer:Dialer.ABR Not disinfected C:\Program Files\HJT\backups\backup-20060204-133813-262.inf
Dialer:Dialer.XD Not disinfected C:\Program Files\HJT\backups\backup-20060204-133813-815.inf
Dialer:Dialer.ABR Not disinfected C:\Program Files\HJT\backups\backup-20060209-174543-121.inf
Dialer:Dialer.XD Not disinfected C:\Program Files\HJT\backups\backup-20060209-174543-456.inf
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MSN Messenger\msimg32.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem\Process.exe


My computer seems to be running fine. Of course my internet connection drags sometimes (especialy when playing diablo2). At times it loads slowly though like after im done using a large program, takes a while for memory to allocate... dunno if thats normal

Is it normal for ZoneAlarm to block 2000+ access attempts on my computer in the first 48 hours of running?
  • 0

#15
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts

Is it normal for ZoneAlarm to block 2000+ access attempts on my computer in the first 48 hours of running?

That seems high, but I couldn't say if it was indicative of anything - you could just be unlucky.
The Panda scan shows very little to worry about, but I don't like the idea of that O17 lurking and I don't know what to do about it. Run through the following which will create a log and i'll get someone to take a look and see if they can see something i'm missing.

Download WinPFind2.exe by OldTimer from here and save it to your Desktop.
  • Double click it and then click Extract.
  • When the files have been extracted, click OK.
  • Open the WinPFind2 folder that has been created on the Desktop and double click winpfind2.exe
  • In the AddOn Options column, on the right, check the following:
    • HKCU_IEDesktop.def
    • Jobs.def
    • Policies.def
    • SID_Run_Policies.def
  • Click Run All Scans - you can monitor the progress of the scan in the bottom left hand corner of the window.
  • When the scans have completed, click Simple Report in the bottom right hand corner and a Notepad window will open containing the report - there will also be a copy saved into the WinPFind2 folder as WinPFind2.txt.
  • Click Format at the top and ensure that Wordwrap is unchecked.
Copy and paste this report into your next reply.

Will you also through in a fresh HJT log as well and let me know if they O17 is still popping up as before.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP