Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

multiple repeat infections of trojans generic9, virtumunde, winfixer,


  • This topic is locked This topic is locked

#1
kenc

kenc

    Member

  • Member
  • PipPip
  • 24 posts
Guys (and Gals)
I am experiencing multiple repeat infections of various virus and trojans. For example the Lop virus, vundo, winfixer, downloader.agent.14.a0
virtumunde, generic.aqn0.....the list goes on! These all seem to invoke one of several bogus antispyware tools.
I have fully updated XP, and the latest Java release.
I have Zonealarm installed, and have run cleanup! followed by multiple AVG virus scans along with spybot S&D, Adaware, SuperAntispyware, AVG anti-spyware and vundofix.
I have the latest update of spywareblaster supposedly "protecting" my system, however it was very outdated until today.
System restore is turned off.
Several times over the last week I had thought I had licked it, only to be disappointed later.
My HJT log follows after the latest round of cleanings.
I run Firefox 99% of the time, and IE the remaining 1%.
Any help would be very gratefully received.........
Ken


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:01 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employee.nat..._16/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A8A48B5-0025-4782-A21F-29ACDA6643CB} - (no file)
O2 - BHO: (no name) - {0FB3752E-DF5B-49D7-AA54-A6DEB660F1E4} - (no file)
O2 - BHO: (no name) - {10911E0A-4AB8-44FB-B744-7D2ED7FFC7F1} - (no file)
O2 - BHO: (no name) - {49C828CF-202D-4D30-B963-F46B707DA62D} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {5E7DDB56-22B5-4099-B8BE-AD722E52947C} - (no file)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {cef3c5db-bc32-9298-07a4-58bb7a16e0e8} - {8e0e61a7-bb85-4a70-8929-23cbbd5c3fec} - C:\WINDOWS\system32\akbrnhmw.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\urqqqrr.dll (file missing)
O2 - BHO: (no name) - {E00CA836-6B73-44F8-9A4A-BFA735A19042} - (no file)
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://employee.nat...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 11640 bytes
  • 0

Advertisements


#2
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.

Please download the following & save to your Desktop:
ComboFix

Run ComboFix:
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply
Log file will be C:\Combofix.txt

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Cheers,

sage5
  • 0

#3
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage5,
Thanks for your help!

Here's the result of the Combofix run.
ken


ComboFix 08-02-25.3 - Ken 2008-02-25 15:46:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.197 [GMT -8:00]
Running from: C:\Documents and Settings\Ken\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Barbara\Application Data\macromedia\Flash Player\#SharedObjects\TCWYSVJG\www.broadcaster.com
C:\Documents and Settings\Barbara\Application Data\macromedia\Flash Player\#SharedObjects\TCWYSVJG\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Barbara\Application Data\macromedia\Flash Player\#SharedObjects\TCWYSVJG\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Barbara\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Barbara\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\SYSTEM32\ciwdggsu.ini
C:\WINDOWS\SYSTEM32\fhhkj.ini
C:\WINDOWS\SYSTEM32\fhhkj.ini2
C:\WINDOWS\SYSTEM32\hjllm.ini
C:\WINDOWS\SYSTEM32\hjllm.ini2
C:\WINDOWS\system32\MabryObj.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\SYSTEM32\oqtss.ini
C:\WINDOWS\SYSTEM32\oqtss.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\tstwa.ini
C:\WINDOWS\SYSTEM32\tstwa.ini2
C:\WINDOWS\SYSTEM32\wneivxwu.ini
C:\WINDOWS\SYSTEM32\wvvwa.ini
C:\WINDOWS\SYSTEM32\wvvwa.ini2
C:\WINDOWS\SYSTEM32\yccdd.ini
C:\WINDOWS\SYSTEM32\yccdd.ini2

.
((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))
.

2008-02-25 09:24 . 2008-02-25 09:24 <DIR> d-------- C:\Documents and Settings\Barbara\Application Data\Grisoft
2008-02-24 12:38 . 2008-02-24 12:38 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\Grisoft
2008-02-24 12:37 . 2007-05-30 04:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-02-23 11:44 . 2008-02-25 15:54 2,056,224 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat
2008-02-23 11:44 . 2008-02-25 15:54 25,040 --ahs---- C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx
2008-02-23 11:42 . 2008-02-23 11:42 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-02-23 11:40 . 2008-02-23 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-02-23 11:40 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-02-23 11:40 . 2008-02-23 11:42 4,212 --ah----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2008-02-23 11:34 . 2008-02-25 16:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-23 11:34 . 2008-02-25 15:53 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-23 11:29 . 2008-02-23 11:29 <DIR> d-------- C:\Program Files\Zone Labs
2008-02-23 11:25 . 2008-02-25 15:57 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-02-23 10:55 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-23 00:05 . 2008-02-23 00:05 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-02-22 23:01 . 2008-02-23 20:18 <DIR> d-------- C:\VundoFix Backups
2008-02-22 18:58 . 2008-02-23 11:33 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 17:13 . 2008-02-24 12:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-02-22 17:13 . 2008-02-24 12:19 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-02-22 17:13 . 2008-02-24 12:19 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-22 17:13 . 2008-02-24 12:19 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-22 16:46 . 2008-02-22 16:46 <DIR> d-------- C:\Program Files\CleanUp!
2008-02-22 08:48 . 2008-02-22 08:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-21 19:53 . 2008-02-21 19:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-21 18:26 . 2008-02-23 18:37 70,829 --a------ C:\WINDOWS\BM7f0b3045.xml
2008-02-21 18:26 . 2008-02-23 18:48 22 --a------ C:\WINDOWS\pskt.ini
2008-02-21 17:38 . 2008-02-21 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-02-21 17:38 . 2008-02-21 17:38 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2008-02-21 17:33 . 2008-02-21 17:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-21 16:55 . 2008-02-21 16:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-21 16:54 . 2008-02-24 14:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-02-21 16:54 . 2008-02-22 08:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 16:54 . 2008-02-21 16:54 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\SUPERAntiSpyware.com
2008-02-20 08:41 . 2008-02-20 08:39 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-20 08:41 . 2008-02-20 08:41 2,541 --a------ C:\WINDOWS\unins000.dat
2008-02-19 17:41 . 2008-02-22 16:50 <DIR> d-------- C:\Temp
2008-02-13 17:24 . 2008-02-14 07:46 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-02-05 08:30 . 2008-02-05 08:30 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\DivX
2008-02-04 21:28 . 2008-01-04 13:58 129,784 --a------ C:\WINDOWS\SYSTEM32\pxafs.dll
2008-02-04 21:28 . 2008-01-04 13:58 120,056 --a------ C:\WINDOWS\SYSTEM32\pxcpyi64.exe
2008-02-04 21:28 . 2008-01-04 13:58 118,520 --a------ C:\WINDOWS\SYSTEM32\pxinsi64.exe
2008-02-04 21:27 . 2008-02-04 21:28 <DIR> d-------- C:\Program Files\DivX
2008-02-04 19:57 . 2008-02-04 19:57 <DIR> d-------- C:\Program Files\uTorrent
2008-02-04 19:57 . 2008-02-19 17:38 <DIR> d-------- C:\Documents and Settings\Ken\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 23:44 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-02-25 23:35 --------- d-----w C:\Documents and Settings\Ken\Application Data\OpenOffice.org2
2008-02-25 17:25 --------- d-----w C:\Documents and Settings\Barbara\Application Data\OpenOffice.org2
2008-02-25 02:43 --------- d-----w C:\Documents and Settings\Ken\Application Data\AVG7
2008-02-24 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-24 20:23 --------- d-----w C:\Program Files\QuickTime
2008-02-24 20:23 --------- d-----w C:\Program Files\Digital Line Detect
2008-02-23 19:31 --------- d-----w C:\Program Files\Java
2008-02-23 19:14 --------- d-----w C:\Program Files\SpywareBlaster
2008-02-22 16:49 --------- d-----w C:\Program Files\Lavasoft
2008-02-20 19:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-20 17:19 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-15 03:09 --------- d-----w C:\Documents and Settings\Ken\Application Data\GrabIt
2008-02-14 01:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-06 16:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-01-15 06:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 06:45 --------- d-----w C:\Program Files\LizardTech
2008-01-15 04:29 --------- d-----w C:\Program Files\GrabIt
2008-01-04 21:58 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
2008-01-04 21:10 --------- d-----w C:\Program Files\Google
2008-01-04 20:52 --------- d-----w C:\Program Files\PostReader
2007-10-22 21:05 68,472 ----a-w C:\Documents and Settings\Barbara\Application Data\GDIPFONTCACHEV1.DAT
2007-01-04 06:59 66,616 ----a-w C:\Documents and Settings\Ken\Application Data\GDIPFONTCACHEV1.DAT
2002-10-20 19:17 8,981,440 ----a-w C:\Program Files\ar505enu.exe
2002-11-23 06:07 92 --sha-w C:\WINDOWS\SYSTEM32\sysukd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49C828CF-202D-4D30-B963-F46B707DA62D}]
C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8e0e61a7-bb85-4a70-8929-23cbbd5c3fec}]
C:\WINDOWS\system32\akbrnhmw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-02-23 11:42 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88}
{327C2873-E90D-4C37-AA9D-10AC9BABA46C}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24 1694208]
"Yahoo! Pager"="1" []
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.exe" [ ]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-04-10 13:44 679936]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-01-07 21:37 77824]
"EPSON Stylus Photo RX600"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26 368706]
"YBrowser"="C:\Program Files\Yahoo!\browser\ybrwicon.exe" [2003-07-11 12:51 57344]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-22 08:50 579072]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-24 17:03 185784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09 63712]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 12:16 185896]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 11:45 75304]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35 20480]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 01:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-22 08:50 219136]

C:\Documents and Settings\Barbara\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 21:26:34 393216]

C:\Documents and Settings\Ken\Start Menu\Programs\Startup\
OpenOffice.org 2.0.lnk - C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe [2006-07-14 21:26:34 393216]
PowerReg Scheduler.exe [2002-12-06 16:58:53 189952]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2002-10-10 16:44:19 45056]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 00:15:54 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 14:06:54 24633]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\ws_ftp\\WS_FTP32.EXE"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"C:\\sopcast\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 ATMhelpr;ATMhelpr;C:\WINDOWS\system32\drivers\ATMhelpr.sys [1997-06-17 04:00]
R1 NEOFLTR_530_11159;Juniper Networks TDI Filter Driver (NEOFLTR_530_11159);C:\WINDOWS\system32\Drivers\NEOFLTR_530_11159.SYS [2006-09-14 21:10]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 07:54]
S3 ati2mpaa;ati2mpaa;C:\WINDOWS\system32\DRIVERS\ati2mpaa.sys [2001-08-17 09:48]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 11:48]
S3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-05-03 08:30]
S3 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-05-03 08:29]
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys [2001-08-17 10:52]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 16:12:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
.
**************************************************************************
.
Completion time: 2008-02-25 16:18:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-26 00:18:23
.
2008-02-13 16:44:32 --- E O F ---
  • 0

#4
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

I see you have uTorrent installed on your system.
While the program itself is legal, most of the files downloaded with it, are not.
These programs can also be one of the major infection routes for an otherwise secure PC, because you might be unknowingly downloading infected files.
I highly recommend uninstalling uTorrent as outlined below.


Please download the following & save to your Desktop:
OTMoveIt2 by OldTimer.


Remove programs:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    uTorrent
    Please take note of any other programs that you don't recognise in that list, and include them in your next response


Run OTMoveIt2:
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\BM7f0b3045.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\unins000.exe
    C:\WINDOWS\unins000.dat
    C:\Program Files\ar505enu.exe
    C:\WINDOWS\SYSTEM32\sysukd.dll
    C:\Program Files\uTorrent
    C:\Documents and Settings\Ken\Application Data\uTorrent
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Open Notepad
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Paste the text into the Notepad file, click in the window and press Ctrl + V.
  • Click "Exit" to close OTMoveIt.
  • Save the text file as C:\otmove.txt
(If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.)

Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
O2 - BHO: (no name) - {0A8A48B5-0025-4782-A21F-29ACDA6643CB} - (no file)
O2 - BHO: (no name) - {0FB3752E-DF5B-49D7-AA54-A6DEB660F1E4} - (no file)
O2 - BHO: (no name) - {10911E0A-4AB8-44FB-B744-7D2ED7FFC7F1} - (no file)
O2 - BHO: (no name) - {49C828CF-202D-4D30-B963-F46B707DA62D} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {5E7DDB56-22B5-4099-B8BE-AD722E52947C} - (no file)
O2 - BHO: {cef3c5db-bc32-9298-07a4-58bb7a16e0e8} - {8e0e61a7-bb85-4a70-8929-23cbbd5c3fec} - C:\WINDOWS\system32\akbrnhmw.dll (file missing)
O2 - BHO: (no name) - {D85530E8-D39D-49D0-9F36-300D594556D2} - C:\WINDOWS\system32\urqqqrr.dll (file missing)
O2 - BHO: (no name) - {E00CA836-6B73-44F8-9A4A-BFA735A19042} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Shut down & Reboot normally:

Run HijackThis again:
  • Select the Run a system scan and save a logfile button. The logfile will open in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
Please include a note to tell me how your PC is running now.

Cheers,

sage5
  • 0

#5
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
This is what I have after following your instructions.

I found two items in the add/remove window worth noting

1) Broadjump client foundation - I think this is related to the ISP or network access - it always fires off a couple of internet accesses when teh browser is started - CFD.exe I think it is.
2) getPlus®_dll


OTMoveIt2 flashed up a window with this message:

The application or DLL C:\WINDOWS\SYSTEM32\sysukd.dll is not a valid Windows image.
Please check this against your installation diskette.


otmove Log:



C:\WINDOWS\BM7f0b3045.xml moved successfully.
C:\WINDOWS\pskt.ini moved successfully.
C:\WINDOWS\unins000.exe moved successfully.
C:\WINDOWS\unins000.dat moved successfully.
C:\Program Files\ar505enu.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\SYSTEM32\sysukd.dll
C:\WINDOWS\SYSTEM32\sysukd.dll NOT unregistered.
C:\WINDOWS\SYSTEM32\sysukd.dll moved successfully.
File/Folder C:\Program Files\uTorrent not found.
File/Folder C:\Documents and Settings\Ken\Application Data\uTorrent not found.

OTMoveIt2 v1.0.20 log created on 02262008_171944


****************************
Only three of the BHOs that you identified were in the hijack this log when I went to fix them.
Here's the log after fixing them
**************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:22 PM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employee.nat..._16/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://employee.nat...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8751 bytes

Will let you know how the machine is running!
Cheers,
Ken
  • 0

#6
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Let's get an online scan done as a check.

Please go HERE to run Panda's TotalScan
  • Select the bubble for Full scan
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Then the scan will begin
  • When the scan completes, click the Save button on the right of Scan details
  • Save it to a convenient location. Post the contents of the TotalScan report

Cheers,

sage5
  • 0

#7
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage5

Here's the result:
ken

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-02-28 07:00:45
PROTECTIONS: 1
MALWARE: 34
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
AVG 7.5.516 7.5.516 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00013869 adware/cydoor Adware No 0 Yes No c:\windows\system32\cd_clint.dll
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000196.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000223.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000296.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000361.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000379.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000389.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000435.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000460.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000695.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000734.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000817.~]
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Stanley Bedrock 604 1/2C Type 3 plane Beauty! EBAY Item # 2115966655
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Stanley Bedrock 604 1/2C Type 3 plane Beauty! EBAY Item # 2115966655
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Let's be friends
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Let's be friends
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Fw:welcome to my hometown
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: ISP for Acme Computers
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: W.link.W3o!
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\Sent Items\Re: Re: MORRIS MINOR - Paul Skilleter EBAY Item # 1495133350
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0015031.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0023534.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0023936.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0033736.~]
00024402 Exploit/iFrame HackTools No 0 Yes No Local Folders\keep\FoolWatch: What I Learned From the Nasdaq
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[~0005825.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[~0005702.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0033814.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\keep[~0000029.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0002903.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0004205.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0005311.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0006048.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000162.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0006051.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0006068.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0006134.~]
00024402 Exploit/iFrame HackTools No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0006138.~]
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\savenow
00029459 spyware/betterinet Spyware No 1 Yes No c:\windows\inf\biini.inf
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011095.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011138.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011164.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011401.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011435.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0001789.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0000279.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0000272.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0000167.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011452.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011092.~]
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Ebay auction 374566367 (Claim Number eb16834)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: ebay Norris A5
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: ebay Norris A5
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\WHERE'S MY ITEM OR MONEY? SWINDLER!!!!!
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Bedrock Plane (Item #374566367)
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Brdrock Plane
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011455.~]
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: Stanley #604 Brdrock Plane
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Re: planes
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011081.~]
00031932 JS/Kak.Worm Virus No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Sent Items[~0011111.~]
00031932 JS/Kak.Worm Virus No 0 Yes No Local Folders\Sent Items\Item
00040297 adware/blazefind Adware No 0 Yes No c:\windows\key2.txt
00040297 adware/blazefind Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\windows sr 2.0
00048371 Trj/Citifraud.A Virus/Trojan No 1 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\Mail\mail.earthlink.net\Trash[~0002522.~]
00048371 Trj/Citifraud.A Virus/Trojan No 1 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\Mail\mail.earthlink.net\Trash[~0000956.~]
00048371 Trj/Citifraud.A Virus/Trojan No 1 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\Mail\mail.earthlink.net\Trash[~0000331.~]
00061590 W32/Bugbear Virus/Worm No 1 Yes No Local Folders\keep\FoolWatch: What I Learned From the Nasdaq\dbrownn's MIS Boise Account Info.txt.exe
00061590 W32/Bugbear Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\keep[dbrownn's MIS Boise Account Info.txt.exe]
00097492 W32/Netsky.J.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[~0000508.~][message_part2.pif]
00098232 W32/Netsky.P.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\Mail\mail.earthlink.net\Trash[~0000137.~][abuses.zip][data.rtf .scr]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\cookies.txt[.atdmt.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.mediaplex.com/]
00145758 Cookie/Mysearch TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.mysearch.com/]
00145758 Cookie/Mysearch TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.mysearch.com/]
00145758 Cookie/Mysearch TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.mysearch.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.com.com/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.club.cdfreaks.com/]
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.club.cdfreaks.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[ad.yieldmanager.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.cdfreaks.com/]
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.cdfreaks.com/]
00169009 W32/Sober.V.worm!CME-456 Virus/Worm No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\Mail\mail.earthlink.net\Trash[account_info.zip][Winzipped-Text_Data.txt .pif]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.advertising.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.realmedia.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.zedo.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.adrevolver.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.adrevolver.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Thunderbird\Profiles\default.6ar\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.go.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.target.com/]
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Barbara\Application Data\Mozilla\Firefox\Profiles\default.ln2\cookies.txt[.target.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.did-it.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.did-it.com/]
00519527 W32/Nurech.U.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[Click Me.exe]
00519527 W32/Nurech.U.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[Click Me.exe]
00520451 W32/Nurech.Y.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[Love Card.exe]
00520451 W32/Nurech.Y.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[Love Card.exe]
00520451 W32/Nurech.Y.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[Love Card.exe]
00520451 W32/Nurech.Y.worm Virus/Worm No 1 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[Love Card.exe]
00980565 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Inbox[News.exe]
00980565 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Ken\Application Data\Thunderbird\Profiles\default.18o\Mail\mail.earthlink.net\Trash[News.exe]
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000006.EXE
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\WINDOWS\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Ken\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
01262593 Application/NirCmd.A HackTools No 0 No No C:\Documents and Settings\Ken\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1\A0000038.com
01692698 Generic Malware Virus/Trojan No 0 Yes No C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\Xtras\download\TheGrooveAlliance\3DGrooveXtrav181\groove.x32
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
02887528 Cookie/AdvancedCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\Ken\Application Data\Mozilla\Firefox\Profiles\default.edd\cookies.txt[.advancedcleaner.com/]
;===============================================================================
=================================================================================
===================
SUSPECTS
Location
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
  • 0

#8
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

There seems to be a bit of an issue with your Anti-virus. Either it is not functioning properly, or the email scanner is not up to the task.
Nearly all of those infections, apart from the cookies, are in the storage folders of your email program.
Can you get a full system scan of your PC done, using AVG, and send me the text of the log produced.

Cheers,

sage5
  • 0

#9
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
I updated and ran a full AVG (free version) virus scan. It found no problems.
I am not sure about the log, I then hit SERVICE- event history log and it produces a txt file supposedly, but it is kind of garbled in notepad,
and while more readable in Word, it is 24 pages long.
Perhaps there is no useful log in AVG Free edition? Please advise,
Thanks!
Ken
  • 0

#10
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

Sorry for the delay with this, I missed the email notification of your reply.
Can you do another online scan, this time with F-Secure:

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Read the FAQ and information about Supported Browsers
  • Click the Start Scanning button
  • If you get a Security warning, or the Information Bar at the top of the IE7 page flashes, Allow permission for the ActiveX to run
  • click the Accept button
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report into a new Notepad file, saved as C:\ f_secure.txt

Cheers,

sage5
  • 0

Advertisements


#11
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,

Here you go:
Thanks,
Ken


Scanning Report
Sunday, March 09, 2008 21:07:43 - 07:57:46

Computer name: D6KG9Z11
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 1 malware found
Tracking Cookie (spyware)

* System

Statistics
Scanned:

* Files: 58651
* System: 4789
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 2.20.0
* F-Secure Hydra: 2.6.7470, 2008-03-10
* F-Secure AVP: 7.0.171, 2008-03-10
* F-Secure Pegasus: 1.20.0, 2008-02-03
* F-Secure Blacklight: 1.0.64

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics
  • 0

#12
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi kenc,

It seems that I may have used the wrong scanner then, let's try one that gets along with Thunderbird.
Dowload the following & save to your Desktop:
Kaspersky Virus Removal Tool (Pick the most recent version)

Install & run:
  • Double click the setup file to install, and allow default folder.
  • When the window opens, on the Automatic Scan tab, tick the following:
    • System Memory
    • Startup objects
    • Disk boot sectors
    • My Documents
    • Mail databases
    • My Computer
    • C:\ drive
  • Click the Scan button. (Be patient, this scan can take some time).
  • When finished click the Reports button, then on Save to file.
  • Save as C:\kasperscan.txt
Post the text from that file as your next Reply

Cheers,

sage5
  • 0

#13
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
No luck.
Kaspersky refuses to install and run. Not only that, the second time I installed it, I am unable to remove the non functional Kaspersky files. I check that the Kaspersky setup.exe is not running in Task manager (first time two "invisible" copies were left running and I eventually was able to remover the files after closing them in T.M. )

Second time, I simply cannot remove the Kaspersky file on my desktop. The file attributes are set to "read", I unset that but still the files refuse to uninstall claiming that the files are write protected. Lo and behold, the attribute has magically rset itself to "read only".

ken
  • 0

#14
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Please send me a fresh HijackThis log, so I can instruct you on how to remove that scanner.

Cheers,

sage5
  • 0

#15
kenc

kenc

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Hi Sage,
Kasperskys setup.exe still pops up in task manager as a running process. I kill it, but still can't seem to overrride the read only access of the kaspersky files.
Ken


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:49 AM, on 3/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://employee.nat..._16/welcome.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_1_6_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB002" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVP] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX600] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /M "Stylus Photo RX600" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1599196801-163748893-4247568029-1007\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Barbara')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://employee.nat...perSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{5E188631-5C17-4551-8993-EEAEDC10E0DF}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: setup_7.0.0.180_14.03.2008_07-23 - Kaspersky Lab - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_14.03.2008_07-23.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 8325 bytes
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP