
ads by Adzgalore infected PC owner... Logs inside [RESOLVED]


  • This topic is locked

#1
Franck L.

    New Member

  • Member
  • 7 posts
Hi Guys,

Hope you can help me.

I ran ATF, ComboFix and HijackThis and am posting logs of the latter two....

Please help me remove this VERY annoying Ads by Adzgalore thingy!!

ComboFix:

Attached file: log_ComboFix_060708.txt (16KB)

HijackThis:

Attached file: hijackthis_log_060708.txt (15.95KB)

Edited by BHowett, 28 June 2008 - 09:20 AM.

#2
BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again.

The fixes may take several attempts and my replies may take some time but stick with it, and we will be sure to get you sorted.

Please post your logs directly in your reply; it makes reading them much easier :) Also, ComboFix can be a very dangerous tool if used unsupervised, so please don't run any tools on your own. I will advise you of what we need to do next, after I review your logs.

Thanks

#3
Franck L.

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thanks !! Look forward to hearing (reading!) from you....

#4
BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Please post your logs directly in your reply; it makes reading them much easier :)

#5
Franck L.

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here are the logs:

ComboFix log:

ComboFix 08-06-07.3 - FL 2008-06-07 22:50:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2035 [GMT -4:00]
Running from: C:\Documents and Settings\FL\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cpmsky-uninst.exe
C:\WINDOWS\system32\nsi266.dll
C:\WINDOWS\system32\nsl67.dll
C:\WINDOWS\system32\nsw8E.dll

----- BITS: Possible infected sites -----

hxxp://WWSMS01
hxxp://USSMS01
.
((((((((((((((((((((((((( Files Created from 2008-05-08 to 2008-06-08 )))))))))))))))))))))))))))))))
.

2008-06-07 22:52 . 2008-06-07 22:52 53,248 --a------ C:\Temp\catchme.dll
2008-06-05 18:06 . 2008-06-07 22:52 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0002
2008-06-05 18:05 . 2008-06-07 22:52 <DIR> d-------- C:\Temp\Adobelm_Cleanup.0001.dir.0000
2008-06-05 15:53 . 2008-06-05 15:53 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_130_1_93.dll
2008-06-05 15:37 . 2008-06-05 15:37 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_144_1_93.dll
2008-06-05 12:44 . 2008-02-08 20:08 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-05 10:41 . 2008-06-05 10:42 <DIR> d-------- C:\Documents and Settings\FL\.SunDownloadManager
2008-06-04 17:31 . 2008-06-04 17:31 372,736 --a------ C:\WINDOWS\system32\AppShare-6-7-4.dll
2008-06-04 17:03 . 2008-06-04 17:03 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbbb.xml
2008-06-04 17:01 . 2006-05-09 17:31 32,837 --------- C:\WINDOWS\system32\exthook.dll
2008-06-04 17:01 . 2006-05-09 17:47 24,521 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2008-06-04 16:44 . 2008-06-04 16:44 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbb.xml
2008-06-04 16:43 . 2006-05-09 17:46 155,216 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2008-05-30 15:52 . 2008-05-30 15:52 <DIR> d-------- C:\Converted
2008-05-30 15:45 . 2008-05-30 15:48 <DIR> d-------- C:\Program Files\SoundTaxi
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-12 14:35 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-05-30 15:45 . 2008-03-13 16:10 10,936 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-05-30 15:45 . 2008-03-13 16:10 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 2,618 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-05-29 00:39 . 2008-05-29 01:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-05-18 19:08 . 2008-05-18 19:08 <DIR> d-------- C:\Documents and Settings\FL\Application Data\TuneUp Software
2008-05-18 19:08 . 2008-05-18 19:08 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-18 19:08 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-18 19:07 . 2008-05-18 19:07 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-05-18 19:06 . 2008-05-18 19:09 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-18 14:08 . 2008-05-18 14:08 32 --a------ C:\WINDOWS\WININIT.INI
2008-05-18 14:06 . 2008-05-18 14:06 <DIR> d-------- C:\Program Files\Sonic
2008-05-16 21:29 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 21:29 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 08:54 . 2008-05-16 08:54 <DIR> d-------- C:\Program Files\PCXViewer
2008-05-15 18:54 . 2008-05-15 18:54 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_195.dll
2008-05-15 18:36 . 2008-05-15 18:36 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_198.dll
2008-05-12 08:56 . 2008-02-15 11:12 206,256 --a------ C:\WINDOWS\system32\idmmbc.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 02:48 --------- d-----w C:\Documents and Settings\FL\Application Data\DMCache
2008-06-07 16:40 --------- d-----w C:\Documents and Settings\FL\Application Data\Juniper Networks
2008-06-06 00:57 --------- d-----w C:\Program Files\YPOPs
2008-06-05 17:56 98,304 ----a-w C:\Documents and Settings\FL\ProcessInfoWIN.dll
2008-06-05 17:30 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-05 17:28 --------- d-----w C:\Program Files\Password Safe
2008-06-05 16:45 --------- d-----w C:\Program Files\Java
2008-06-04 21:31 242,200 ----a-w C:\WINDOWS\java\Packages\PJ71NVV3.ZIP
2008-06-04 21:03 --------- d-----w C:\Program Files\Nortel Networks
2008-06-04 20:57 16,000 ----a-w C:\WINDOWS\system32\drivers\eqdrv5.sys
2008-06-04 20:41 --------- d-----w C:\Program Files\Equant
2008-05-29 04:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 12:29 --------- d-----w C:\Documents and Settings\FL\Application Data\IDM
2008-05-18 23:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 23:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 18:07 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-05-16 00:19 --------- d-----w C:\Documents and Settings\FL\Application Data\AdobeUM
2008-05-10 02:57 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-08 13:55 --------- d-----w C:\Documents and Settings\FL\Application Data\Apple Computer
2008-05-08 00:30 --------- d-----w C:\Program Files\ISS
2008-05-05 13:44 --------- d-----w C:\Program Files\Orca
2008-05-01 19:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-01 17:27 80,512 ----a-w C:\WINDOWS\system32\drivers\isskboep.sys
2008-05-01 17:27 548,864 ----a-w C:\WINDOWS\system32\msvcp80.dll
2008-05-01 17:27 50,163 ----a-w C:\WINDOWS\system32\drivers\RapDrv.sys
2008-05-01 17:27 205,938 ----a-w C:\WINDOWS\system32\drivers\Blackcat.sys
2008-05-01 14:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates
2008-05-01 14:26 --------- d-----w C:\Program Files\Network Associates
2008-05-01 14:26 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-05-01 14:25 --------- d-----w C:\Program Files\McAfee
2008-05-01 14:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-04-14 19:59 --------- d-----w C:\Program Files\j2 Messenger 4.2
2008-04-14 19:59 --------- d-----w C:\Documents and Settings\FL\Application Data\j2 Messenger
2008-04-14 19:59 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\j2 Messenger 4.2 Setup
2008-04-12 02:13 --------- d-----w C:\Program Files\Gadwin Systems
2008-04-09 09:02 --------- d-----w C:\Program Files\Eyeball
2008-04-04 15:57 316,928 ----a-w C:\WINDOWS\system32\SICLT32.EXE
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 18:05 202,323 ----a-w C:\WINDOWS\system32\atasnt40.dll
2008-03-20 17:50 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-03-20 17:50 107,936 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{994B5FB4-0103-44A6-B6B3-C73572B362BC}]
2008-02-06 13:21 233472 --a------ C:\WINDOWS\system32\nsf165.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-12 09:03 2594224]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-22 14:17 154880]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 17:07 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 17:08 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 11:24 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 11:22 970752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-11-08 15:38 136512]
"ShStatEXE"="c:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 08:00 98304]
"Network Associates Error Reporting Service"="c:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48 147514]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe" [2008-02-08 20:08 32881]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]

C:\Documents and Settings\FL\Start Menu\Programs\Startup\
Password Safe.lnk - C:\Program Files\Password Safe\pwsafe.exe [2007-11-25 16:28:36 1470464]
YPOPs.lnk - C:\Program Files\YPOPs\YPOPs.exe [2008-01-08 10:22:00 1331200]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-09-24 09:53:10 25214]
Proventia Desktop Agent.lnk - C:\Program Files\ISS\Proventia Desktop\blackice.exe [2008-05-07 20:30:50 2179072]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2008-05-15 19:06:41 8192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.vbs"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\FLaburthe Documents\\My Docs - Perso\\My Software\\FTPServer.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamUI.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Nortel\\IP Softphone 2050\\i2050.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 Neofltr;Neoteris TDI Filter - Layered Version;C:\WINDOWS\system32\drivers\Neofltr.sys [2005-03-10 17:47]
R2 APSMDrv;Intranet Server Client Software Usage driver;C:\WINDOWS\system32\DRIVERS\APSMDrv.sys [2003-04-02 09:53]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;"C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe" [2007-12-24 17:36]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-05-09 17:47]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2008-03-13 16:10]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-03-13 16:10]
R3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-18 19:08]
S0 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2008-05-01 13:27]
S2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2008-05-01 13:27]
S3 APSINV;APSINV;C:\WINDOWS\system32\DRIVERS\APSINV.SYS [2004-11-10 20:07]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-07-11 01:11]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-07-11 01:11]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-07-11 01:11]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
S3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2008-05-01 13:27]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 20:01]
S3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 01:00]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2008-05-01 13:27]
S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2008-03-12 14:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - ENTDRV51
.
Contents of the 'Scheduled Tasks' folder
"2008-06-08 02:00:00 C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 22:52:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-07 22:56:16
ComboFix-quarantined-files.txt 2008-06-08 02:55:10

Pre-Run: 4,070,034,944 bytes free
Post-Run: 4,182,185,984 bytes free

223 --- E O F --- 2008-04-21 18:30:46

HIJACKTHIS LOGS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58:07 PM, on 06/07/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\APSmscan.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Equant\Dialer\EACSvrMngr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_17\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Equant\Dialer\EACSys.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\downloader\iPCCheck.exe
C:\Program Files\TuneUp Utilities 2008\RegistryCleaner.exe
C:\WINDOWS\System32\TuneUpDefragService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\FL\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myconnection..../DesktopServlet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {377f6841-9beb-5441-79a1-b373b8c19146} - (no file)
O2 - BHO: (no name) - {50470403-6df1-ab44-e20f-efe2395db6b7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: adzgalore - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - C:\WINDOWS\system32\nsf165.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "c:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe"
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Proventia Desktop Agent.lnk = C:\Program Files\ISS\Proventia Desktop\blackice.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://fileade.equant.com
O15 - Trusted Zone: http://fileadeadmin.equant.com
O15 - Trusted Zone: http://fileadeadminatl.equant.com
O15 - Trusted Zone: http://fileadeadminbck.equant.com
O15 - Trusted Zone: http://fileadeadminete.equant.com
O15 - Trusted Zone: http://fileadeadminsyd.equant.com
O15 - Trusted Zone: http://fileadeatl.equant.com
O15 - Trusted Zone: http://fileadebck.equant.com
O15 - Trusted Zone: http://fileadeete.equant.com
O15 - Trusted Zone: http://fileadesyd.equant.com
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://70.84.*.*
O15 - Trusted IP range: http://81.9.3.*
O15 - Trusted IP range: http://81.95.*.*
O15 - Trusted IP range: http://82.179.*.*
O15 - Trusted IP range: http://216.195.*.*
O15 - Trusted IP range: http://209.160.73.132
O15 - Trusted IP range: http://202.71.102.101
O15 - Trusted IP range: http://195.225.*.*
O15 - Trusted IP range: http://205.177.*.*
O15 - Trusted IP range: http://205.188.*.*
O15 - Trusted IP range: http://216.239.*.*
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O16 - DPF: Netspoke AppShare 2006 - https://meeting2.pre...Share-6-7-4.cab
O16 - DPF: vzTCPConfig - http://www2.verizon....vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.teamspac...com.com/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://dico.equant.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184126714109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1184160059343
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://hrlv02.equant...iator/jinit.exe
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediaz...69/MZPlayer.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://orangebusine...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://esp.avaya.co...perSetupSP1.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intranet Server Client Software Usage (APSMScan) - Unknown owner - C:\WINDOWS\SYSTEM32\APSmscan.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Program Files\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Program Files\Equant\Dialer\EACSys.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 16333 bytes



END !!
  • 0

#6
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi Franck L,

Sorry for the delay, I got a little tied up at work. Please do the following:

It looks like you are running two antivirus programs at the same time (Symantec/Norton and McAfee). It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory can cause system crashes, high system usage and/or conflicts with each other. So please decide which one you want to keep, then simply uninstall the other one.

===============================================

Move HijackThis

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file, Temporary folders, or the desktop, because the backups will/could be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

  • Please go to Start > My Computer > C:\
  • right-click and select New > Folder then name the folder 'HJT'.
  • Copy and paste HijackThis.exe to the new folder.
Next launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then notepad will open up.
  • Click file>save as and save it to your desktop.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Now post a new HJT log and we will begin cleaning your system.

===============================================


Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

===============================================

Unwanted Site or IP Address in IE Trusted Zone

It appears that you have an unwanted site or IP address in your IE Trusted Zone

Site / address goes here

To reset these zones please download Deldomains from HERE.
1. Save it to your desktop.
2. Right-click DelDomains.inf and select: Install (no need to restart)
3. You may not see any noticeable changes or prompts; this is normal.

Note: The DelDomains.inf file will remove ALL entries in the Trusted, Restricted, and Enhanced Security Configuration Zones. Any entries that you had will need to be entered again. You will have to reimmunize with SpywareBlaster, and/or Spybot after doing this, and reinstall IESpyads if you use any of these programs.

===============================================

Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {377f6841-9beb-5441-79a1-b373b8c19146} - (no file)
O2 - BHO: (no name) - {50470403-6df1-ab44-e20f-efe2395db6b7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: adzgalore - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - C:\WINDOWS\system32\nsf165.dll
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.aka...vex-2.2.2.1.cab


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

After that, Reboot, and post a new HijackThis log here in your reply, and let me know how your system is running.

===============================================


Combofix Script.txt
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\nsf165.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{994B5FB4-0103-44A6-B6B3-C73572B362BC}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

===============================================


Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
===============================================

Needed in your next reply:

Combofix.txt
Malwarebytes' Anti-Malware Log
A new HijackThis log

Also let me know how your system is running now :)
  • 0

#7
Franck L.

Franck L.

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
BHowett,

Thanks very much. :) I did what you asked for. The only thing that did not work is the DelDomains.inf: I do not have an Install/Run option when I right-click on it... it just opens in Notepad...

and here are the logs:

COMBOFIX:

ComboFix 08-06-19.4 - FL 2008-06-20 15:26:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2271 [GMT -4:00]
Running from: C:\Documents and Settings\FL\Desktop\geeks to go folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\FL\Desktop\geeks to go folder\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\nsf165.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Mozilla Firefox\components\nsBrowserGal.dll
C:\WINDOWS\system32\adzgalore-remove.exe
C:\WINDOWS\system32\nsi43B.dll

----- BITS: Possible infected sites -----

hxxp://USSMS01
.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-20 15:33 . 2008-06-20 15:33 28 --a------ C:\Temp\ExchangePerflog_8484fa31e09356ac79eae33d.dat
2008-06-20 15:32 . 2008-06-20 15:32 53,248 --a------ C:\Temp\catchme.dll
2008-06-20 15:02 . 2008-06-20 15:16 <DIR> d-------- C:\HJT
2008-06-18 10:00 . 2007-07-05 00:00 327,680 --a------ C:\WINDOWS\system32\js32.dll
2008-06-18 09:59 . 2007-07-05 00:00 7,503,872 --a------ C:\WINDOWS\system32\nnotes.dll
2008-06-18 09:58 . 2008-06-18 09:49 2,027,520 --a------ C:\WINDOWS\system32\lcppn30.dll
2008-06-11 13:06 . 2008-06-11 13:06 256 --a------ C:\Documents and Settings\FL\pool.bin
2008-06-05 15:53 . 2008-06-05 15:53 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_130_1_93.dll
2008-06-05 15:37 . 2008-06-05 15:37 98,304 --a------ C:\Documents and Settings\FL\ProcessInfoWIN_10_144_1_93.dll
2008-06-05 12:44 . 2008-02-08 20:08 61,555 --a------ C:\WINDOWS\system32\jpicpl32.cpl
2008-06-05 10:41 . 2008-06-05 10:42 <DIR> d-------- C:\Documents and Settings\FL\.SunDownloadManager
2008-06-04 17:31 . 2008-06-04 17:31 372,736 --a------ C:\WINDOWS\system32\AppShare-6-7-4.dll
2008-06-04 17:03 . 2008-06-04 17:03 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbbb.xml
2008-06-04 17:01 . 2006-05-09 17:31 32,837 --------- C:\WINDOWS\system32\exthook.dll
2008-06-04 17:01 . 2006-05-09 17:47 24,521 --a------ C:\WINDOWS\system32\drivers\eacfilt.sys
2008-06-04 16:44 . 2008-06-04 16:44 208 --a------ C:\WINDOWS\system32\EACuninstbbbbbbbbbbb.xml
2008-06-04 16:43 . 2006-05-09 17:46 155,216 --a------ C:\WINDOWS\system32\drivers\ipsecw2k.sys
2008-05-30 15:52 . 2008-05-30 15:52 <DIR> d-------- C:\Converted
2008-05-30 15:45 . 2008-05-30 15:48 <DIR> d-------- C:\Program Files\SoundTaxi
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-05-30 15:45 . 2008-03-12 14:35 184,320 --a------ C:\WINDOWS\system32\snmvtsvc.exe
2008-05-30 15:45 . 2008-03-13 16:10 10,936 --a------ C:\WINDOWS\system32\MovRVDrv32.dll
2008-05-30 15:45 . 2008-03-13 16:10 3,993 --a------ C:\WINDOWS\system32\SndTDriverV32.inf
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-05-30 15:45 . 2008-03-13 16:10 2,618 --a------ C:\WINDOWS\system32\MovRVDrv32.inf
2008-05-29 00:39 . 2008-05-29 01:20 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 19:23 --------- d-----w C:\Documents and Settings\FL\Application Data\DMCache
2008-06-20 18:54 --------- d-----w C:\Program Files\Common Files\Network Associates
2008-06-20 18:51 --------- d-----w C:\Program Files\Dell
2008-06-18 18:57 --------- d-----w C:\Program Files\YPOPs
2008-06-16 18:56 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-06-16 18:55 --------- d-----w C:\Program Files\Password Safe
2008-06-15 05:05 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-06-15 05:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Roxio
2008-06-15 00:09 --------- d-----w C:\Program Files\Roxio
2008-06-12 20:19 --------- d-----w C:\Documents and Settings\FL\Application Data\Juniper Networks
2008-06-12 03:33 --------- d-----w C:\Documents and Settings\FL\Application Data\Blackberry Desktop
2008-06-11 07:52 --------- d-----w C:\Program Files\PCXViewer
2008-06-05 17:56 98,304 ----a-w C:\Documents and Settings\FL\ProcessInfoWIN.dll
2008-06-05 16:45 --------- d-----w C:\Program Files\Java
2008-06-04 21:31 242,200 ----a-w C:\WINDOWS\java\Packages\PJ71NVV3.ZIP
2008-06-04 21:03 --------- d-----w C:\Program Files\Nortel Networks
2008-06-04 20:57 16,000 ----a-w C:\WINDOWS\system32\drivers\eqdrv5.sys
2008-06-04 20:41 --------- d-----w C:\Program Files\Equant
2008-05-29 04:40 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 12:29 --------- d-----w C:\Documents and Settings\FL\Application Data\IDM
2008-05-18 23:09 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-05-18 23:08 354,560 ----a-w C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-18 23:08 --------- d-----w C:\Documents and Settings\FL\Application Data\TuneUp Software
2008-05-18 23:07 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\TuneUp Software
2008-05-18 23:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 23:02 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-05-18 18:06 --------- d-----w C:\Program Files\Sonic
2008-05-16 00:19 --------- d-----w C:\Documents and Settings\FL\Application Data\AdobeUM
2008-05-15 22:54 98,304 ----a-w C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_195.dll
2008-05-15 22:36 98,304 ----a-w C:\Documents and Settings\FL\ProcessInfoWIN_57_251_249_198.dll
2008-05-10 02:57 --------- d-----w C:\Program Files\Internet Download Manager
2008-05-08 13:55 --------- d-----w C:\Documents and Settings\FL\Application Data\Apple Computer
2008-05-08 00:30 --------- d-----w C:\Program Files\ISS
2008-05-06 00:46 27,048 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 00:46 15,864 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-05-05 13:44 --------- d-----w C:\Program Files\Orca
2008-05-01 19:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-01 17:27 80,512 ----a-w C:\WINDOWS\system32\drivers\isskboep.sys
2008-05-01 17:27 548,864 ----a-w C:\WINDOWS\system32\msvcp80.dll
2008-05-01 17:27 50,163 ----a-w C:\WINDOWS\system32\drivers\RapDrv.sys
2008-05-01 17:27 205,938 ----a-w C:\WINDOWS\system32\drivers\Blackcat.sys
2008-05-01 14:25 --------- d-----w C:\Program Files\McAfee
2008-05-01 14:25 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\McAfee
2008-04-04 18:51 28,416 ----a-w C:\WINDOWS\system32\uxtuneup.dll
2008-04-04 15:57 316,928 ----a-w C:\WINDOWS\system32\SICLT32.EXE
2008-03-20 17:50 44,360 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-03-20 17:50 107,936 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.

((((((((((((((((((((((((((((( [email protected]_22.54.40.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 17:25:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 18:49:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-02-18 21:26:23 65,536 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\DesktopMgr.exe
+ 2008-06-15 04:47:12 65,536 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\DesktopMgr.exe
- 2008-02-18 21:26:23 26,694 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-15 04:47:12 26,694 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\NewShortcut60_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-18 21:26:23 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2008-06-15 04:47:12 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE_770DFD1204C24F4DA163D64FACCB5CBD.exe
- 2008-02-18 21:26:23 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2008-06-15 04:47:12 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE1_770DFD1204C24F4DA163D64FACCB5CBD.exe
- 2008-02-18 21:26:23 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2008-06-15 04:47:12 6,502 ----a-r C:\WINDOWS\Installer\{0725C68F-FD3A-4476-BDA0-C002C7FE307C}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2008-06-15 05:04:55 38,400 ----a-r C:\WINDOWS\Installer\{0D397393-9B50-4C52-84D5-77E344289F87}\RoxioCentral.exe
+ 2008-06-15 05:04:47 38,400 ----a-r C:\WINDOWS\Installer\{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}\RoxioCentral.exe
- 2008-02-03 02:30:16 38,400 ----a-r C:\WINDOWS\Installer\{2BE0C605-9BEC-434D-9FAE-931194E72414}\RoxioCentral.exe
+ 2008-06-11 18:53:54 38,400 ----a-r C:\WINDOWS\Installer\{2BE0C605-9BEC-434D-9FAE-931194E72414}\RoxioCentral.exe
- 2008-02-17 22:30:23 25,214 ----a-r C:\WINDOWS\Installer\{303379C9-8610-4CCF-AF37-C4BF8998C591}\NewShortcut24_8E832933A07340209FB8DBADC480B69B_1.exe
+ 2008-06-11 18:53:32 25,214 ----a-r C:\WINDOWS\Installer\{303379C9-8610-4CCF-AF37-C4BF8998C591}\NewShortcut24_8E832933A07340209FB8DBADC480B69B_1.exe
- 2008-02-17 22:30:23 3,638 ----a-r C:\WINDOWS\Installer\{303379C9-8610-4CCF-AF37-C4BF8998C591}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-11 18:53:32 3,638 ----a-r C:\WINDOWS\Installer\{303379C9-8610-4CCF-AF37-C4BF8998C591}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:05:27 38,400 ----a-r C:\WINDOWS\Installer\{619CDD8A-14B6-43A1-AB6C-0F4EE48CE048}\RoxioCentral.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\ARPPRODUCTICON.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\EmailWizardShortcut_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\MediaManager8.exe_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\NewShortcut23_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\NewShortcut33_8E832933A07340209FB8DBADC480B69B.exe
- 2007-07-11 15:45:42 3,638 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:04:35 3,638 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\NewShortcut38_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:04:35 25,214 ----a-r C:\WINDOWS\Installer\{66D171AA-670F-4309-9C74-5BA7F7DBA0B3}\NewShortcut4_8E832933A07340209FB8DBADC480B69B.exe
+ 2008-06-15 05:05:38 38,400 ----a-r C:\WINDOWS\Installer\{83FFCFC7-88C6-41C6-8752-958A45325C82}\RoxioCentral.exe
- 2007-07-11 15:46:00 38,400 ----a-r C:\WINDOWS\Installer\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}\RoxioCentral.exe
+ 2008-06-15 05:05:20 38,400 ----a-r C:\WINDOWS\Installer\{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}\RoxioCentral.exe
- 2008-02-17 22:22:54 69,632 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\DesktopMgr.exe
+ 2008-06-11 18:40:56 69,632 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\DesktopMgr.exe
- 2008-02-17 22:22:55 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut12_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-17 22:22:55 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut3_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-17 22:22:55 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut4_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-17 22:22:55 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut5_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-17 22:22:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:57 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut6_C6ABA3677F944B9FBB00F060701B0B5A.exe
- 2008-02-17 22:22:56 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:57 26,694 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\NewShortcut600_C6ABA3677F944B9FBB00F060701B0B5A.exe
+ 2008-06-11 18:40:57 6,502 ----a-r C:\WINDOWS\Installer\{D793A12F-E362-48BB-B332-1DA5E936B52D}\RedirectorEXE2_770DFD1204C24F4DA163D64FACCB5CBD.exe
+ 2007-02-02 07:00:00 9,336 ----a-w C:\WINDOWS\system32\drivers\cdr4_xp.sys
+ 2007-02-02 07:00:00 9,464 ----a-w C:\WINDOWS\system32\drivers\cdralw2k.sys
+ 2007-03-23 07:00:00 43,528 ----a-w C:\WINDOWS\system32\drivers\pxhelp20.sys
- 2007-01-18 15:24:58 26,496 ----a-r C:\WINDOWS\system32\drivers\RimSerial.sys
+ 2007-01-18 14:24:58 26,496 ----a-r C:\WINDOWS\system32\drivers\RimSerial.sys
- 2006-11-08 00:02:04 22,272 ----a-w C:\WINDOWS\system32\drivers\RimUsb.sys
+ 2006-11-07 23:02:04 22,272 ----a-w C:\WINDOWS\system32\drivers\RimUsb.sys
- 2007-05-01 21:48:34 68,344 ----a-w C:\WINDOWS\system32\drvins64.exe
+ 2007-05-01 20:48:34 68,344 ----a-w C:\WINDOWS\system32\drvins64.exe
- 2007-05-09 14:15:18 555,768 ----a-w C:\WINDOWS\system32\Px.dll
+ 2007-05-09 13:15:18 555,768 ----a-w C:\WINDOWS\system32\Px.dll
+ 2007-04-04 21:08:48 129,784 ----a-w C:\WINDOWS\system32\PxAFS.DLL
- 2007-05-01 21:48:40 66,296 ----a-w C:\WINDOWS\system32\pxcpya64.exe
+ 2007-05-01 20:48:40 66,296 ----a-w C:\WINDOWS\system32\pxcpya64.exe
- 2007-05-01 21:48:40 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
+ 2007-05-01 20:48:40 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
- 2007-06-07 06:02:00 535,288 ----a-w C:\WINDOWS\system32\pxdrv.dll
+ 2007-06-07 05:02:00 535,288 ----a-w C:\WINDOWS\system32\pxdrv.dll
- 2007-05-01 21:48:36 64,760 ----a-w C:\WINDOWS\system32\pxinsa64.exe
+ 2007-05-01 20:48:36 64,760 ----a-w C:\WINDOWS\system32\pxinsa64.exe
- 2007-05-01 21:48:38 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
+ 2007-05-01 20:48:38 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
- 2007-05-09 14:15:18 187,128 ----a-w C:\WINDOWS\system32\PxMas.dll
+ 2007-05-09 13:15:18 187,128 ----a-w C:\WINDOWS\system32\PxMas.dll
+ 2007-04-04 21:08:52 1,628,920 ----a-w C:\WINDOWS\system32\PxSFS.DLL
- 2007-05-09 14:15:22 379,640 ----a-w C:\WINDOWS\system32\PxWave.dll
+ 2007-05-09 13:15:22 379,640 ----a-w C:\WINDOWS\system32\PxWave.dll
- 2007-04-04 22:08:56 158,456 ----a-w C:\WINDOWS\system32\pxwma.dll
+ 2007-04-04 21:08:56 158,456 ----a-w C:\WINDOWS\system32\pxwma.dll
+ 2007-01-18 15:24:58 26,496 ----a-r C:\WINDOWS\system32\ReinstallBackups\0044\DriverFiles\RimSerial.sys
+ 2007-01-18 14:24:58 26,496 ----a-r C:\WINDOWS\system32\ReinstallBackups\0045\DriverFiles\RimSerial.sys
- 2007-03-26 06:00:00 88,824 ----a-w C:\WINDOWS\system32\vxblock.dll
+ 2007-03-26 05:00:00 88,824 ----a-w C:\WINDOWS\system32\vxblock.dll
+ 2008-06-15 05:01:30 82,432 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
- 2006-12-02 03:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2006-12-02 02:56:00 96,256 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
- 2006-12-02 03:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 02:54:32 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
- 2006-12-02 03:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 02:54:34 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
- 2006-12-02 03:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
+ 2006-12-02 02:54:32 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
- 2006-12-02 05:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-12-02 04:25:52 1,101,824 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
- 2006-12-02 05:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 04:25:56 1,093,120 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
- 2006-12-02 05:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 04:25:58 69,632 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
- 2006-12-02 05:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 04:26:00 57,856 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
- 2006-12-02 05:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 04:08:00 40,960 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
- 2006-12-02 05:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 04:08:00 45,056 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
- 2006-12-02 05:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 04:08:00 65,536 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
- 2006-12-02 05:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 04:08:00 57,344 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
- 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 04:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
- 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 04:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
- 2006-12-02 05:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 04:08:00 61,440 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
- 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 04:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
- 2006-12-02 05:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 04:08:00 49,152 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-12 09:03 2594224]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-04-22 14:17 154880]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl,,BluetoothAuthenticationAgent" []
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-14 17:07 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-14 17:08 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-04-16 11:24 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-04-16 11:22 970752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40 124656]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2007-11-08 15:38 136512]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe" [2008-02-08 20:08 32881]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 11:43 228088]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2005-11-30 04:51 3897040]

C:\Documents and Settings\FL\Start Menu\Programs\Startup\
Password Safe.lnk - C:\Program Files\Password Safe\pwsafe.exe [2007-11-25 16:28:36 1470464]
YPOPs.lnk - C:\Program Files\YPOPs\YPOPs.exe [2008-01-08 10:22:00 1331200]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-09-24 09:53:10 25214]
Proventia Desktop Agent.lnk - C:\Program Files\ISS\Proventia Desktop\blackice.exe [2008-05-07 20:30:50 2179072]
TunnelGuard Tray Monitor.lnk - C:\WINDOWS\Installer\{5650A422-0789-473F-B2C7-6C3D10CC9FFB}\Icon079d381e2.exe [2008-05-15 19:06:41 8192]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Communicator"="C:\Program Files\Microsoft Office Communicator\Communicator.vbs"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"j2 4.2"="C:\Program Files\j2 Messenger 4.2\J2GDllCmd.exe" /R
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Nortel Networks\\Extranet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"D:\\FLaburthe Documents\\My Docs - Perso\\My Software\\FTPServer.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamProxy.exe"=
"C:\\Program Files\\Neoteris\\Secure Application Manager\\dsSamUI.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Nortel\\IP Softphone 2050\\i2050.exe"=
"C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R1 Neofltr;Neoteris TDI Filter - Layered Version;C:\WINDOWS\system32\drivers\Neofltr.sys [2005-03-10 17:47]
R2 APSMDrv;Intranet Server Client Software Usage driver;C:\WINDOWS\system32\DRIVERS\APSMDrv.sys [2003-04-02 09:53]
R2 i2050QoSSvc;Nortel IP Softphone 2050 QoS;"C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe" [2007-12-24 17:36]
R2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [2008-03-09 11:20]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]
R2 VPatch;ISS Buffer Overflow Exploit Prevention;"C:\Program Files\ISS\Proventia Desktop\vpatch.exe" [2008-05-01 13:27]
R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys [2006-05-09 17:47]
R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
R3 MakoNT;MakoNT;C:\WINDOWS\system32\drivers\isskboep.sys [2008-05-01 13:27]
R3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2008-03-13 16:10]
R3 P1171VID;Creative WebCam Notebook #2;C:\WINDOWS\system32\DRIVERS\P1171Vid.sys [2004-03-19 01:00]
R3 rap;rap;C:\WINDOWS\system32\drivers\RapDrv.sys [2008-05-01 13:27]
R3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-03-13 16:10]
R4 black;black;C:\WINDOWS\system32\drivers\BlackCat.sys [2008-05-01 13:27]
S2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe [2007-04-13 03:50]
S3 APSINV;APSINV;C:\WINDOWS\system32\DRIVERS\APSINV.SYS [2004-11-10 20:07]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2007-07-11 01:11]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2007-07-11 01:11]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2007-07-11 01:11]
S3 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys [2006-05-09 17:46]
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-06-28 20:01]
S3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\system32\CCM\prepdrv.sys [2007-04-13 03:50]
S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2008-03-12 14:35]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-18 19:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-06-20 19:00:01 C:\WINDOWS\Tasks\Maintenance en 1 clic.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 15:32:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-20 15:37:55
ComboFix-quarantined-files.txt 2008-06-20 19:36:31
ComboFix2.txt 2008-06-08 02:56:17

Pre-Run: 3,126,182,912 bytes free
Post-Run: 3,221,542,400 bytes free

331 --- E O F --- 2008-04-21 18:30:46

MALWAREBYTES:

Malwarebytes' Anti-Malware 1.18
Database version: 872

4:00:00 PM 06/20/08
mbam-log-6-20-2008 (16-00-00).txt

Scan type: Quick Scan
Objects scanned: 44833
Time elapsed: 12 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:07:58 PM, on 06/20/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\APSmscan.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\Equant\Dialer\EACSvrMngr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SICLT32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myconnection..../DesktopServlet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {377f6841-9beb-5441-79a1-b373b8c19146} - (no file)
O2 - BHO: (no name) - {50470403-6df1-ab44-e20f-efe2395db6b7} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Proventia Desktop Agent.lnk = C:\Program Files\ISS\Proventia Desktop\blackice.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://fileade.equant.com
O15 - Trusted Zone: http://fileadeadmin.equant.com
O15 - Trusted Zone: http://fileadeadminatl.equant.com
O15 - Trusted Zone: http://fileadeadminbck.equant.com
O15 - Trusted Zone: http://fileadeadminete.equant.com
O15 - Trusted Zone: http://fileadeadminsyd.equant.com
O15 - Trusted Zone: http://fileadeatl.equant.com
O15 - Trusted Zone: http://fileadebck.equant.com
O15 - Trusted Zone: http://fileadeete.equant.com
O15 - Trusted Zone: http://fileadesyd.equant.com
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://70.84.*.*
O15 - Trusted IP range: http://81.9.3.*
O15 - Trusted IP range: http://81.95.*.*
O15 - Trusted IP range: http://82.179.*.*
O15 - Trusted IP range: http://216.195.*.*
O15 - Trusted IP range: http://209.160.73.132
O15 - Trusted IP range: http://202.71.102.101
O15 - Trusted IP range: http://195.225.*.*
O15 - Trusted IP range: http://205.177.*.*
O15 - Trusted IP range: http://205.188.*.*
O15 - Trusted IP range: http://216.239.*.*
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*
O15 - Trusted IP range: http://69.50.*.*
O16 - DPF: Netspoke AppShare 2006 - https://meeting2.pre...Share-6-7-4.cab
O16 - DPF: vzTCPConfig - http://www2.verizon....vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.teamspac...com.com/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://dico.equant.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184126714109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1184160059343
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://hrlv02.equant...iator/jinit.exe
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediaz...69/MZPlayer.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://orangebusine...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://esp.avaya.co...perSetupSP1.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intranet Server Client Software Usage (APSMScan) - Unknown owner - C:\WINDOWS\SYSTEM32\APSmscan.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Program Files\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Program Files\Equant\Dialer\EACSys.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 16259 bytes


LET ME KNOW HOW THIS LOOKS !!!

THANKS AGAIN

Franck.

Edited by Franck L., 20 June 2008 - 02:16 PM.


#8
BHowett (OT Moderator)
Hi Franck L,

Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

First:
*Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
*Choose Exit Spybot S&D Resident

Second:
*Open Spybot S&D
*Click Mode, check Advanced Mode
*Go To Left Panel, Click Tools, then also in left panel, click Resident
*If your firewall raises a question, say OK
*Uncheck the box labeled Resident Tea-Timer and OK any prompts.
*Use File, Exit to terminate Spybot
*Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings.

===============================================


Fix with HijackThis

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {377f6841-9beb-5441-79a1-b373b8c19146} - (no file)
O2 - BHO: (no name) - {50470403-6df1-ab44-e20f-efe2395db6b7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {994B5FB4-0103-44A6-B6B3-C73572B362BC} - (no file)
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://70.84.*.*
O15 - Trusted IP range: http://81.9.3.*
O15 - Trusted IP range: http://81.95.*.*
O15 - Trusted IP range: http://82.179.*.*
O15 - Trusted IP range: http://216.195.*.*
O15 - Trusted IP range: http://209.160.73.132
O15 - Trusted IP range: http://202.71.102.101
O15 - Trusted IP range: http://195.225.*.*
O15 - Trusted IP range: http://205.177.*.*
O15 - Trusted IP range: http://205.188.*.*
O15 - Trusted IP range: http://216.239.*.*
O15 - Trusted IP range: http://66.230.*.*
O15 - Trusted IP range: http://66.235.*.*
O15 - Trusted IP range: http://69.31.*.*


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

After that, Reboot, and post a new HijackThis log here in your reply, and let me know how your system is running.

===============================================


Update Java


Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
===============================================

ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Kaspersky WebScanner
Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================

Needed in your next reply:

Kaspersky WebScanner results
New HijackThis log

Also let me know how your system is running :) … are you still getting pop-ups or Ads by Adzgalore?
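The triage BHowett applies in the post above (remove the O2 BHO entries whose DLL is gone, remove every O15 "Trusted IP range", leave the named equant.com Trusted Zone hosts alone) can be written down as a rule set. The script below is an added example for this thread; it is not part of HijackThis, of any post here, or of any tool the helpers used. The allow-list domain (equant.com) is taken from the log; the host ads.example.test in the sample is made up to exercise the review path, and the sample lines are a constructed excerpt, not the full log.

```python
"""Triage a HijackThis log the way a helper does by hand.

Added example for this thread, not part of HijackThis or of any post
in it. It flags two patterns from the fix list above: O2 BHO entries
whose DLL is gone ("(no file)", a dead CLSID registration) and O15
"Trusted IP range" entries, which adware adds so its servers load in
IE's permissive Trusted sites zone. O15 Trusted Zone hosts outside an
allow-list of expected domains, and O16 ActiveX (DPF) entries with no
name and no source URL, are queued for review rather than removal.
"""
import re
from urllib.parse import urlparse

# CLSID in braces: 8-4-4-4-12 hex digits, either case.
_CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ORPHAN_BHO = re.compile(r"^O2 - BHO: .+ - " + _CLSID + r" - \(no file\)$")
TRUSTED_IP = re.compile(r"^O15 - Trusted IP range: (?P<url>\S+)$")
TRUSTED_ZONE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$")
EMPTY_DPF = re.compile(r"^O16 - DPF: " + _CLSID + r" -$")

# Constructed sample modelled on lines posted in this thread, plus one
# made-up Trusted Zone host (ads.example.test) to exercise the allow-list.
SAMPLE_LOG = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {377f6841-9beb-5441-79a1-b373b8c19146} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O15 - Trusted Zone: http://fileade.equant.com
O15 - Trusted Zone: http://ads.example.test
O15 - Trusted IP range: http://195.95.*.*
O15 - Trusted IP range: http://209.160.73.132
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} -
"""


def _host_allowed(url, allowed_domains):
    """True if the URL's host is one of allowed_domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def triage_hjt(log_text, allowed_domains=("equant.com",)):
    """Return {'fix': [...], 'review': [...]} for the HijackThis lines in log_text.

    allowed_domains: Trusted Zone hosts expected on this machine (here the
    corporate intranet domain whose entries the helper left in place).
    """
    fix, review = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if ORPHAN_BHO.match(line):
            fix.append(line)        # dead BHO registration: nothing legitimate needs it
        elif TRUSTED_IP.match(line):
            fix.append(line)        # users do not add IP-range trust entries; adware does
        elif (m := TRUSTED_ZONE.match(line)):
            if not _host_allowed(m["url"], allowed_domains):
                review.append(line) # unknown host granted Trusted-zone rights
        elif EMPTY_DPF.match(line):
            review.append(line)     # ActiveX control with no name and no source URL
    return {"fix": fix, "review": review}


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG)
    for bucket in ("fix", "review"):
        print(f"== {bucket} ({len(result[bucket])}) ==")
        for entry in result[bucket]:
            print("  " + entry)
```

Run it against a saved HijackThis log (`triage_hjt(open("hijackthis.log").read())`) and the "fix" list is what you would tick in HijackThis; the "review" list is what a helper would look up before deciding. Extend `allowed_domains` with whatever intranet hosts the machine's owner actually relies on, as the equant.com entries were here.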

#9
Franck L. (Topic Starter)
Hello and again, thanks so much for your time.

I did what you asked for - well, mostly. For my job, I need to configure Nortel appliances that require Java 1.4.2, so I cannot upgrade yet; also, Kaspersky requires Java 1.5 or higher, so I could not do that either. Did all the rest and here is my latest HJT report.

My system has been AdsGalore free now for a few days - thanks to you !!

LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:11 PM, on 06/22/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\APSmscan.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISS\Proventia Desktop\blackd.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ISS\Proventia Desktop\blackice.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Nortel Networks\TunnelGuard\platforms\win32\TGIconApp.EXE
C:\Program Files\Password Safe\pwsafe.exe
C:\Program Files\YPOPs\YPOPs.exe
C:\Program Files\Equant\Dialer\EACSvrMngr.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\Proventia Desktop\RapApp.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\SICLT32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
C:\Program Files\ISS\Proventia Desktop\vpatch.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ISS\Proventia Desktop\RapUISvc.exe
C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myconnection..../DesktopServlet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_17\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Proventia Desktop Agent.lnk = C:\Program Files\ISS\Proventia Desktop\blackice.exe
O4 - Global Startup: TunnelGuard Tray Monitor.lnk = ?
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://fileade.equant.com
O15 - Trusted Zone: http://fileadeadmin.equant.com
O15 - Trusted Zone: http://fileadeadminatl.equant.com
O15 - Trusted Zone: http://fileadeadminbck.equant.com
O15 - Trusted Zone: http://fileadeadminete.equant.com
O15 - Trusted Zone: http://fileadeadminsyd.equant.com
O15 - Trusted Zone: http://fileadeatl.equant.com
O15 - Trusted Zone: http://fileadebck.equant.com
O15 - Trusted Zone: http://fileadeete.equant.com
O15 - Trusted Zone: http://fileadesyd.equant.com
O16 - DPF: Netspoke AppShare 2006 - https://meeting2.pre...Share-6-7-4.cab
O16 - DPF: vzTCPConfig - http://www2.verizon....vzTCPConfig.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://www.teamspac...com.com/qp2.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - http://dico.equant.com/iNotes.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1184126714109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1184160059343
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://hrlv02.equant...iator/jinit.exe
O16 - DPF: {B69B0694-EB7C-4468-B572-B781062A1EF2} (KooPlayer Control) - http://static.mediaz...69/MZPlayer.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://orangebusine...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://esp.avaya.co...perSetupSP1.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Intranet Server Client Software Usage (APSMScan) - Unknown owner - C:\WINDOWS\SYSTEM32\APSmscan.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: (Equant Access Companion) Services Manager (EACSvrMngr) - Equant - C:\Program Files\Equant\Dialer\EACSvrMngr.exe
O23 - Service: (Equant Access Companion) Devices and Services Monitoring (EACSys) - Equant - C:\Program Files\Equant\Dialer\EACSys.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Nortel IP Softphone 2050 QoS (i2050QoSSvc) - Nortel - C:\Program Files\Nortel\IP Softphone 2050\i2050QosSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\Orange Business Services\Corporate V6 trial\iPassPeriodicUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\RapApp.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Intranet Server Client (SicltNT) - Apsynet - C:\WINDOWS\SYSTEM32\SICLT32.EXE
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Nortel Networks TunnelGuard (tunnelguardservice) - Alexandria Software Consulting - C:\Program Files\Nortel Networks\TunnelGuard\CueAgent_srv.exe
O23 - Service: ISS Buffer Overflow Exploit Prevention (VPatch) - Internet Security Systems, Inc. - C:\Program Files\ISS\Proventia Desktop\vpatch.exe

--
End of file - 15174 bytes
  • 0

#10
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts

I did what you asked for - well, mostly. For my job, I need to configure Nortel appliances that require Java 1.4.2, so I cannot upgrade yet; also, Kaspersky requires Java 1.5 or higher, so I could not do that either.


Is this a business computer or your personal computer? Also, just so you know: older versions of Java have vulnerabilities that malicious sites can use to infect your system, so you might want to test a little and see if you can configure Nortel appliances with the most updated version installed, just to help you stay safe.

You're looking pretty clean, but I would really like to use an online scanner just to make sure, so let's try Panda.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

  • 0


#11
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#12
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Re-opened, user returned.
  • 0

#13
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Please post your logs, and let me know how your system is running :)
  • 0

#14
Franck L.

Franck L.

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi and thank you!

My system is running OK; as far as Ads by Adzgalore goes, there are no more instances of that.

Here is the log from Panda's Active Scan:

;**********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-27 23:02:28
PROTECTIONS: 2
MALWARE: 19
SUSPECTS: 0
;**********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;==================================================================================================================================================================================
ISS Proventia 9.0.226.2075 9.0.226.2075 Yes No
Symantec AntiVirus Corporate Edition 10.1.4.4000 Yes Yes
;==================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;==================================================================================================================================================================================
00029422 W32/Mytob.EB.worm Virus/Worm No 1 Yes No C:\Documents and Settings\FL\Local Settings\Application Data\Microsoft\Windows Live Mail\Yahoo (flab 2c1\Inbox\72232DC4-00000758.eml[INFO.zip][INFO.txt .scr]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\FL\Cookies\[email protected][2].txt
00288208 Application/HideWindow.S HackTools No 0 No No C:\Documents and Settings\FL\Desktop\UMG BEW\MsiBep_UMG_2008-02-29.msi[unk_0040][cmdow.exe]
00288208 Application/HideWindow.S HackTools No 0 No No C:\Documents and Settings\FL\MsiBep_UMG.msi[unk_0040][cmdow.exe]
01176994 Bck/VB.XB Virus/Trojan No 0 No No D:\FLaburthe Documents\geeks to go folder\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
02918165 Adware/DollarRevenue Adware No 1 Yes No C:\HJT\backups\backup-20080620-151659-851.dll
02983811 Adware/BHO Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nsi43B.dll.vir
02983811 Adware/BHO Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nsl67.dll.vir
02983811 Adware/BHO Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nsw8E.dll.vir
02983811 Adware/BHO Adware No 0 Yes No C:\QooBox\Quarantine\C\WINDOWS\system32\nsi266.dll.vir
02983811 Adware/BHO Adware No 0 Yes No C:\HJT\backups\backup-20080620-151658-225.dll
;==================================================================================================================================================================================
SUSPECTS
Sent Location
;==================================================================================================================================================================================
;==================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;==================================================================================================================================================================================
;==================================================================================================================================================================================
  • 0

#15
BHowett

BHowett

    OT Moderator

  • Moderator
  • 4,642 posts
Hi Franck L.

Thanks a lot for coming back and finishing up :) Looks good except for this: C:\Documents and Settings\FL\Local Settings\Application Data\Microsoft\Windows Live Mail\Yahoo (flab 2c1\Inbox\72232DC4-00000758.eml[INFO.zip][INFO.txt .scr]. It looks like an email in your inbox; just delete it, then empty your deleted items.

Let's do a little clean-up...

ComboFix Removal
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the U; it needs to be there.

===============================================

Reset your restore points

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


===============================================



This is my standard post for when you are clear - which you now are - or seem to be. Please advise me of any problems you still have.

I know you already have some of these items, but I still like to share them in case you ever need them, or want to change them.


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1.) Watch what you download!
Many freeware programs, and P2P programs like Grokster, iMesh and Kazaa (among the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.

2.) Go to Internet Explorer > Tools > Windows Update > Product Updates, and install ALL High-Priority Security Updates listed. If you're running Windows XP, that of course includes Service Pack 2! If you suspect your computer is infected with malware of any type, we advise you not to install SP2 if you don't already have it. You can post a HijackThis log on our Forums to get free Expert help cleaning your machine. Once you are sure you have a clean system, it is highly recommended to install SP2 to help prevent against future infections.

It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

3.) Open Internet Explorer and go to Internet Options > Security > Internet, then press "Default Level", then OK. Now press "Custom Level." In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option > Security.

So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

4.) Install Javacool's SpywareBlaster

It will protect you from most spy/foistware in its database by blocking installation of their ActiveX objects.

Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer). Press "Enable All Protection", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so.
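An added example, not part of BHowett's post, that audits the two hardening measures from steps 3 and 4 from PowerShell instead of through the dialogs: it reads the Internet zone's ActiveX policy values and checks whether a given CLSID carries the kill bit that SpywareBlaster sets. It assumes the documented IE registry meanings (zone 3 is the Internet zone; policy ids 1001, 1004 and 1201; the 0x400 "Compatibility Flags" kill bit), and the CLSID in the usage line is the Sun Java Console id from the HijackThis log above, used only as an illustration.

```powershell
# Added example (not from the original post): audit the IE Internet zone ActiveX
# settings from step 3 and the ActiveX kill bit from step 4. Read-only unless
# Set-ActiveXZoneHardening is called. Zone 3 is the Internet zone; the policy ids
# and flag value below are the documented IE registry meanings (assumed, see lead-in).
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy id -> setting name and the value step 3 asks for (0 Enable, 1 Prompt, 3 Disable)
$Wanted = @{
    1001 = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    1004 = @{ Name = 'Download unsigned ActiveX controls';                        Value = 1 }
    1201 = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXZoneAudit {
    # Report each policy value in the zone key and whether it matches the wanted value.
    [CmdletBinding()]
    param([string]$Path = $ZoneKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in ($Wanted.Keys | Sort-Object)) {
        $prop = $props.PSObject.Properties[[string]$id]   # registry value names are the ids as strings
        $cur  = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        [pscustomobject]@{
            Id        = $id
            Setting   = $Wanted[$id].Name
            Current   = if ($null -ne $cur -and $Labels.ContainsKey($cur)) { $Labels[$cur] } else { "unset/raw:$cur" }
            Wanted    = $Labels[$Wanted[$id].Value]
            Compliant = ($cur -eq $Wanted[$id].Value)
        }
    }
}

function Set-ActiveXZoneHardening {
    # Write the wanted values for the current user; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $ZoneKey)
    foreach ($id in $Wanted.Keys) {
        $target = $Wanted[$id].Value
        if ($PSCmdlet.ShouldProcess("$Path -> $id", "set to $($Labels[$target])")) {
            Set-ItemProperty -Path $Path -Name ([string]$id) -Value $target -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    # True when the control's Compatibility Flags carry the 0x400 kill bit, the
    # mechanism SpywareBlaster uses so IE refuses to load that CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band 0x400)
}

Get-ActiveXZoneAudit | Format-Table -AutoSize
# Illustration only: the Sun Java Console CLSID from the HijackThis log above.
Test-ActiveXKillBit -Clsid '{08B0E5C0-4FCB-11CF-AAA5-00401C608501}'
```

Run `Set-ActiveXZoneHardening -WhatIf` first to see what would change before writing anything.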

5.) Let's also not forget that Spybot Search & Destroy has the Immunize feature which works roughly the same way. Another feature within Spybot is the TeaTimer option. This option immediately detects known malicious processes wanting to start and terminates them. TeaTimer also detects when something wants to change some critical registry keys and gives you an option to allow them or not.

6.) Microsoft now offers their own free malicious software blocking tool. Windows Defender improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC.

7.) Another excellent program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

8.) IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.

*It is important to note that all of the above programs/files can be run simultaneously on your system. They will work together in layers, so to speak, to help protect your computer. However, the following suggestions are designed to only run one of each. It is not a good idea to run more than one firewall, and one anti-virus program. Running more than one of these at a time can cause system crashes, high system usage and/or conflicts with each other.*

9.) It is critical that you use a firewall to protect your computer from hackers. We don't recommend the firewall that comes built in to Windows. It doesn't block everything that may try to get in, and the entire firewall is written to the registry. As various kinds of malware hack the Registry in order to disable the Windows firewall, it's far preferable to install one of the excellent third party solutions. Three good ones that are freeware to boot are ZoneAlarm, Kerio and Sygate.

10.) An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible. Some very good and easy-to-use free A/V programs are AVG, Avast, and AntiVir. It's a good idea to set these to receive automatic updates so you are always as fully protected as possible from the newest virus threats.

NOTE: DO NOT install more than one anti-virus program. They will conflict, and provide less protection, not more.


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0