Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help! WinFixer Popups (VX2)

Started by al.motion , Sep 28 2005 08:26 AM

  • Please log in to reply

#1
al.motion
Posted 28 September 2005 - 08:26 AM

al.motion

    Member

  • Member
  • PipPip
  • 20 posts
Please help!!! I am being bombarded with winfixer popups. I guess i have some variant of VX2 going. Below is the log file from HijackThis. I have already tried Trend Micro, Ad-Aware, SpyBot, XoftSoy to no avail. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:22:13 AM, on 9/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\apps\ugs\TCVISL~1\Lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\apps\ugs\TCVISL~1\vpdaemon05.exe
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
c:\program files\mobile automation\rstate.exe
C:\Program Files\tmosce\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\tmosce\OfcPfwSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\TEMP\JBAC04.EXE
C:\apps\oracle\ora92\BIN\TNSLSNR.exe
C:\Program Files\Apoint\Apoint.exe
c:\apps\oracle\ora92\bin\ORACLE.EXE
C:\Program Files\tmosce\pccntmon.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
c:\apps\oracle\ora92\bin\ORACLE.EXE
C:\apps\Winamp\winampa.exe
C:\apps\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\MOBILE~1\rstate.exe
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINNT\system32\MSTask.exe
C:\apps\TCPROJ\bin\Wrapper.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe
C:\Program Files\tmosce\tmlisten.exe
C:\apps\TCENT\4_1\server\ootb\install\mtid.exe
C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\uglmd.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\apps\TCPROJ\bin\java\bin\java.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\apps\Winamp\Winamp.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\system32\cmd.exe
C:\apps\TCENT\4_1\server\ootb\bin\muxd.exe
C:\apps\TCENT\4_1\server\ootb\bin\dspserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\mloader.exe
C:\apps\TCENT\4_1\server\ootb\bin\lamserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\mserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\uidserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\nlsserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\objserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\rserv.exe
C:\apps\TCENT\4_1\server\ootb\bin\msqlora.exe
C:\apps\jsdk1_4_1\bin\java.exe
C:\apps\Deskanker 1.5\deskanker.exe
C:\apps\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\essah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = svnsfp06:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\rqoop.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\tmosce\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RealVNC Setup] C:\WINNT\SYSTEM32\fmenass.exe
O4 - HKLM\..\Run: [ICQMsn] C:\WINNT\SYSTEM32\cbfks.exe
O4 - HKLM\..\Run: [msnplus] C:\WINNT\SYSTEM32\nnbbf.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] **"c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"
O4 - HKLM\..\Run: [WinampAgent] **c:\apps\winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] **c:\apps\zone labs\zonealarm\zlclient.exe
O4 - HKLM\..\Run: [Mobile Automation Agent] **c:\progra~1\mobile~1\rstate.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O16 - DPF: CCWebV6Client - http://sunpdm7/ccweb...s/ccwebv6cl.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ugsuniv.ugs.c...cab/awswaxd.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124827686565
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37320.cab
O16 - DPF: {8B4067F6-E530-4312-9FC6-970D3FADE6A8} (OSSCtrl Class) - http://localhost/KDK...s/OSSPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ugs.com
O20 - Winlogon Notify: rqoop - C:\WINNT\system32\rqoop.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EDS TcVis License Server - Macrovision Corporation - C:\apps\ugs\TCVISL~1\Lmgrd.exe
O23 - Service: kodakdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_kodakdb\kodakdb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: mackdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
O23 - Service: Mobile Automation Agent (MobileAutmationAgentService) - Mobile Automation, Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\tmosce\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\tmosce\OfcPfwSvc.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\apps\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\apps\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMSGLOG - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCENG - Oracle Corporation - C:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCENT - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCPROJ - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: qvpdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe
O23 - Service: Teamcenter Project Server (TCP JDOT Server) - Unknown owner - C:\apps\TCPROJ\bin\Wrapper.exe
O23 - Service: Teamcenter Flex Manager - Macrovision Corporation - C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\tmosce\tmlisten.exe
O23 - Service: Teamcenter Project Tomcat Server (Tomcat5) - Apache Software Foundation - C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
  • 0

Advertisements

#2
tampabelle
Posted 28 September 2005 - 12:51 PM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINNT\system32\rqoop.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINNT\system32\pooqr.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINNT\system32\rqoop.dll
    O20 - Winlogon Notify: rqoop - C:\WINNT\system32\rqoop.dll
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#3
al.motion
Posted 28 September 2005 - 08:09 PM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks ... I performed all the specified procedures and listed below are the requested log files. The system is already showing signs of improvement. ActiveScan found no viruses/spyware etc.

Detected Disinfected
Virus 0 0
Spyware 0 0
Hacking Tools 0 0
Dialers 0 0
Security Risks 0 0
Suspicious files 0 0



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 192 'smss.exe'
Threads [188][196][200][204][152][208]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 520 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 212 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.



Logfile of HijackThis v1.99.1
Scan saved at 9:57:04 PM, on 9/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\apps\ugs\TCVISL~1\Lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\apps\ugs\TCVISL~1\vpdaemon05.exe
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
c:\program files\mobile automation\rstate.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\tmosce\pccntmon.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\tmosce\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\tmosce\OfcPfwSvc.exe
C:\apps\oracle\ora92\bin\agntsrvc.exe
C:\apps\oracle\ora92\BIN\TNSLSNR.exe
C:\WINNT\system32\cmd.exe
C:\apps\oracle\ora92\bin\dbsnmp.exe
c:\apps\oracle\ora92\bin\ORACLE.EXE
c:\apps\oracle\ora92\bin\ORACLE.EXE
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\TEMP\FXE83B.EXE
C:\apps\TCPROJ\bin\Wrapper.exe
C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe
C:\Program Files\tmosce\tmlisten.exe
C:\apps\TCENT\4_1\server\ootb\install\mtid.exe
C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\uglmd.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\apps\TCPROJ\bin\java\bin\java.exe
C:\WINNT\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\apps\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\essah\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = svnsfp06:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\tmosce\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [RealVNC Setup] C:\WINNT\SYSTEM32\fmenass.exe
O4 - HKLM\..\Run: [ICQMsn] C:\WINNT\SYSTEM32\cbfks.exe
O4 - HKLM\..\Run: [msnplus] C:\WINNT\SYSTEM32\nnbbf.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] **"c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"
O4 - HKLM\..\Run: [WinampAgent] **c:\apps\winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] **c:\apps\zone labs\zonealarm\zlclient.exe
O4 - HKLM\..\Run: [Mobile Automation Agent] **c:\progra~1\mobile~1\rstate.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O16 - DPF: CCWebV6Client - http://sunpdm7/ccweb...s/ccwebv6cl.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ugsuniv.ugs.c...cab/awswaxd.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124827686565
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37320.cab
O16 - DPF: {8B4067F6-E530-4312-9FC6-970D3FADE6A8} (OSSCtrl Class) - http://localhost/KDK...s/OSSPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ugs.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EDS TcVis License Server - Macrovision Corporation - C:\apps\ugs\TCVISL~1\Lmgrd.exe
O23 - Service: kodakdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_kodakdb\kodakdb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: mackdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
O23 - Service: Mobile Automation Agent (MobileAutmationAgentService) - Mobile Automation, Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\tmosce\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\tmosce\OfcPfwSvc.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\apps\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\apps\oracle\ora92\BIN\TNSLSNR.exe
O23 - Service: OracleServiceMSGLOG - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCENG - Oracle Corporation - C:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCENT - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: OracleServiceTCPROJ - Oracle Corporation - c:\apps\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: qvpdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe
O23 - Service: Teamcenter Project Server (TCP JDOT Server) - Unknown owner - C:\apps\TCPROJ\bin\Wrapper.exe
O23 - Service: Teamcenter Flex Manager - Macrovision Corporation - C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\tmosce\tmlisten.exe
O23 - Service: Teamcenter Project Tomcat Server (Tomcat5) - Apache Software Foundation - C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINNT\System32\wltrysvc.exe
  • 0

#4
tampabelle
Posted 29 September 2005 - 10:39 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.


2. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O4 - HKLM\..\Run: [RealVNC Setup] C:\WINNT\SYSTEM32\fmenass.exe
O4 - HKLM\..\Run: [ICQMsn] C:\WINNT\SYSTEM32\cbfks.exe
O4 - HKLM\..\Run: [msnplus] C:\WINNT\SYSTEM32\nnbbf.exe

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following files -

Files
C:\WINNT\SYSTEM32\fmenass.exe
C:\WINNT\SYSTEM32\cbfks.exe
C:\WINNT\SYSTEM32\nnbbf.exe

Run Ewido full scan. Let it fix any items it finds.

Run CleanUp and delete all temp files including temporary internet files

Reboot the PC in Normal Mode.

Run Hijack This and post a fresh HJT log along with Ewido scan report.

Edited by tampabelle, 29 September 2005 - 10:40 AM.

  • 0

#5
al.motion
Posted 29 September 2005 - 08:12 PM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Once again thanks.
I could not locate the file
c:\winnt\system32\nnbbf.exe
The files fmenass.exe and cbfks.exe showed up ad fmenass.vir and cbfks.vir respectively. I deleted both. Below are the logs you requested.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:50:52 PM, 9/29/2005
+ Report-Checksum: 540AE0C4

+ Scan result:

:mozilla.8:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.18:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.19:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.20:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.21:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.22:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.23:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.24:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.25:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.26:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.34:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.35:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.36:C:\Documents and Settings\smith\Application Data\Mozilla\Profiles\Victor.Smith\wpbj8ams.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.6:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.7:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.8:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.9:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.10:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.11:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.12:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.13:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.14:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.15:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.16:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.17:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.18:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.25:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.31:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.47:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.49:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.50:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.65:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.66:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.68:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.126:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.128:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.131:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.138:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.139:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.141:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.142:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.143:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.144:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.263:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.267:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.272:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.273:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.284:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.X10 : Cleaned with backup
:mozilla.286:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.291:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.292:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.293:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.294:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.321:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.352:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.353:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.354:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.355:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.356:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.386:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.387:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.388:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.389:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.390:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.391:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.410:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.411:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pro-market : Cleaned with backup
:mozilla.414:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.429:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.470:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.471:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.475:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.476:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.489:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.490:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Sitestat : Cleaned with backup
:mozilla.498:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.499:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.510:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.518:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.557:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.558:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.559:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.562:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.563:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.564:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.565:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.566:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.567:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.568:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.571:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.572:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.574:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.578:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.579:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.580:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.585:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.586:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.588:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.596:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.613:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.616:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.621:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.641:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.642:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.643:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.644:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.647:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.648:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.649:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.650:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.651:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.652:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.653:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.655:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.661:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.663:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.664:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.666:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.667:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.676:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.677:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.678:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.680:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Excite : Cleaned with backup
:mozilla.683:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.687:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.690:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.692:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.711:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.715:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.720:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.721:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.722:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.723:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.750:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.760:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.761:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.767:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.768:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.771:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.778:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.781:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.807:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.816:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.817:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.818:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.819:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.823:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.832:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.833:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.834:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.836:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.838:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.839:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.841:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.848:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.850:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.858:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.859:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.860:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.861:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.868:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.869:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.870:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.871:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.872:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.873:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.874:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.875:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.876:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.877:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.878:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.879:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.880:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.881:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.882:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.883:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.884:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.885:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.886:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.896:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.901:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.903:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.904:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.906:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.907:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.908:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.909:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.910:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.911:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.916:C:\Documents and Settings\smith\Application Data\Netscape\NSB\Profiles\nuycs7bu.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\smith\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\smith\Cookies\smith@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\smith\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\smith\winnt21.exe/WINNT\shost.exe -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\dat32.dll -> Backdoor.Subot.a : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 10:05:24 PM, on 9/29/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\apps\ugs\TCVISL~1\Lmgrd.exe
C:\WINNT\System32\svchost.exe
C:\apps\ewido\security suite\ewidoctrl.exe
C:\apps\ugs\TCVISL~1\vpdaemon05.exe
C:\apps\ewido\security suite\ewidoguard.exe
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
c:\program files\mobile automation\rstate.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\tmosce\pccntmon.exe
C:\WINNT\system32\carpserv.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\tmosce\ntrtscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\tmosce\OfcPfwSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\apps\oracle\ora92\bin\agntsrvc.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\apps\oracle\ora92\BIN\TNSLSNR.exe
C:\WINNT\system32\cmd.exe
C:\apps\oracle\ora92\bin\dbsnmp.exe
C:\WINNT\TEMP\RY4CCE.EXE
c:\apps\oracle\ora92\bin\ORACLE.EXE
c:\apps\oracle\ora92\bin\ORACLE.EXE
C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\apps\TCPROJ\bin\Wrapper.exe
C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe
C:\Program Files\tmosce\tmlisten.exe
C:\apps\TCENT\4_1\server\ootb\install\mtid.exe
C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\apps\ugs\License Servers\UGNXFLEXlm\uglmd.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\apps\TCPROJ\bin\java\bin\java.exe
C:\apps\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\smith\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.../winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape...nsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.../winsearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = svnsfp06:80
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\tmosce\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] **"c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"
O4 - HKLM\..\Run: [WinampAgent] **c:\apps\winamp\winampa.exe
O4 - HKLM\..\Run: [Zone Labs Client] **c:\apps\zone labs\zonealarm\zlclient.exe
O4 - HKLM\..\Run: [Mobile Automation Agent] **c:\progra~1\mobile~1\rstate.exe /logon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Picture to Mobile Phone - C:\Program Files\Pix2Fone\p2fd.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload Picture - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O9 - Extra 'Tools' menuitem: Upload Picture to Mobile Phone - {A2F93841-DEAB-0392-4958-BA333CF05732} - C:\Program Files\Pix2Fone\p2fup.html (HKCU)
O16 - DPF: CCWebV6Client - http://sunpdm7/ccweb...s/ccwebv6cl.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {15B782AF-55D8-11D1-B477-006097098764} (Macromedia Authorware Web Player Control) - http://ugsuniv.ugs.c...cab/awswaxd.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://vapwcc.ops.pl...quicksilver.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124827686565
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37320.cab
O16 - DPF: {8B4067F6-E530-4312-9FC6-970D3FADE6A8} (OSSCtrl Class) - http://localhost/KDK...s/OSSPlugin.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.plm.eds.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ugs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ugs.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EDS TcVis License Server - Macrovision Corporation - C:\apps\ugs\TCVISL~1\Lmgrd.exe
O23 - Service: ewido security suite control - ewido networks - C:\apps\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\apps\ewido\security suite\ewidoguard.exe
O23 - Service: kodakdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_kodakdb\kodakdb.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: mackdb - Unknown owner - C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe
O23 - Service: Mobile Automation Agent (MobileAutmationAgentService) - Mobile Automation, Inc. - c:\program files\mobile automation\rstate.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\tmosce\ntrtscan.exe
O23 - Service: NVIDIA Display Dr

Edited by al.motion, 29 September 2005 - 08:14 PM.

  • 0

#6
tampabelle
Posted 30 September 2005 - 07:36 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
How is your PC behaving now ????
  • 0

#7
al.motion
Posted 30 September 2005 - 07:45 AM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
The winfixer popups are gone. The PC is running faster. The only thing i am worried about is this randomly generated exe file that is created in my temp folder anytime i log in. I have a scheduled task that runs at startup to clean my temp files, but this exe file gets regenerated. I know it is the same file being given different names because the time stamp is always the same. I think it is some variant of VX2. What do you think?
Thanks
  • 0

#8
tampabelle
Posted 30 September 2005 - 08:08 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi,

Can you give me some examples of the names of such files ???

Also why do you think its the VX2 infection ??

Ewido scan didnt find any such file !!!
  • 0

#9
al.motion
Posted 30 September 2005 - 08:12 AM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
The current exe is SGBD35.EXE. I have no reason for thinking it is VX2, but based on the fact that it keeps regenerating itself and i can't associate it with any installed programs i am a bit worried.
Thanks again
  • 0

#10
tampabelle
Posted 30 September 2005 - 08:14 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please upload the exe file here - http://virusscan.jotti.org/ - and get the file scanned.

Please post back the scan results.
  • 0

Advertisements

#11
al.motion
Posted 30 September 2005 - 08:31 AM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here are the results from the online scan ... Found nothing

File: SGBD35.EXE
Status: OK
MD5 3f39881820bdd7bdb842af37224daedc
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing


I forgot to tell you that XoftSpy scanner by ParetoLogic flagged this file as VX2 ... See attachment

Attached Thumbnails

  • XoftSpy.gif

Edited by al.motion, 30 September 2005 - 08:35 AM.

  • 0

#12
tampabelle
Posted 30 September 2005 - 11:28 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip

Unzip it to the desktop and double-click on it.

If you get any kind of warning message about scripts, please choose to allow the script to run.

When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

Please post the entire contents of this logfile for me to see.
  • 0

#13
al.motion
Posted 30 September 2005 - 11:36 AM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks ... Here you go


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"OfficeScanNT Monitor" = ""C:\Program Files\tmosce\pccntmon.exe" -HideWindow" ["Trend Micro Inc."]
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"PRPCMonitor" = "PRPCUI.exe" ["Intel Corporation"]
"CreateCD50" = ""C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r" ["Roxio"]
"AdaptecDirectCD" = "**"c:\program files\roxio\easy cd creator 5\directcd\directcd.exe"" [file not found]
"service" = (empty string)
"WinampAgent" = "**c:\apps\winamp\winampa.exe" [file not found]
"Zone Labs Client" = "**c:\apps\zone labs\zonealarm\zlclient.exe" [file not found]
"Mobile Automation Agent" = "**c:\progra~1\mobile~1\rstate.exe /logon" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = "AcroIEToolbarHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{764BF0E1-F219-11ce-972D-00AA00A14F56}" = "Shell extensions for file compression"
-> {CLSID}\InProcServer32\(Default) = "shcompui.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{DCED20BE-3645-11D4-BC95-00C04F0E0588}" = "InoShell"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{2F25CF20-C569-11D1-B94C-00608CB45480}" = "TextPad"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}" = "iSQL*Plus Servers"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\isqlext.dll" ["Oracle Corporation"]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\apps\Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\apps\Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\apps\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! ScCertProp\DLLName = "wlnotify.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\apps\ewido\security suite\context.dll" ["ewido networks"]
ExplorerCompressionMenu\(Default) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}"
-> {CLSID}\InProcServer32\(Default) = "shcompui.dll" [file not found]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
TextPad\(Default) = "{2F25CF20-C569-11D1-B94C-00608CB45480}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TextPad 4\System\shellext.dll" ["Helios Software Solutions"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\apps\ewido\security suite\context.dll" ["ewido networks"]
ExplorerCompressionMenu\(Default) = "{764BF0E1-F219-11ce-972D-00AA00A14F56}"
-> {CLSID}\InProcServer32\(Default) = "shcompui.dll" [file not found]
InoShell\(Default) = "{DCED20BE-3645-11D4-BC95-00C04F0E0588}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\CA\eTrust Antivirus\InoShell.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\system32\ssflwbox.scr" [MS]


Startup items in "smith" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]
"Picture Package Menu" -> shortcut to: "C:\apps\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe" ["Sony Corporation"]
"Picture Package VCD Maker" -> shortcut to: "C:\apps\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe -h" ["Sony Corporation."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 14 - 15


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{A2F93841-DEAB-0392-4958-BA333CF05732}\
"ButtonText" = "Upload Picture"
"MenuText" = "Upload Picture to Mobile Phone"
"Script" = "C:\Program Files\Pix2Fone\p2fup.html" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
"MenuText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

EDS TcVis License Server, EDS TcVis License Server, "C:\apps\ugs\TCVISL~1\Lmgrd.exe" ["Macrovision Corporation"]
ewido security suite control, ewido security suite control, "C:\apps\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\apps\ewido\security suite\ewidoguard.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
mackdb, mackdb, ""C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_mackdb\mackdb.exe"" [null data]
Mobile Automation Agent, MobileAutmationAgentService, "c:\program files\mobile automation\rstate.exe" ["Mobile Automation, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
OfficeScanNT Listener, tmlisten, "C:\Program Files\tmosce\tmlisten.exe" ["Trend Micro Inc."]
OfficeScanNT Personal Firewall, OfcPfwSvc, "C:\Program Files\tmosce\OfcPfwSvc.exe" ["Trend Micro Inc."]
OfficeScanNT RealTime Scan, ntrtscan, "C:\Program Files\tmosce\ntrtscan.exe" ["Trend Micro Inc."]
OracleOraHome92Agent, OracleOraHome92Agent, "C:\apps\oracle\ora92\bin\agntsrvc.exe" ["Oracle Corporation"]
OracleOraHome92TNSListener, OracleOraHome92TNSListener, "C:\apps\oracle\ora92\BIN\TNSLSNR " [null data]
OracleServiceTCENT, OracleServiceTCENT, "c:\apps\oracle\ora92\bin\ORACLE.EXE TCENT" ["Oracle Corporation"]
OracleServiceTCPROJ, OracleServiceTCPROJ, "c:\apps\oracle\ora92\bin\ORACLE.EXE TCPROJ" ["Oracle Corporation"]
qvpdb, qvpdb, ""C:\apps\TCENT\4_1\server\ootb\autonomy\DRE_QVPDB\QVPDB.exe"" [null data]
Teamcenter Flex Manager, Teamcenter Flex Manager, "C:\apps\TCENT\4_1\server\ootb\config\lmgrd.exe" ["Macrovision Corporation"]
Teamcenter Project Server, TCP JDOT Server, "C:\apps\TCPROJ\bin\Wrapper.exe -s C:\apps\TCPROJ\conf\wrapper.conf" [null data]
Teamcenter Project Tomcat Server, Tomcat5, "C:\apps\TCPROJ\bin\tomcat\bin\tomcat5.exe //RS//Tomcat5" ["Apache Software Foundation"]
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Unigraphics License Server (uglmd), Unigraphics License Server (uglmd), "C:\apps\ugs\License Servers\UGNXFLEXlm\lmgrd.exe" ["Macrovision Corporation"]
WLTRYSVC, WLTRYSVC, "C:\WINNT\System32\wltrysvc.exe C:\WINNT\System32\bcmwltry.exe" [null data]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 36 seconds, including 18 seconds for message boxes)
  • 0

#14
tampabelle
Posted 30 September 2005 - 11:57 AM

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
  • Download finditnt2000xp.zip.
  • Unzip the contents of finditnt2000xp.zip to a convenient location.
  • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
  • A command prompt will open and it will search your computer for malicious files.
  • Once it has finished a Notepad window will pop up with output.txt.
  • Copy the entire contents of output.txt into your next post.
  • Download VX2Finder.
  • Double-click on VX2Finder.exe.
  • Click on "Click to find VX2.BetterInternet"
  • Click on "Make log".
  • Copy the entire contents of log file into your next post.

  • 0

#15
al.motion
Posted 30 September 2005 - 12:11 PM

al.motion

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Once again thanks ... Here you go


Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\smith\Desktop\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38C5-ABBA

Directory of C:\WINNT\System32

09/19/2005 10:41p 26,125 rqoom.dll
09/19/2005 10:38p 80 529D3DD81A.dll
08/23/2005 04:46p <DIR> dllcache
2 File(s) 26,205 bytes
1 Dir(s) 24,299,192,320 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 38C5-ABBA

Directory of C:\WINNT\System32

09/30/2005 09:07a 31,762 vsconfig.xml
09/24/2005 10:46a 4,212 zllictbl.dat
09/19/2005 10:41p 26,125 rqoom.dll
09/19/2005 10:38p 80 529D3DD81A.dll
08/23/2005 04:46p <DIR> dllcache
08/15/2003 11:13a <DIR> GroupPolicy
08/15/2003 11:07a 21,692 folder.htt
08/15/2003 11:07a 271 desktop.ini
6 File(s) 84,142 bytes
2 Dir(s) 24,299,192,320 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 38C5-ABBA

Directory of C:\WINNT\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 38C5-ABBA

Directory of C:\WINNT\System32

09/28/2005 04:07p 97 mcrh.tmp
12/12/2002 04:14a 284,160 SET20.tmp
12/12/2002 04:14a 355,328 SET3A.tmp
12/07/1999 08:00a 2,577 CONFIG.TMP
4 File(s) 642,162 bytes
0 Dir(s) 24,299,192,320 bytes free

------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


------------- Locate.com Results -------------

C:\WINNT\SYSTEM32\
529d3d~1.dll Mon Sep 19 2005 10:38:30p ..SHR 80 0.08 K
rqoom.dll Mon Sep 19 2005 10:41:28p ..SH. 26,125 25.51 K
vsconfig.xml Fri Sep 30 2005 9:07:10a A..H. 31,762 31.02 K
zllictbl.dat Sat Sep 24 2005 10:46:02a ...H. 4,212 4.11 K

4 items found: 4 files, 0 directories.
Total of file sizes: 62,179 bytes 60.72 K

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------

C:\WINNT\system32\MRT.exe: (ASPack)
C:\WINNT\system32\MRT.exe: (AsPack2k)
C:\WINNT\system32\MRT.exe: (ASPack 1.00b)
C:\WINNT\system32\MRT.exe: (ASPack 2.1)
C:\WINNT\system32\MRT.exe: (ASPack 2.12)
C:\WINNT\system32\MRT.exe: (ASPack 2.11)
C:\WINNT\system32\MRT.exe: (ASPack 2.000)
C:\WINNT\system32\MRT.exe: (ASPack 2.001)
C:\WINNT\system32\MRT.exe: (ASPack 2.11x)
C:\WINNT\system32\MRT.exe: ASPack2000
C:\WINNT\system32\MRT.exe: ASPack 1.61
C:\WINNT\system32\MRT.exe: ASPack 1.084
C:\WINNT\system32\MRT.exe: ASPack 1.083
C:\WINNT\system32\MRT.exe: ASPack 1.08.02b
C:\WINNT\system32\MRT.exe: ASPack 1.07b
C:\WINNT\system32\MRT.exe: ASPack 1.05b
C:\WINNT\system32\MRT.exe: ASPack 1.02
C:\WINNT\system32\MRT.exe: ASPACK

-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"OfficeScanNT Monitor"="\"C:\\Program Files\\tmosce\\pccntmon.exe\" -HideWindow"
"CARPService"="carpserv.exe"
"PRPCMonitor"="PRPCUI.exe"
"CreateCD50"="\"C:\\Program Files\\Common Files\\Adaptec Shared\\CreateCD\\CreateCD50.exe\" -r"
"AdaptecDirectCD"="**\"c:\\program files\\roxio\\easy cd creator 5\\directcd\\directcd.exe\""
"service"=""
"WinampAgent"="**c:\\apps\\winamp\\winampa.exe"
"Zone Labs Client"="**c:\\apps\\zone labs\\zonealarm\\zlclient.exe"
"Mobile Automation Agent"="**c:\\progra~1\\mobile~1\\rstate.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"






Log for VX2.BetterInternet File Finder (ALL)

Files Found---

Additional Files---

Keys Under Notify---
crypt32chain
cryptnet
cscdll
ScCertProp
sclgntfy
SensLogn
wzcnotif


Guardian Key--- is called:

Guardian Key--- :

User Agent String---
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP