winfixer got me [RESOLVED]


  • This topic is locked

#1
gary oa
  • Member
  • 12 posts
I hope I'm putting this in the right place. I posted somewhere about 4 hours ago and it seems there's a lot of folks with the same problem already getting help so I guess I may have put it in the wrong place. Sorry.

I'd give it a shot myself following the instructions for others but it seems the instructions are different for everyone. :tazz:

Anyway,

FWIW, IE crashed when trying to post this. It's getting really bad.

Tried Microsoft's spyware since they say the new version "may" take care of it. Didn't even sniff it.

BUT, getting into safe mode is hairy as well. The system restore option panel flashes on screen for a half second, then nothing but a blank screen with the "safe mode" in the four corners. No nothing. Had to CAD to get to the task manager and get to the MS spyware prog that way.

So, essentially, this thing is getting worse by the minute.

Logfile below. Hope you can help!

Logfile of HijackThis v1.99.1
Scan saved at 10:07:36 AM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\Explorer.EXE
D:\GRISOF~1\avgamsvr.exe
D:\GRISOF~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winpix\Winpix.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\GRISOF~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\GRISOF~1\avgemc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
D:\MAILWASHER\MailWasher Pro\MailWasher.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Powerdesk\PDExplo.exe
C:\Program Files\WinRAR\WinRAR.exe
D:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://gbp.net/gmo/"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5CNetscape%207%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsoft Money\System\mnyside.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ssttr.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winpix] C:\Program Files\Winpix\Winpix.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\GRISOF~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\GRISOF~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [Anders Kjersem: TransBar] D:\TransBar\TransBar.exe /NoConfig
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\aol IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: cpcScanner - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000un...mCity3TeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128000616250
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.3DAppHook.dll
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\GRISOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\GRISOF~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Rpcibvc - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\ssttr.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* When asked for a second path, enter -> C:\WINDOWS\system32\rttss.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5CNetscape%207%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ssttr.dll
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O23 - Service: Rpcibvc - Unknown owner - (no file)


* After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
* Pressing any key will cause a 'Blue Screen of Death' this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp! http://www.greyknigh...spy/CleanUp.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click 'Options...'
Move the arrow down to 'Custom CleanUp!'
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK. Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.

Then, please run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
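The lines greyknight17 picks out above follow a few recognisable rules: the same DLL registered both as an O2 browser helper object and as an O20 Winlogon Notify package, an O16 DPF entry with no name and no download URL, an O23 service with an unknown owner and no file on disk, and an N3 default-search-engine pref pointing at a local plugin file rather than a web address. The second VundoFix path (rttss.*) is simply the DLL stem ssttr reversed. As an added example (not code from this thread, HijackThis or VundoFix), the Python script below applies those rules to an HJT log and derives the reversed-stem pattern. The sample log is a constructed excerpt reusing line shapes from the log above, and the function and class names are my own.

```python
"""Triage of a HijackThis (HJT) log for the entry patterns flagged in this thread.
Added example; not code from Geeks to Go, HijackThis or VundoFix.
SAMPLE_LOG is a constructed excerpt reusing line shapes from the thread."""
import re
from dataclasses import dataclass

# Constructed excerpt: a few entries in the shapes seen in the log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://g%3A%5CNetscape%207%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\ssttr.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: ssttr - C:\WINDOWS\system32\ssttr.dll
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Rpcibvc - Unknown owner - (no file)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HJT section tag, e.g. "O20"
    reason: str
    target: str   # file path or URL the entry points at ("" if none)
    line: str     # the original log line


# "<tag> - <rest>": every HJT entry line starts with a section tag.
ENTRY_RE = re.compile(r"^(?P<tag>[RNOF]\d{1,2}) - (?P<rest>.*)$")


def basename(path: str) -> str:
    """Last component of a Windows path (os.path will not split on '\\' on POSIX)."""
    return path.rsplit("\\", 1)[-1]


def parse(log_text: str):
    """Yield (tag, fields, line) for each entry; fields are the ' - ' separated parts.
    A trailing ' -' (entry with nothing after the dash) yields an empty last field."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        fields = [f.strip() for f in re.split(r" - | -$", m.group("rest"))]
        yield m.group("tag"), fields, line


def triage(log_text: str) -> list:
    """Return the entries a helper would ask to have fixed, with the reason for each."""
    entries = list(parse(log_text))
    findings = []
    # Winlogon Notify packages are DLLs winlogon.exe loads before any user session exists.
    notify = {basename(f[-1]).lower(): (f[-1], line)
              for tag, f, line in entries
              if tag == "O20" and f[0].startswith("Winlogon Notify:")}
    for tag, fields, line in entries:
        target = fields[-1]
        name = basename(target).lower()
        if tag == "O2" and name in notify:
            # One DLL acting as both BHO and Winlogon Notify package: the pairing this thread removes.
            findings.append(Finding("O2", "BHO DLL is also a Winlogon Notify package", target, line))
            findings.append(Finding("O20", "Winlogon Notify package shared with a BHO", *notify[name]))
        elif tag == "O16" and target == "":
            findings.append(Finding("O16", "ActiveX download entry with no name and no source URL", target, line))
        elif tag == "O23" and "Unknown owner" in fields and target == "(no file)":
            findings.append(Finding("O23", "service with unknown owner whose binary is missing", "", line))
        elif tag == "N3" and "browser.search.defaultengine" in line and "engine://" in line:
            findings.append(Finding("N3", "default search engine replaced by a local plugin file", "", line))
    return findings


def companion_patterns(findings) -> list:
    """The second VundoFix path in this thread is the DLL stem reversed (ssttr -> rttss.*);
    derive that glob for every Winlogon Notify finding so the companion file can be checked for."""
    pats = set()
    for f in findings:
        if f.section == "O20" and f.target:
            stem = basename(f.target).rsplit(".", 1)[0]
            pats.add(stem[::-1] + ".*")
    return sorted(pats)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("companion files to look for:", companion_patterns(found))
```

Run against the sample, the script flags exactly the five entries greyknight17 lists and prints rttss.* as the companion pattern; the Acrobat BHO and the HP service, which share the same line shapes, pass untouched because neither matches a rule. The rules are a starting point for triage, not a verdict: a flagged entry still needs a human to confirm what the file is before it is removed.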

#3
gary oa
  • Topic Starter
  • Member
  • 12 posts
Thanks a million, GreyKnight. :tazz:

But I seem to have run into a problem. When I got done with vundo it said there was a problem with vundo and couldn't open HJT and just rebooted.
Here's another log file, but I'm guessing I still have a problem. I'm assuming I need to fix in hijack in safe mode but couldn't do it.
Logfile of HijackThis v1.99.1
Scan saved at 2:30:07 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winpix\Winpix.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\GRISOF~1\avgcc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\GRISOF~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\GRISOF~1\avgamsvr.exe
C:\WINDOWS\system32\CTHELPER.EXE
D:\GRISOF~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\WINDOWS\System32\svchost.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://gbp.net/gmo/"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsoft Money\System\mnyside.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winpix] C:\Program Files\Winpix\Winpix.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\GRISOF~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\GRISOF~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [Anders Kjersem: TransBar] D:\TransBar\TransBar.exe /NoConfig
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\aol IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: cpcScanner - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000un...mCity3TeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128000616250
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.3DAppHook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\GRISOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\GRISOF~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Rpcibvc - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Did you fix anything in HijackThis though? Looks like it's gone :tazz:

See if you can find these and delete them:

C:\WINDOWS\system32\ssttr.dll
C:\WINDOWS\system32\rttss - look for any files that begin with rttss and delete them


Unless you know what this is for, fix it in HijackThis:

O23 - Service: Rpcibvc - Unknown owner - (no file)

If any of the above are giving you problems, try doing them in Safe Mode.

#5
gary oa
  • Topic Starter
  • Member
  • 12 posts
> Did you fix anything in HijackThis though? Looks like it's gone :)
>
> See if you can find these and delete them:
>
> C:\WINDOWS\system32\ssttr.dll
> C:\WINDOWS\system32\rttss - look for any files that begin with rttss and delete them
>
> Unless you know what this is for, fix it in HijackThis:
>
> O23 - Service: Rpcibvc - Unknown owner - (no file)
>
> If any of the above are giving you problems, try doing them in Safe Mode.

Nope, they're all gone but I was wondering if I screwed something up since I dumped them in windows, not safe mode.

Seems a lot more stable now. At least I can post here (knock on wood) without the browser screwing up. Sorry for all the posts I made, btw, but I kept getting a 404 and never realized it posted once. This is one weird virus.

At any rate, I should run the cleanup now and the panda scan? I wasn't sure it was safe to do so since I got the error. And since I've been up now for over 30 hours my eyes are beginning to bleed and I'm not too coherent. :tazz:

#6
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Yes, run CleanUp and the Panda scan. Sometimes these fixes don't always work as we post them since each user's machine may have a different reaction depending on what else is on the machine.

....get some shut-eye for now. We'll defeat this beast once you get your rest :tazz:

#7
gary oa
  • Topic Starter
  • Member
  • 12 posts
> Yes, run CleanUp and the Panda scan. Sometimes these fixes don't always work as we post them since each user's machine may have a different reaction depending on what else is on the machine.
>
> ....get some shut-eye for now. We'll defeat this beast once you get your rest :)

Yeah I noticed this one was odd. As I said (unless I was dreaming and that's a good possibility) I don't usually need help with stuff like this but with all the posts here and virtually no two alike I was kind of snowed on this one.

I think I'll take you up on the rest. :tazz: I'd run the cleanup but I don't know if I'll handle waiting 90 hours for a full system scan from panda.

I'll post the results when I'm done and thanks again.

I'm also considering not taking this advice anymore....

Care and feeding

L8r

#8
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
> I'm also considering not taking this advice anymore....
>
> Care and feeding

:tazz: I hope not. Run CleanUp first to clear out any temp files and then run Panda...sleep while it's running :)

#9
gary oa
  • Topic Starter
  • Member
  • 12 posts
Ok, I got a few z's so I'm almost coherent. :tazz:


yawn...



ACTIVE SCAN...

Incident Status Location

Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0000199.~]
Virus:W32/Netsky.AE.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0000584.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0000600.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:W32/Netsky.B.dam.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[nomoney.txt.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0001283.~]
Virus:W32/Netsky.AE.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0001587.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0001607.~]
Virus:W32/Netsky.P.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0001777.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0002200.~]
Virus:W32/Netsky.AE.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0002269.~]
Virus:W32/Netsky.P.worm Renamed C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0002619.~]
Virus:W32/Netsky.AE.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003005.~]
Virus:Trj/Citifraud.A Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003531.~]
Virus:VBS/Bagle.Q Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003648.~][your_file.pif]
Virus:VBS/Bagle.Q Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003649.~][your_file.pif]
Virus:W32/Netsky.B.dam.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[ranking.pif]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003724.~]
Virus:Exploit/iFrame Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[~0003846.~]
Virus:W32/Netsky.AE.worm Renamed C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:W32/Bagle.AH.worm Disinfected C:\Documents and Settings\GMO\Application Data\MailWasherPro\Training archive - legitimate.mbox[Doll.cpl]
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\awvvv.dll
Virus:W32/Bagle.pwdzip Disinfected E:\Eudora\Attach\Secret.zip
Virus:W97M/Marker.AO Disinfected E:\pmail\garyoa1\FOL0594B.PMM[National Day- invitation1.doc]
Virus:W97M/Class.D Disinfected E:\pmail\garyoa1\FOL06633.PMM[M Sebek Consulting operating CTF.doc]
Virus:W97M/Class.D Disinfected E:\pmail\garyoa1\FOL06633.PMM[Construction Trade Fair Program - letter to Can. Government.doc]
Virus:W97M/Class.D Disinfected E:\pmail\garyoa1\FOL06633.PMM[Preliminary.doc]
Virus:W97M/Class.D Disinfected E:\pmail\garyoa1\FOL06633.PMM[Text of Gateway Spring 99.doc]
Virus:W97M/Class.D Disinfected E:\pmail\garyoa1\FOL06633.PMM[Text of Canadian Gateway.doc]

Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0000199.~]
Virus:W32/Netsky.AE.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0000584.~]
Virus:W32/Netsky.P.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0000600.~]
Virus:W32/Netsky.P.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:W32/Netsky.B.dam.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[nomoney.txt.pif]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0001283.~]
Virus:W32/Netsky.AE.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0001587.~]
Virus:W32/Netsky.P.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0001607.~]
Virus:W32/Netsky.P.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Trj/Citifraud.A Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0001777.~]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0002200.~]
Virus:W32/Netsky.AE.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0002269.~]
Virus:W32/Netsky.P.worm Renamed H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0002619.~]
Virus:W32/Netsky.AE.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003005.~]
Virus:Trj/Citifraud.A Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003531.~]
Virus:VBS/Bagle.Q Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003648.~][your_file.pif]
Virus:VBS/Bagle.Q Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003649.~][your_file.pif]
Virus:W32/Netsky.B.dam.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[ranking.pif]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003724.~]
Virus:Exploit/iFrame Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[~0003846.~]
Virus:W32/Netsky.AE.worm Renamed H:\1-backup gmo 2004\MailWasherPro\Training archive - junk.mbox[message.scr]
Virus:W32/Bagle.AH.worm Disinfected H:\1-backup gmo 2004\MailWasherPro\Training archive - legitimate.mbox[Doll.cpl]
Virus:W97M/Marker.AO Disinfected H:\PEG BACKUP\garyoa1\FOL0594B.PMM[National Day- invitation1.doc]
Virus:W97M/Class.D Disinfected H:\PEG BACKUP\garyoa1\FOL06633.PMM[M Sebek Consulting operating CTF.doc]
Virus:W97M/Class.D Disinfected H:\PEG BACKUP\garyoa1\FOL06633.PMM[Construction Trade Fair Program - letter to Can. Government.doc]
Virus:W97M/Class.D Disinfected H:\PEG BACKUP\garyoa1\FOL06633.PMM[Preliminary.doc]
Virus:W97M/Class.D Disinfected H:\PEG BACKUP\garyoa1\FOL06633.PMM[Text of Gateway Spring 99.doc]
Virus:W97M/Class.D Disinfected H:\PEG BACKUP\garyoa1\FOL06633.PMM[Text of Canadian Gateway.doc]
=======================================

HIJACK


Logfile of HijackThis v1.99.1
Scan saved at 2:04:19 AM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
D:\GRISOF~1\avgcc.exe
D:\GRISOF~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
D:\GRISOF~1\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\GRISOF~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\WINDOWS\system32\rundll32.exe
D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\WINDOWS\system32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\FireFox Browser\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\MAILWASHER\MailWasher Pro\MailWasher.exe
E:\pmail\winpm-32.exe
E:\Eudora\Eudora.exe
C:\Documents and Settings\GMO\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://gbp.net/gmo/"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\GMO\Application Data\Mozilla\Profiles\default\c0z4qou8.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsoft Money\System\mnyside.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winpix] C:\Program Files\Winpix\Winpix.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\GRISOF~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\GRISOF~1\avgemc.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] D:\hp [bleep]ing [bleep] printer\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKCU\..\Run: [Anders Kjersem: TransBar] D:\TransBar\TransBar.exe /NoConfig
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\espmain.exe
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\aol IM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - D:\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: cpcScanner - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000un...mCity3TeleX.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128000616250
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15016/CTPID.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.3DAppHook.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\GRISOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\GRISOF~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: Rpcibvc - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

=======================================

VUNDOFIX



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 264 'smss.exe'
Threads [268][272][276]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 340 'winlogon.exe'
Killing PID 340 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
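An added example, not part of the thread or of any tool posted in it: a small Python script that applies a few of the checks a helper reads a HijackThis log for before declaring it clean. The rules are this example's own review heuristics (O23 services whose binary is missing or whose owner is unknown, any O20 AppInit_DLLs entry, O2 BHOs with no display name, O4 Run entries that carry no path); they flag lines for manual review and are not verdicts. Most of the entries flagged in the sample are legitimate, as greyknight17 concluded for this log. The sample input is constructed from lines in the log above.

```python
import re
from typing import NamedTuple, Optional

# Generic HijackThis line: "<section> - <rest>", e.g. "O23 - Service: ..."
LINE_RE = re.compile(r"^(O\d+|R\d|N\d|F\d)\s+-\s+(.*)$")
# O4 Run-key entry: "HKLM\..\Run: [name] command"
O4_RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 service entry: "Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.+)$")
# O2 BHO entry: "BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^BHO:\s+(?P<name>.+?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<path>.+)$")


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply this example's review heuristics (assumed, not HijackThis's own) to one line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    section, rest = m.groups()
    if section == "O23":
        svc = O23_RE.match(rest)
        if svc and svc.group("path").strip() == "(no file)":
            return Finding(section, "service points at a binary that no longer exists", line)
        if svc and svc.group("owner") == "Unknown owner":
            return Finding(section, "service binary carries no company/version information", line)
    elif section == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll,
        # so any entry here deserves a look even when it turns out to be legitimate.
        return Finding(section, "AppInit_DLLs entry injects this DLL into every user32 process", line)
    elif section == "O2":
        bho = O2_RE.match(rest)
        if bho and bho.group("name") == "(no name)":
            return Finding(section, "browser helper object registered without a display name", line)
    elif section == "O4":
        run = O4_RUN_RE.match(rest)
        if run:
            cmd = run.group("cmd").strip().strip('"')
            if cmd and "\\" not in cmd:
                return Finding(section, "autorun command has no path; it is resolved via the search path at logon", line)
    return None


def triage_log(text: str) -> list:
    """Return every flagged line of a HijackThis log, in log order."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


def summarize(findings) -> dict:
    """Count flagged entries per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - D:\Microsoft Money\System\mnyside.dll
O4 - HKLM\..\Run: [Winpix] C:\Program Files\Winpix\Winpix.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.3DAppHook.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Rpcibvc - Unknown owner - (no file)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Each flagged line still needs a human decision: the Matrox AppInit hook and the ATI service in the sample are vendor software, while the Rpcibvc entry with "(no file)" is the kind of orphaned service left behind after a removal.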

#10
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Good job :tazz:

I hope that cleared things up now :)

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#11
gary oa (Member, Topic Starter, 12 posts)
Hasn't run like this in ages. :) (I bought you a couple of beers) You guys are amazing! :tazz:

#12
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.