Winfix [RESOLVED]

This topic is locked
#1
moon_eyes (Member, 11 posts)
Winfix pop-up has taken over my computer. Also, there is something else strange coming up when I shut my computer down: Dr. Watson's Postmortem Debugger. I didn't install this!

Here is my Hijack This log, and thank you in advance!

Logfile of HijackThis v1.99.1
Scan saved at 4:08:02 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Allison71\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: SQL Server.lnk = C:\MSSQL7\Binn\scm.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://samsar.qti.ne...eX/TegoLoad.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.arcountydata.com/wfica.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://nwa.mlxchange...ectComboBox.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v11/ticker.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://nwa.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://nwa.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by moon_eyes, 05 December 2005 - 02:47 PM.

#2
andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi, moon_eyes
Welcome to Geeks to go :)

Sorry about the delay in replying to your post; the forums have been very busy lately. As it's been a few days since your original post, please could you post a new HJT log for me to see.

If you have resolved your issues, please let us know.

Andy :tazz:

Edited by andydf, 05 December 2005 - 03:21 PM.


#3
moon_eyes (Topic Starter, Member, 11 posts)
Andy-

Thanks for your help!

Here is my new Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 4:27:07 PM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Allison71\Desktop\Al Computer help\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://samsar.qti.ne...eX/TegoLoad.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.arcountydata.com/wfica.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://nwa.mlxchange...ectComboBox.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v11/ticker.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://nwa.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://nwa.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4
andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi moon eyes

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\byvvw.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\wvvyb.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll
    O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll
  • After you have fixed these items, close HijackThis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the VundoFix folder into this topic.

Andy :tazz:
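The fix above rests on two things that are visible in the logs: the same DLL (byvvw.dll) is registered both as an Internet Explorer BHO (O2) and as a Winlogon Notify package (O20), so it is loaded by winlogon.exe at boot and has to be removed from Safe Mode; and VundoFix is given a second path whose name is the first one spelled backwards (wvvyb.*). The Python script below is an added example, not part of this thread and not code from HijackThis or VundoFix. It parses HijackThis O2/O20 lines, flags any DLL that appears in both, derives the reversed-name companion path, prints the two paths VundoFix asks for and the two HijackThis lines to "Fix checked", and reports whether the entries are already orphaned ("(file missing)", as in the log posted after the fix). The sample log lines are constructed from entries in this thread, and the "one DLL as both BHO and Winlogon Notify" rule is this example's own heuristic, not a HijackThis feature.

```python
import ntpath
import re

# Constructed sample lines modelled on the logs posted in this thread.
# LOG_BEFORE mirrors the first logs (DLL present); LOG_AFTER mirrors the
# "(file missing)" entries HijackThis reported once VundoFix had deleted the
# DLL but the registry references were still there.
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LOG_AFTER = r"""
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll (file missing)
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll (file missing)
"""

# HijackThis 1.99.x line shapes for the two sections we care about. The
# CLSID in braces anchors the O2 parse, so " - " inside a path (as in
# "Spybot - Search & Destroy") does not confuse it.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def parse_hjt(log):
    """Return (bhos, notifies): the O2 and O20 entries of a HijackThis log as dicts."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"], "path": m["path"],
                         "missing": m["missing"] is not None})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": m["path"],
                             "missing": m["missing"] is not None})
    return bhos, notifies


def find_vundo_candidates(log):
    """Flag every DLL registered both as an IE BHO (O2) and as a Winlogon Notify
    package (O20). Ordinary software has no reason to do both; the Vundo DLL in
    this thread does, which is what keeps it loaded outside Internet Explorer."""
    bhos, notifies = parse_hjt(log)
    notify_by_path = {n["path"].lower(): n for n in notifies}
    findings = []
    for b in bhos:
        n = notify_by_path.get(b["path"].lower())
        if n is None:
            continue
        stem, _ext = ntpath.splitext(ntpath.basename(b["path"]))
        findings.append({
            "dll": b["path"],
            "name": b["name"],
            "clsid": b["clsid"],
            "notify_key": n["key"],
            # The companion file VundoFix asks for is the DLL's name spelled
            # backwards (byvvw -> wvvyb), as in the fix instructions above.
            "reversed_stem": stem[::-1],
            # True once the file is gone but the registry references remain.
            "orphaned": b["missing"] or n["missing"],
        })
    return findings


def vundofix_paths(finding):
    """The two paths VundoFix prompts for: the DLL and its reversed-name companion."""
    directory = ntpath.dirname(finding["dll"])
    return (finding["dll"], ntpath.join(directory, finding["reversed_stem"] + ".*"))


def hijackthis_lines_to_fix(finding):
    """The O2/O20 lines to tick in HijackThis so the orphaned references go away."""
    return [
        f"O2 - BHO: {finding['name']} - {{{finding['clsid']}}} - {finding['dll']}",
        f"O20 - Winlogon Notify: {finding['notify_key']} - {finding['dll']}",
    ]


if __name__ == "__main__":
    for log_name, log in (("before fix", LOG_BEFORE), ("after fix", LOG_AFTER)):
        for f in find_vundo_candidates(log):
            state = "orphaned entries" if f["orphaned"] else "file present"
            print(f"[{log_name}] suspect DLL: {f['dll']} ({state})")
            print("  VundoFix paths:", *vundofix_paths(f))
            for line in hijackthis_lines_to_fix(f):
                print("  fix checked:", line)
```

Run it as-is to see the report for the constructed sample, or pass the text of a saved hijackthis.log to `find_vundo_candidates`. The reversed-name rule only reflects the variant seen in this thread; other Vundo variants use other companion names, so an empty result means "nothing matched this pattern", not "clean".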

#5
moon_eyes (Topic Starter, Member, 11 posts)
Andy-

Here are my results. I hope that I did this properly! Thanks again for all of your help!

Logfile of HijackThis v1.99.1
Scan saved at 4:16:14 PM, on 12/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\HPZinw12.exe
C:\Documents and Settings\Allison71\Desktop\Al Computer help\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://samsar.qti.ne...eX/TegoLoad.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.arcountydata.com/wfica.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://nwa.mlxchange...ontrol/SISC.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://nwa.mlxchange...ectComboBox.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v11/ticker.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://nwa.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://nwa.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Incident Status Location

Spyware:spyware/virtumonde Not disinfected Windows Registry

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\byvvw.dll

The second filepath entered was C:\WINDOWS\system32\wvvyb.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 124 'smss.exe'

Killing PID 788 'explorer.exe'
Killing PID 788 'explorer.exe'
Killing PID 788 'explorer.exe'
Killing PID 788 'explorer.exe'


Killing PID 200 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\byvvw.dll Deleted sucessfully.
C:\WINDOWS\system32\wvvyb.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

#6
andydf
    Visiting Staff
  • Visiting Consultant
  • 1,660 posts
Hi moon eyes

Need to see the ActiveScan log as well :)

Andy :tazz:

#7
moon_eyes
    Member
  • Topic Starter
  • 11 posts
Andy-

How do I make ActiveScan continue when it finds a virus? I posted what it found. Thank you again, you are wonderful! :tazz:

#8
moon_eyes
    Member
  • Topic Starter
  • 11 posts
I figured it out. Here is the Active Scan report:

Also, I haven't opened any of those worm e-mails, just deleted them.



Incident Status Location

Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqqr.dll
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\*DETECTED* Online User Violation\account-report.zip[account-report.doc .scr]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Important Notification\email-details.zip[email-details.htm .scr]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Security measures\important-details.zip[important-details.htm .pif]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Your Account is Suspended For Security Reasons\account-report.zip[account-report.htm .scr]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Your password has been successfully updated\accepted-password.zip[accepted-password.txt .exe]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Your password has been successfully updated\updated-password.zip[updated-password.htm .pif]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\*DETECTED* Online User Violation\document.zip[document.txt .scr]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Your new account password is approved\updated-password.zip[updated-password.txt .pif]
Virus:W32/Mytob.EG.worm Not disinfected Personal Folders\Deleted Items\*WARNING* Your Email Account Will Be Closed\dpl.zip[dpl.txt .pif]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_IP_was_logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list120.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list188.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You_visit_illegal_websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_IP_was_logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_IP_was_logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris_Hilton_&_Nicole_Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list744.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp_mail_failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris_Hilton_&_Nicole_Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list411.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You_visit_illegal_websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You_visit_illegal_websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You_visit_illegal_websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail_delivery_failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\You visit illegal websites\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris_Hilton_&_Nicole_Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp_mail_failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list196.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi,_ive_a_new_mail_address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_IP_was_logged\list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration_Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\question_list.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your IP was logged\list293.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\hi, ive a new mail address\mailtext.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp mail failed\mail.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\smtp_mail_failed\mail.zip[File-packed_dataInfo.exe]
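Almost everything in the report above is a mail-worm attachment sitting in the Outlook Deleted Items folder, and every one is "Not disinfected": an online scanner can read inside a PST but does not rewrite it, so the items stay until the folder is emptied. The Mytob names also show the classic decoy-extension trick ("account-report.doc .scr": a harmless-looking extension, padding, then the extension Windows actually runs). The parser below is an added example for this thread, not Panda's code or anything posted by the participants; the report text it reads is a constructed sample copied from a few lines of the log, and the status values and extension lists are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the Panda ActiveScan report posted above:
# "<kind>:<name> <status> <location>", where a mailbox hit is written as
# "<PST folder>\<mail subject>\<archive>[<file inside the archive>]".
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ssqqr.dll
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\*DETECTED* Online User Violation\account-report.zip[account-report.doc .scr]
Virus:W32/Mytob.JE.worm Not disinfected Personal Folders\Deleted Items\Your password has been successfully updated\accepted-password.zip[accepted-password.txt .exe]
Virus:W32/Mytob.EG.worm Not disinfected Personal Folders\Deleted Items\*WARNING* Your Email Account Will Be Closed\dpl.zip[dpl.txt .pif]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Mail delivery failed\mail_body.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm Not disinfected Personal Folders\Deleted Items\Your_Password\reg_pass.zip[File-packed_dataInfo.exe]
"""

# Assumed report grammar: the kinds and status strings are the ones seen in this thread.
LINE_RE = re.compile(
    r"^(?P<kind>Spyware|Virus|Adware|Hacktool):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)
ARCHIVE_RE = re.compile(r"^(?P<archive>.+?)\[(?P<inner>[^\]]+)\]$")
# "report.doc .scr": a decoy extension, whitespace padding, then the extension that runs.
DOUBLE_EXT_RE = re.compile(r"\.(?P<decoy>[A-Za-z0-9]{1,5})\s+\.(?P<real>[A-Za-z0-9]{1,4})$")
EXEC_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}


@dataclass
class Incident:
    kind: str
    name: str
    status: str
    location: str
    archive: Optional[str]  # container file, if the hit was inside one
    inner: Optional[str]    # file inside the container, if any

    @property
    def payload(self) -> str:
        """The file that would actually execute: the archive member if there is one."""
        return self.inner if self.inner is not None else self.location

    def real_extension(self) -> Optional[str]:
        """Extension Windows uses to pick the handler: the last one, padding ignored."""
        if "." not in self.payload:
            return None
        return self.payload.rsplit(".", 1)[1].strip().lower()

    def decoy_extension(self) -> Optional[str]:
        """Decoy extension if the payload uses the 'name.doc   .scr' trick, else None."""
        m = DOUBLE_EXT_RE.search(self.payload)
        if m and m.group("real").lower() in EXEC_EXTS:
            return m.group("decoy").lower()
        return None


def parse_report(text: str) -> list[Incident]:
    incidents = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank line, or a line from another tool's output
        location = m.group("location")
        a = ARCHIVE_RE.match(location)
        incidents.append(Incident(
            kind=m.group("kind"), name=m.group("name"), status=m.group("status"),
            location=location,
            archive=a.group("archive") if a else None,
            inner=a.group("inner") if a else None,
        ))
    return incidents


def summarise(incidents: list[Incident]) -> dict:
    """The counts a responder wants before deciding what to clean and where."""
    executables = [i for i in incidents if i.real_extension() in EXEC_EXTS]
    return {
        "by_family": Counter(i.name for i in incidents),
        "not_disinfected": sum(i.status == "Not disinfected" for i in incidents),
        "in_mail_store": sum(i.location.startswith("Personal Folders") for i in incidents),
        "executables": len(executables),
        "disguised": sum(i.decoy_extension() is not None for i in incidents),
        "disguised_names": sorted({i.payload for i in incidents if i.decoy_extension()}),
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report it separates the two Virtumonde hits on disk and in the registry (which a disk-side tool has to remove) from the mailbox hits (which go away when Deleted Items is emptied, as the next reply suggests), and lists exactly which attachment names were dressed up as documents.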

#9
andydf
    Visiting Staff
  • Visiting Consultant
  • 1,660 posts
Hi moon eyes

The ActiveScan result seems to be incomplete; if it was a big log you may have to post it in more than one reply.

I suggest you empty your "deleted items" folder :)
Could you tell me if there is more than one user account on this PC?

OK
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll (file missing)
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
If you would please, rescan with HijackThis and post a fresh log along with the Spysweeper log in this same topic, and let us know how your system's working. :)

Andy :tazz:
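The two entries Andy marks for "Fix checked" are the same Vundo DLL registered twice: as a browser helper object and as a Winlogon Notify package, which loads into winlogon.exe as SYSTEM before any user logs on (that is why VundoFix had to kill winlogon and explorer before it could delete the file). HijackThis already reports the file as missing, so what is left to remove is the registry registration, plus the reversed-name companion VundoFix was given (byvvw.dll next to wvvyb.*). The triage script below is an added example for this thread, not HijackThis or VundoFix code; the four log lines are copied from the logs above, the system32 directory listing is constructed, and the list of default XP Winlogon Notify subkeys is an assumption.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: the HijackThis lines are copied from this thread; the
# system32 listing is invented for the example (byvvw.dll itself is already gone).
SAMPLE_HJT = r"""
O2 - BHO: MSEvents Object - {CE70731D-F28D-4D81-9D61-C8EE60378401} - C:\WINDOWS\system32\byvvw.dll (file missing)
O20 - Winlogon Notify: byvvw - C:\WINDOWS\system32\byvvw.dll (file missing)
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
SYSTEM32_LISTING = {"wvvyb.ini", "ssqqr.dll", "rqqss.ini", "nvsvc32.exe", "cdac11ba.exe"}

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<kind>[^:]+): (?P<rest>.+)$")
MISSING = "(file missing)"
# Winlogon Notify subkeys on a clean XP SP2 install (assumed baseline for this
# example; HijackThis hides these, and vendor software legitimately adds others).
XP_NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                      "sclgntfy", "senslogn", "termsrv", "wlballoon"}


@dataclass
class Entry:
    section: str
    kind: str
    label: str     # everything before the path: name, CLSID, company
    path: str
    missing: bool  # HijackThis appended "(file missing)"

    @property
    def stem(self) -> str:
        return PureWindowsPath(self.path).stem.lower()


def parse_hjt(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        missing = rest.endswith(MISSING)
        if missing:
            rest = rest[: -len(MISSING)].rstrip()
        label, _, path = rest.rpartition(" - ")  # the path is the last " - " field
        entries.append(Entry(m.group("section"), m.group("kind"), label, path, missing))
    return entries


def triage(entries: list[Entry], listing: set[str]) -> list[dict]:
    """Flag what to mark for 'Fix checked' and what still needs a look on disk."""
    files = {f.lower() for f in listing}
    findings = []
    for e in entries:
        if e.missing:
            findings.append({"section": e.section, "check": "orphaned",
                             "detail": f"registration survives although {e.path} is gone; "
                                       "remove the registry entry, there is no file to delete"})
        if e.section == "O20" and e.kind == "Winlogon Notify":
            if e.label.lower() not in XP_NOTIFY_BASELINE:
                findings.append({"section": e.section, "check": "non-default-notify",
                                 "detail": f"'{e.label}' loads {e.path} into winlogon.exe "
                                           "as SYSTEM before any user logs on"})
            twins = sorted(f for f in files if PureWindowsPath(f).stem == e.stem[::-1])
            if twins:
                findings.append({"section": e.section, "check": "reversed-twin",
                                 "detail": f"{twins} mirror {e.stem}: the reversed-name "
                                           "companion VundoFix was given above"})
    return findings


def reversed_name_pairs(listing: set[str]) -> list[tuple[str, str]]:
    """Stems in one directory whose reverse is also a stem there (ssqqr.dll / rqqss.ini)."""
    stems = {PureWindowsPath(f.lower()).stem for f in listing}
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] in stems and s[::-1] != s}
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT), SYSTEM32_LISTING):
        print(f"{f['section']:>4} {f['check']:<19} {f['detail']}")
    print("reversed-name pairs on disk:", reversed_name_pairs(SYSTEM32_LISTING))
```

`reversed_name_pairs` goes one step beyond the log: it works from a directory listing alone, so it catches a fresh Vundo drop such as ssqqr.dll (the second Virtumonde hit in the ActiveScan report) before it has a HijackThis entry, by spotting its mirror-image companion in the same folder.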

#10
moon_eyes
    Member
  • Topic Starter
  • 11 posts
Andy-

Thanks again for all of your help!

Sorry this took so long, but SpySweeper wouldn't give me a report for the results. Do you recommend that I subscribe? That's the only way to get the results. I did run it, though.

Here is my latest Hijack This log, and I just am confused as to what to do about the SpySweeper. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 7:33:33 PM, on 12/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Allison71\Desktop\Al Computer help\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://samsar.qti.ne...eX/TegoLoad.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.arcountydata.com/wfica.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://nwa.mlxchange...ontrol/SISC.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://nwa.mlxchange...ectComboBox.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v11/ticker.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://nwa.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://nwa.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#11
andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi moon eyes

Sorry about the SpySweeper link; Webroot moved the software I wanted you to use :)
Delete/uninstall the version you downloaded and use this link

http://www.download....4-10405877.html

Follow my previous instructions on setting up and using SpySweeper and post the required logs :)

Andy :tazz:

#12
moon_eyes (Topic Starter, Member, 11 posts)
Hi, Andy-

The new link wouldn't work either. It did take me to download.com, but the page said that download couldn't find the link.

After that, I searched for Webroot Spy Sweeper in Download, and three matches came up.

Which would you like me to use?

Here is the link:

http://www.download.....x=0&search.y=0

Sorry to be such a pain for you.

You have been really nice to help me, and I really appreciate it.

Thanks so much-

#13
andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi moon eyes

You need to download SpySweeper 4.5; it is on the page your link goes to.

Andy :tazz:

#14
moon_eyes (Topic Starter, Member, 11 posts)
Andy-

Here we go:

Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:49 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\TPPALDR.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Allison71\Desktop\Al Computer help\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.co...laxoInstall.cab
O16 - DPF: {1C960AA3-FAEE-11D0-9262-00A0243D2412} (TegoSoft SmartLoader ActiveX Control) - http://samsar.qti.ne...eX/TegoLoad.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.arcountydata.com/wfica.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://nwa.mlxchange...ontrol/SISC.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.co...ALStreaming.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://nwa.mlxchange...ectComboBox.cab
O16 - DPF: {53A1630A-DB38-4316-B18F-911719E1F66E} (MSN Money Ticker) - http://fdl.msn.com/p.../v11/ticker.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://nwa.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://nwa.mlxchange...ol/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

SpySweeper:
********
4:40 PM: | Start of Session, Friday, December 09, 2005 |
4:40 PM: Spy Sweeper started
4:40 PM: Sweep initiated using definitions version 582
4:40 PM: Starting Memory Sweep
4:44 PM: Memory Sweep Complete, Elapsed Time: 00:03:55
4:44 PM: Starting Registry Sweep
4:45 PM: Registry Sweep Complete, Elapsed Time:00:00:16
4:45 PM: Starting Cookie Sweep
4:45 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
4:45 PM: Starting File Sweep
5:15 PM: Warning: Unhandled Archive Type
5:15 PM: Warning: Unhandled Archive Type
5:15 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Unhandled Archive Type
5:16 PM: Warning: Invalid file - not a PKZip file
5:16 PM: File Sweep Complete, Elapsed Time: 00:31:36
5:16 PM: Full Sweep has completed. Elapsed time 00:35:53
5:16 PM: Traces Found: 0


I hope I did it right!

Thanks again!

#15
andydf (Visiting Staff, Visiting Consultant, 1,660 posts)
Hi moon eyes

OK, your log is looking good :)

Please let me know how your system is running. If all is OK, I will supply a few tips on safe surfing.

Andy :tazz: