Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

sharkie510

14 Posts

879

February 7th, 2007 04:00

hijack log first timer - computer infected with winantivirus/errorsafe malware

Hello everyone! This is my first time having to resort to this method, but I see no other option. My dad opened an e-mail from his Yahoo! account today and inadvertenly unleashed this virus on our computer. Now I'm getting all of these pop-ups/notifications advertising WinAntiVirus, ErrorSafe, SystemDoctor, etc. I've experienced this problem before, and I've generally had no problem removing them, but this infliction seems to be more resilient than ever. I've already try the methods I know of (running spyware/virus scans and VundoFix) but to no avail. Can someone please help me out? Here's my HiJack This log:
 
 
Logfile of HijackThis v1.99.1
Scan saved at 22:27:49, on 2/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mbti.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vrss.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Default\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Default\LOCALS~1\Temp\Rar$EX00.079\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vrss.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe
 
 
Help would be very much appreciated. Thanks in advance!
 
sharkie510

1972vet

3.3K Posts

February 7th, 2007 05:00

Uhmmm wow lol you have a Qoologic and Vundo infection...I haven't seen this in a while. Please do this first:

Rename your HijackThis.exe application to "Analyze.exe". Run a scan and save THAT log to your Desktop. It's important to save that particular log in a different location from your HijackThis application. The reason is because, the next time you run it, that log will be replaced with the newer one if it remains in the HijackThis folder so, please keep them seperate for the time being. We will need that log to compare with your next one.

Next, please download combofix.exe and save it to your desktop.

Open a blank Notepad. Save the command below in Bold text in the blank Notepad as a text file so that you can copy/paste it while in safe mode because you won't be able to read these instructions from your browser.
"%userprofile%\desktop\combofix.exe" /wow

Reboot the computer into Safe mode.

once in safe mode and logged in as an Administrator, please continue with the instructions below:

Go to start-->run
Copy/paste the data you saved in the Notepad from the earlier instruction into the run box and click "OK":

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

When finished, it will produce a log for you. Save the log to your Desktop and post that log in your next reply. Boot back into your normal user mode.

In your next post, please include:
Your hijackthis log from the beginning of these instructions
Another fresh hijackthis log after running the combofix
Combofix log

Thanks!

sharkie510

14 Posts

February 7th, 2007 23:00

Ok, I've followed your instructions, (hopefully, I've done it accurately lol) and here's what we've got:
 
1st HijackThis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 16:25:13, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mbti.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vrss.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vrss.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

sharkie510

14 Posts

February 7th, 2007 23:00

continued..........
 
 
2nd HijackThis log (after running ComboFix):
Logfile of HijackThis v1.99.1
Scan saved at 16:51:13, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mbti.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vrss.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vrss.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

1972vet

3.3K Posts

February 7th, 2007 23:00

OK, still need the combofix log. You actually posted your second hjt log twice.

sharkie510

14 Posts

February 7th, 2007 23:00

continued..........
 
 
ComboFix log:
Logfile of HijackThis v1.99.1
Scan saved at 16:25:13, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\mbti.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\vrss.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\mbti.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Anti-Virus] C:\WINDOWS\system32\vrss.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Network Latency Controller] C:\WINDOWS\system32\mbti.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

sharkie510

14 Posts

February 8th, 2007 03:00

Oops! Sorry about that! Here's the combofix log:
 
"Default" - 07-02-07 16:37:33    Service Pack 2
ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Default\desktop"
Command switches used :: /wow
((((((((((   Other Deletions   ))))))))))
C:\WINDOWS\start.exe
C:\DOCUME~1\DEFAULT\Application Data\SearchToolbarCorp
((((((((((((   Files Created from 2007-01-07 to 2007-02-07  ))))))))))))
2007-02-06 21:33 975,211 ---hs---- C:\WINDOWS\SYSTEM32\ststv.bak1
2007-02-06 19:39 975,211 ---hs---- C:\WINDOWS\SYSTEM32\cbccf.bak1
2007-02-06 18:44 76,412 --a------ C:\WINDOWS\SYSTEM32\eivxsice.dll
2007-01-31 21:43 66,560 --a------ C:\WINDOWS\SYSTEM32\rsbmsc.exe
2007-01-31 21:23 70,656 --a------ C:\WINDOWS\SYSTEM32\cjnr4r43010425.exe
2007-01-30 21:31   d-------- C:\VundoFix Backups
2007-01-29 21:30 70,656 --a------ C:\WINDOWS\SYSTEM32\mcesvi.exe
2007-01-29 21:27 76,412 --a------ C:\WINDOWS\SYSTEM32\anbyefkf.dll
2007-01-25 16:38 70,656 --a------ C:\WINDOWS\SYSTEM32\mscivc.exe
2007-01-11 20:41 66,560 --a------ C:\WINDOWS\SYSTEM32\mgosvc.exe
2007-01-10 22:16   d-------- C:\WINDOWS\ie7updates
2007-01-09 18:34   d--hs---- C:\FOUND.026
2007-01-09 06:54 987 --a------ C:\WINDOWS\SYSTEM32\wvmsi.exe
((((((((((((((   Find3M Report   )))))))))))))
2007-02-05 21:46 89600 --a------ C:\DOCUME~1\Default\Application Data\dcbc2a71-70d8-4dan-ehr8-e0d61dea3fdf.ini
2007-01-25 23:31 1852 --a------ C:\WINDOWS\SYSTEM32\d3d9caps.dat
2007-01-08 06:00 5868 --a------ C:\WINDOWS\SYSTEM32\svmbi.exe
2006-12-29 21:19 70656 --a------ C:\WINDOWS\SYSTEM32\mvcrs.exe
2006-12-14 14:37 66560 --a------ C:\WINDOWS\SYSTEM32\psmvc.exe
2006-12-11 21:07 66560 --a------ C:\WINDOWS\SYSTEM32\mivss.exe
2006-12-10 21:15 66560 --a------ C:\WINDOWS\SYSTEM32\mbsg.exe
2006-12-07 18:43 66560 --a------ C:\WINDOWS\SYSTEM32\mpiss.exe
2006-12-07 06:04 70656 --a------ C:\WINDOWS\SYSTEM32\rsmg.exe
2006-12-06 22:40 2362184 --a------ C:\WINDOWS\SYSTEM32\wmvcore.dll
2006-12-06 16:22 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev71283617.exe
2006-12-06 09:22 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r42440480.exe
2006-12-06 06:37 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h8562564.exe
2006-12-05 21:03 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev78402662.exe
2006-12-03 21:22 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev75997707.exe
2006-12-02 21:51 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h2194179.exe
2006-12-01 06:01 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f43717221.exe
2006-12-01 06:00 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev71823917.exe
2006-12-01 05:59 70656 --a------ C:\WINDOWS\SYSTEM32\rssp.exe
2006-11-30 19:28 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev75187527.exe
2006-11-30 19:01 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f49649681.exe
2006-11-29 21:18 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h3028244.exe
2006-11-29 20:09 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r47853620.exe
2006-11-29 15:33 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev7151252.exe
2006-11-29 06:05 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h2132634.exe
2006-11-28 18:07 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f46254006.exe
2006-11-27 18:23 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev7398757.exe
2006-11-27 06:08 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f41941476.exe
2006-11-26 18:45 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f48050476.exe
2006-11-25 21:02 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r46091005.exe
2006-11-25 20:56 407 --a------ C:\WINDOWS\SYSTEM32\tmbs.exe
2006-11-25 19:14 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f42034241.exe
2006-11-25 16:37 66560 --a------ C:\WINDOWS\SYSTEM32\sklrr7y6566833.exe
2006-11-25 05:57 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev76110007.exe
2006-11-24 20:16 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r44743565.exe
2006-11-24 17:58 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r45427930.exe
2006-11-24 16:21 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h6842994.exe
2006-11-24 16:21 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h2542814.exe
2006-11-24 16:21 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r49097045.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\sklrr7y8525138.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\sklrr7y5904418.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev76438112.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev76242077.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\nlkfev76016397.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h9625069.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h9061224.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h1888744.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f49846876.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\dior4f47856576.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r47209065.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r42876715.exe
2006-11-24 16:20 66560 --a------ C:\WINDOWS\SYSTEM32\cjnr4r41971220.exe
2006-11-24 05:59 54272 --a------ C:\WINDOWS\SYSTEM32\nlkfev72424172.exe
2006-11-23 21:31 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r47187435.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\sklrr7y64233.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\sklrr7y1311713.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\nlkfev78734867.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\nlkfev76499152.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\dior4f46870436.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\dior4f4676951.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\dior4f43432306.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r48386925.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r44919290.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r44575885.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r43548285.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r43348520.exe
2006-11-23 21:30 54272 --a------ C:\WINDOWS\SYSTEM32\cjnr4r41373525.exe
2006-11-23 21:29 35840 --a------ C:\WINDOWS\SYSTEM32\mpreg.exe
2006-11-23 17:53 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r47149765.exe
2006-11-23 15:33 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h7559509.exe
2006-11-23 11:09 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h130864.exe
2006-11-22 23:08 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r49306195.exe
2006-11-22 18:03 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y1742148.exe
2006-11-22 16:25 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f42451301.exe
2006-11-21 21:34 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f47339591.exe
2006-11-21 17:34 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h5414614.exe
2006-11-21 17:34 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f48520086.exe
2006-11-21 17:34 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f43247791.exe
2006-11-21 17:33 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y2800138.exe
2006-11-21 17:33 136192 --a------ C:\WINDOWS\SYSTEM32\nlkfev72138007.exe
2006-11-21 11:51 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y1593073.exe
2006-11-20 20:59 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h1864089.exe
2006-11-20 17:41 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y8905978.exe
2006-11-20 17:41 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y3023533.exe
2006-11-20 17:41 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h4864429.exe
2006-11-20 17:41 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r42701390.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y9268018.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y912918.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y5129948.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y4930468.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y3910613.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y2915543.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\nlkfev71880787.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h2365204.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f47662081.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f47553896.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f47107056.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f41125346.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r46540375.exe
2006-11-20 17:40 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r43854645.exe
2006-11-20 15:55 136192 --a------ C:\WINDOWS\SYSTEM32\nlkfev77580737.exe
2006-11-20 12:46 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y7911468.exe
2006-11-20 07:51 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f48527706.exe
2006-11-20 06:39 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y8315408.exe
2006-11-19 21:44 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f49219821.exe
2006-11-19 18:55 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f48336766.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y6455548.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y3883688.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y2356648.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\nlkfev73178852.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h8408604.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h2339034.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f4831901.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r49810730.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r49180950.exe
2006-11-19 18:53 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r48610385.exe
2006-11-18 21:52 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r49841670.exe
2006-11-18 06:00 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r45559070.exe
2006-11-17 21:41 136192 --a------ C:\WINDOWS\SYSTEM32\cjnr4r43648730.exe
2006-11-17 19:57 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f47078496.exe
2006-11-17 18:30 136192 --a------ C:\WINDOWS\SYSTEM32\nlkfev77625507.exe
2006-11-17 06:10 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h9309314.exe
2006-11-16 19:48 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h9929674.exe
2006-11-16 18:59 35840 --a------ C:\WINDOWS\SYSTEM32\mbti.exe
2006-11-16 18:33 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y2646038.exe
2006-11-16 16:47 136192 --a------ C:\WINDOWS\SYSTEM32\sklrr7y9911748.exe
2006-11-16 16:47 136192 --a------ C:\WINDOWS\SYSTEM32\mlsdf8h5160749.exe
2006-11-16 16:47 136192 --a------ C:\WINDOWS\SYSTEM32\dior4f49146066.exe
2006-11-11 23:00 48640 --a------ C:\WINDOWS\SYSTEM32\vpms.exe
2006-11-10 08:34 48640 --a------ C:\WINDOWS\SYSTEM32\vrss.exe
2006-11-07 22:25 128000 --a------ C:\WINDOWS\SYSTEM32\snvc.exe
2006-11-07 21:06 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
(((((((((((   Reg Loading Points   )))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"DVDUpgrade"="DVDUpgrd.exe /async9x"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Anti-Virus"="C:\\WINDOWS\\system32\\vrss.exe"
"Microsoft (R) Windows Network Latency Controller"="C:\\WINDOWS\\system32\\mbti.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"232A8E5B"="C:\\WINDOWS\\system32\\rsbmsc.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"CountrySelection"="pctptt.exe"
"PTSNOOP"="ptsnoop.exe"
"cpqns"="c:\\compaq\\cpqinet\\cpqnpcss.exe"
"Service Connection"="c:\\cpqs\\bwtools\\sccenter.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\MotiveAssistant\\motmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"McAfeeWebScanX"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\WebScanX.exe"
"LWBMOUSE"="C:\\Program Files\\Browser Mouse\\Browser Mouse\\1.1\\MOUSE32A.EXE"
"POINTER"="point32.exe"
"kkgwsen"="C:\\WINDOWS\\SYSTEM32\\utpvquvx.exe"
"OLEJAVA"="C:\\WINDOWS\\JAVA\\HELP\\OLEJAVA.EXE"
"Win Server Updt"="C:\\WINDOWS\\wupdt.exe"
"EbatesMoeMoneyMaker0"="\"C:\\PROGRAM FILES\\EBATES_MOEMONEYMAKER\\EbatesMoeMoneyMaker0.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{90F28AF0-2CE4-487E-8B90-A578B7C4C417}"=""
"{7F5A2699-38CD-4B98-B193-5916D6566B01}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"MSMSGS"="C:\\Program Files\\Messenger\\msmsgs.exe /background"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"CDRAutoRun"=hex:00,00,00,00
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ    HTTPFilter\0\0
LocalService REG_MULTI_SZ    Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ    DnsCache\0\0
DcomLaunch REG_MULTI_SZ    DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ    RpcSs\0\0
imgsvc REG_MULTI_SZ    StiSvc\0\0
termsvcs REG_MULTI_SZ    TermService\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Default.job
********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-07 16:49:30

1972vet

3.3K Posts

February 8th, 2007 16:00

Good work! Combofix removed quite a bit of junk but you still have several trojans. Please do this:

Download and scan with AVG Anti-Spyware v7.5
( This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
  • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
  • Select the "Update" button and click "Start update". Wait until you see the "Update successful message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
Click on the " Scanner" button and choose the " Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

Close the application and reboot the computer into Safe mode. Once in safe mode continue with the instructions below:

Open the AVG Anti-Spyware application and click the " Scan" tab.
Click " Complete System Scan" to start.

Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
  • Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
  • If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
When the scan has finished you will be presented with a list of infected objects found. Click " Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate " No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button?

Click on " Save Report" to view all completed scans. Click on the most recent scan you just performed and select " Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\

Exit AVG Anti-Spyware when done. Boot back to your normal user mode. Please post the contents of the AVG Anti-Spyware scan log along with a fresh HijackThis log. Thanks!

sharkie510

14 Posts

February 9th, 2007 00:00

Alrighty, here we are:
 
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 18:18:28 2/8/2007
 + Scan result: 
 
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\BO2801040128.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\Lycos.dll -> Adware.BargainBuddy : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\Ebates -> Adware.MoneyMaker : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\Ebates -> Adware.MoneyMaker : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\MenuExt\Ebates -> Adware.MoneyMaker : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\MenuExt\Ebates -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Downloads\HoyleCasino2007-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll -> Adware.Yahoo : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\greg.exe -> Backdoor.HacDef.fv : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r42054680.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r42181530.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r44099055.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r48610385.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r49180950.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r49810730.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f41016506.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f41116316.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f42145311.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f4831901.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f48336766.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f48527706.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f49219821.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h2339034.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h501814.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h7960579.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h8408604.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev72776167.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev73178852.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev74290177.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev76893477.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev77580737.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev79818997.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y2356648.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y363943.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y3883688.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y6455548.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y6649853.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y7154793.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y7911468.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y8315408.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y8588378.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y8857203.exe -> Backdoor.HacDef.fw : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r43648730.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r45559070.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r49841670.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f47078496.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f49146066.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h5160749.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h9309314.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h9929674.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev77625507.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y2646038.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y9911748.exe -> Backdoor.HacDef.gr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mvcrs.exe -> Backdoor.HacDef.he : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\rsmg.exe -> Backdoor.HacDef.he : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\rssp.exe -> Backdoor.HacDef.he : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev71283617.exe -> Backdoor.HacDef.hg : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vmnat.exe -> Backdoor.SdBot.aad : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\perfkey.exe -> Downloader.Obfuscated.ak : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r43647045.exe -> Dropper.Mudrop.cr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r46133535.exe -> Dropper.Mudrop.cr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f49081286.exe -> Dropper.Mudrop.cr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev78043522.exe -> Dropper.Mudrop.cr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP600\A0104000.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP603\A0104023.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP604\A0104030.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP605\A0104037.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP607\A0104057.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP608\A0104064.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP609\A0104071.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cachex.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ntar.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\spoolb.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\zdrive.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\in10b6.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\Documents and Settings\Default\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-301c72d2-5f8a4c44.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP642\A0104378.exe -> Proxy.Horst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP643\A0104388.exe -> Proxy.Horst : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EF9504D7-42B9-45FF-9A28-4A8B07AAD83B}\RP644\A0104399.exe -> Proxy.Horst : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vpms.exe -> Proxy.Horst : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vrss.exe -> Proxy.Horst : Cleaned with backup (quarantined).
[1948] C:\WINDOWS\system32\vrss.exe -> Proxy.Horst : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mbti.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mpreg.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
[1596] C:\WINDOWS\system32\mbti.exe -> Proxy.Ranky : Cleaned with backup (quarantined).
C:\Documents and Settings\Default\Cookies\default@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@2o7[3].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@2o7[5].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@diggs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@divx.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@dowjones.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@efashionsolutions.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@gettyimages.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@gettyimages.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@hswmedia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@maxim.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@nasdaq.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@nasdaq.122.2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@wrigley.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ad.adition[2].txt -> TrackingCookie.Adition : Cleaned.

sharkie510

14 Posts

February 9th, 2007 00:00

part 3.....
 
C:\Documents and Settings\Default\Cookies\default@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@hitbox[4].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@hitbox[5].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned.
C:\Documents and Settings\Default\Cookies\default@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned.
C:\Documents and Settings\Default\Cookies\default@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Default\Cookies\default@searchportal.information[2].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.link4ads[2].txt -> TrackingCookie.Link4ads : Cleaned.
C:\Documents and Settings\Default\Cookies\default@linkbuddies[1].txt -> TrackingCookie.Linkbuddies : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Default\Cookies\default@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Default\Cookies\default@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Default\Cookies\default@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Default\Cookies\default@stat.onestat[1].txt -> TrackingCookie.Onestat : Cleaned.
C:\Documents and Settings\Default\Cookies\default@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@overture[3].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@perf.overture[3].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Default\Cookies\default@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@paycounter[2].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@paycounter[4].txt -> TrackingCookie.Paycounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.pointroll[3].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.pointroll[5].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Default\Cookies\default@aphrodite.porntrack[1].txt -> TrackingCookie.Porntrack : Cleaned.
C:\Documents and Settings\Default\Cookies\default@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\Default\Cookies\default@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Default\Cookies\default@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Default\Cookies\default@questionmarket[4].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Default\Cookies\anyuser@realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@network.realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@network.realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@realmedia[4].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@realmedia[5].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Default\Cookies\default@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Default\Cookies\default@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Default\Cookies\default@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@edge.ru4[3].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@edge.ru4[5].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\Default\Cookies\default@.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@serving-sys[3].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@serving-sys[4].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@serving-sys[5].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Default\Cookies\default@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@cs.sexcounter[3].txt -> TrackingCookie.Sexcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sexlist[3].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter1.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter12.sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter14.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter3.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter5.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sextracker[3].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www.smartadserver[3].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statcounter[3].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statcounter[4].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statcounter[5].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tacoda[4].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Default\Cookies\default@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Default\Cookies\default@targetnet[3].txt -> TrackingCookie.Targetnet : Cleaned.
C:\Documents and Settings\Default\Cookies\default@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\Default\Cookies\default@track-star[1].txt -> TrackingCookie.Track-star : Cleaned.
C:\Documents and Settings\Default\Cookies\default@login.tracking101[1].txt -> TrackingCookie.Tracking101 : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tradedoubler[3].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tradedoubler[5].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Default\Cookies\default@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Default\Cookies\default@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Default\Cookies\default@trafficmp[3].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Default\Cookies\default@trafficmp[4].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Default\Cookies\default@tribalfusion[3].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Default\Cookies\default@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Default\Cookies\default@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Default\Cookies\default@reduxads.valuead[3].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Default\Cookies\default@vdn.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Default\Cookies\default@blp.valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@valueclick[4].txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Default\Cookies\default@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Default\Cookies\default@xxxcounter[2].txt -> TrackingCookie.Xxxcounter : Cleaned.
C:\Documents and Settings\Default\Cookies\default@yadro[1].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Default\Cookies\default@yadro[2].txt -> TrackingCookie.Yadro : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ad.yieldmanager[4].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Default\Cookies\default@c6.zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Default\Cookies\default@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Default\Cookies\default@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Default\Cookies\default@zedo[3].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Default\Cookies\default@zedo[5].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\SYSTEM32\ahost.exe -> Trojan.Agent.khz : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\snvc.exe -> Trojan.Agent.khz : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r42701390.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r43854645.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cjnr4r46540375.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f41125346.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f47107056.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f47553896.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dior4f47662081.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h1864089.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h2365204.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\mlsdf8h4864429.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\nlkfev71880787.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y1593073.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y2915543.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y3023533.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y3910613.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y4930468.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y5129948.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y8905978.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y912918.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sklrr7y9268018.exe -> Trojan.Obfuscated.au : Cleaned with backup (quarantined).

::Report end

sharkie510

14 Posts

February 9th, 2007 00:00

and the fresh HijackThis log......
 
 
Logfile of HijackThis v1.99.1
Scan saved at 18:24:27, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\dvdupgrd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

sharkie510

14 Posts

February 9th, 2007 00:00

part 2 of the AVG Anit-Spyware Scan log......
 
C:\Documents and Settings\Default\Cookies\default@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Default\Cookies\default@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Default\Cookies\default@gde.adocean[2].txt -> TrackingCookie.Adocean : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adrevolver[4].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adrevolver[7].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@z1.adserver[3].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@z1.adserver[4].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Default\Cookies\default@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Default\Cookies\default@advertising[3].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Default\Cookies\default@advertising[4].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Default\Cookies\default@advertising[5].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Default\Cookies\default@servedby.advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Default\Cookies\default@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Default\Cookies\default@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Default\Cookies\default@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Default\Cookies\default@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Default\Cookies\default@bluestreak[3].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Default\Cookies\default@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Default\Cookies\default@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Default\Cookies\default@citi.bridgetrack[4].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Default\Cookies\default@citi.bridgetrack[5].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www.burstbeacon[3].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\Default\Cookies\default@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Default\Cookies\default@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Default\Cookies\default@burstnet[4].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@casalemedia[4].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Default\Cookies\default@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Default\Cookies\default@centrport[2].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Default\Cookies\default@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Default\Cookies\default@vip.clickzs[3].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.guardian.co[1].txt -> TrackingCookie.Co : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ads.guardian.co[2].txt -> TrackingCookie.Co : Cleaned.
C:\Documents and Settings\Default\Cookies\default@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Default\Cookies\default@commission-junction[2].txt -> TrackingCookie.Commission-junction : Cleaned.
C:\Documents and Settings\Default\Cookies\default@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Default\Cookies\default@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Default\Cookies\default@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@engage[1].txt -> TrackingCookie.Engage : Cleaned.
C:\Documents and Settings\Default\Cookies\default@www2.enigmasoftwaregroup[2].txt -> TrackingCookie.Enigmasoftwaregroup : Cleaned.
C:\Documents and Settings\Default\Cookies\default@estat[1].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Default\Cookies\default@estat[2].txt -> TrackingCookie.Estat : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as-us.falkag[3].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as-us.falkag[4].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@sel.as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Default\Cookies\default@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@fastclick[3].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Default\Cookies\default@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-accuweather.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-bestbuy.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-comcast.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-console.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-crain.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-cygnusbm.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-darden.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-dcshoes.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-dig.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-dig.hitbox[4].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-directv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-esignal.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-esignal.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-fandango.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-foxmovies.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-foxsports.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-hasbro.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-hitent.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-hollywood.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-ifilm.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-ignitemedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-knightridder.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-knightridder.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-space.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-space.hitbox[3].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-uniontrib.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-viacom.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-webex.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Default\Cookies\default@ehg-xxolympicwintergames.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.

1972vet

3.3K Posts

February 9th, 2007 02:00

Looks better. You got rid of a bunch of trojans. Now let's remove the Qoologic infection: Please download Qoofix 1.03

Unzip to the following location:
C:\Qoofix (Use your local hard drive letter if it is different).
Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
Finally, select Begin Removal and the removal process will commence.
A reboot may be necessary if an infection is found.
Post back a fresh HijackThis log. Thanks!

sharkie510

14 Posts

February 9th, 2007 03:00

Hmm, I ran Qoofix, and it reported no infections found.....
 
 
Logfile of HijackThis v1.99.1
Scan saved at 21:39:35, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dvdupgrd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [232A8E5B] C:\WINDOWS\system32\rsbmsc.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

1972vet

3.3K Posts

February 9th, 2007 05:00

Quote: Hmm, I ran Qoofix, and it reported no infections found.....
Interesting. The Qoologic entry from your log is here:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mbti.exe
But after running the Qoofix, that entry disappeared from the log. What I find curious however is that there is an associated entry in the "O23" category...I've not seen this before with Qoologic so my best guess is that it isn't Qoologic even though the Qoofix removed it.
I also checked to see if it was an older variant but have since determined that it isn't that either. With Vundo having been present in the log, it is undoubtedly just some spambot. Not to worry though, we'll kill it.

First, let's uninstall some software. Please click Start-->Control Panel-->Add/Remove Programs
Scroll down the list to locate the program named MOEMONEYMAKER and click Remove. Reboot when the uninstall comletes.

Please download the KILLBOX, extract it to your desktop.

Open killbox.exe. First click on Tools-->Delete Temp Files. A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well. Next, click on the Button titled "Delete Selected Temp Files".
Exit by clicking the Button titled "Exit(Save Settings)".

Once back into the main killbox program, check the box Delete on Reboot.

Highlight the entries below in Bold text and then copy them.

C:\WINDOWS\system32\rsbmsc.exe
C:\WINDOWS\system32\mbti.exe
Then in killbox click File-->Paste from Clipboard. Click the "All Files" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

A second message will ask to Reboot now? you will need to click No for now.
Note: Killbox will let you know if a file does not exist.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until you've completed the instructions below.

Please run HijackThis again and check the following:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {01C54550-1EE2-453C-B98B-641CC9788749} - C:\WINDOWS\system32\fccbc.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - (no file)
O2 - BHO: (no name) - {47282951-1F2B-4A13-ABB5-ADB29F43D3BB} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {4DF75823-458D-41B3-B76F-041E04A3ABFA} - C:\WINDOWS\system32\ddcdc.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\dqeivaej.dll (file missing)
O2 - BHO: (no name) - {7F5A2699-38CD-4B98-B193-5916D6566B01} - C:\WINDOWS\system32\byxvtqp.dll (file missing)
O2 - BHO: (no name) - {813B0799-1BBC-4C46-96A6-DD0C56F26F8B} - C:\WINDOWS\system32\byxyx.dll (file missing)
O2 - BHO: (no name) - {90F28AF0-2CE4-487E-8B90-A578B7C4C417} - C:\WINDOWS\system32\hggdday.dll (file missing)
O2 - BHO: (no name) - {ECCA7110-3966-46FF-B4BA-E45D72F39520} - C:\WINDOWS\system32\wvuvu.dll (file missing)
O4 - HKLM\..\Run: 232A8E5B> C:\WINDOWS\system32\rsbmsc.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe

Close all windows now except for HijackThis, then click Fix Checked.

Reboot the computer.

Your Java application is out of date and causes a slight security risk as a result.
Please follow these steps to remove older version Java components

1. Close any open programs you may have running, especially your web
browser.

2. Click Start-->Control Panel-->Add or Remove Programs.
For those just reading this thread:
Depending on your OS, you may have to click Start-->Settings-->Control Panel-->Add or Remove Programs.

3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.
Not every version of Java will begin with "Java" so be sure to read each entry in the list.
Repeat step 3 as many times as necessary to remove all versions of Java.
**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

4. Navigate to and delete:
  • C:\Program Files\ Java =this folder if found
5. Then go to this page.
Scroll down to where it says "Java Runtime Environment (JRE) 6
The Java SE Runtime Environment (JRE) allows end-users to run Java applications."and click the "Download" button to the right.

6. Check the box that says: "Accept License Agreement" the page will refresh and click on the link to download Windows Offline Installation with or without Multi-language. Save it to your desktop.
Then from your desktop double-click on the executable to install the newest version. Reboot when the installation completes.


Please post back a fresh HijackThis log and advise how the computer is running for you now.

sharkie510

14 Posts

February 10th, 2007 17:00

I couldn't find MOEMONEYMAKER on add/remove programs. Any ideas why? Anyways, I did all the other instructions you gave me. My computer seems to be working fine. The popups I mentioned (Winfixer, ErrorSafe, etc.) stopped a while back already, like 2-3 days ago. I hope we're done here, or at least close to done! :smileyvery-happy:
 
 
Heres a fresh HijackThis log:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:25:57, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dvdupgrd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Default\Desktop\hijackthis\Analyze.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?s=consumer&LC=0409&c=1c00
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N1 - Netscape 4: user_pref("browser.startup.homepage", " http://realguide.real.com/redir/?cd=rpbrowserhome"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async9x
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=1c00&lc=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=1c00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .asf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .asx: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .wma: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ System Source (COMSysSRC) - Unknown owner - C:\WINDOWS\system32\vmnat.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Network Latency Controller (nlc) - Unknown owner - C:\WINDOWS\system32\mbti.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Print Spooler Service (t9yya3aoaea) - Unknown owner - C:\WINDOWS\system32\rsbmsc.exe (file missing)

Was this post helpful?

View All

No Events found!

Top