MalwareRemoval.com
Malware Removal Instructions

Hijacked web browser. Please help?

Post by piploo » November 30th, 2006, 5:23 pm

Hi,
Just yesterday my homepage became the victim of a hijack. The site I'm redirected to is jupk.com. I have read many posts on similar situations, and tried everything I can to get rid of it, but it would seem everybody that has suffered this problem goes down the route I'm about to. So, as you know, I'm posting my HT log. Thanks for any replies to this post, I would greatly appreciate any help.

Logfile of HijackThis v1.99.1
Scan saved at 21:03:49, on 30/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sistray.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Piploo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d1d70c25820048668871f2219a9be50c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d1d70c25820048668871f2219a9be50c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE11C0F3-2A94-47AD-A4B4-9E6C7AE77BA0}: NameServer = 85.255.115.66,85.255.112.98
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
piploo
Active Member
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Post by Susan528 » November 30th, 2006, 9:15 pm

Hello piploo and Welcome to Malware Removal,

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/l ... areout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Scan with HijackThis. Place a check against each of the following:
O2 - BHO: (no name) - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE11C0F3-2A94-47AD-A4B4-9E6C7AE77BA0}: NameServer = 85.255.115.66,85.255.112.98
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98

Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Post (reply) with the C:\fixwareout\report.txt and
a fresh HijackThis log.
Susan528
MRU Master
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Post by piploo » December 1st, 2006, 10:55 am

Ok, done everything you asked, here are the reports and logs.

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Logfile of HijackThis v1.99.1
Scan saved at 14:52:38, on 01/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\sistray.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
D:\Documents and Settings\Piploo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d1d70c25820048668871f2219a9be50c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d1d70c25820048668871f2219a9be50c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

thanks
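The O17 items Susan528 asked to be fixed above are static DNS server settings for each network interface, which is why the redirect survives browser resets: every lookup the machine makes goes to 85.255.115.66 and 85.255.112.98 first. The following script is an added example, not a tool from this thread or from MalwareRemoval.com. It parses HijackThis v1.99 item lines, classifies each resolver address found in O17 entries, and diffs a before/after pair of logs to confirm what a fix removed. The two log excerpts are constructed from the logs posted above and trimmed to the relevant lines; the KNOWN_ROGUE block and the empty TRUSTED set are assumptions (the ISP's real resolver addresses do not appear anywhere in the log).

```python
"""Added triage helpers for HijackThis v1.99 logs (example code, not a tool
from the thread): pull O17 NameServer entries out of a log, classify each
resolver address, and diff a before/after pair of logs to see what a fix removed."""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of the two logs posted in the thread (30/11/2006 before
# FixWareout, 01/12/2006 after), trimmed to the lines that matter for the hijack.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {2E4136F6-A927-4337-8178-B7EBC309EFC4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE11C0F3-2A94-47AD-A4B4-9E6C7AE77BA0}: NameServer = 85.255.115.66,85.255.112.98
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.66 85.255.112.98
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Assumption: the 85.255.112.0/20 block is treated as known-rogue here because both
# resolvers in the log fall inside it. Maintain this list from your own threat
# intelligence, and put the ISP's real resolver addresses into TRUSTED.
KNOWN_ROGUE = [ipaddress.ip_network("85.255.112.0/20")]
TRUSTED: Set[str] = set()  # not known from the log

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
O17_RE = re.compile(r"^(?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every HijackThis item line; the header and the
    running-process list do not match the item pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def o17_nameservers(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Extract (registry key, [resolver, ...]) from O17 items. HijackThis prints the
    servers either space- or comma-separated; both forms occur in the log above."""
    out = []
    for section, body in entries:
        if section != "O17":
            continue
        m = O17_RE.match(body)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            out.append((m.group("key"), servers))
    return out


def classify(addr: str) -> str:
    """Verdict for one resolver address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "local"          # a home router or the machine itself
    if addr in TRUSTED:
        return "trusted"
    if any(ip in net for net in KNOWN_ROGUE):
        return "known-rogue"
    return "unexpected-public"  # a public resolver nobody configured on purpose


def flag_resolvers(text: str) -> Dict[str, str]:
    """Verdict per distinct resolver address found in the log's O17 lines."""
    verdicts: Dict[str, str] = {}
    for _key, servers in o17_nameservers(parse_hjt(text)):
        for s in servers:
            verdicts[s] = classify(s)
    return verdicts


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(removed, added) item lines between two scans of the same machine."""
    b = {f"{s} - {body}" for s, body in parse_hjt(before)}
    a = {f"{s} - {body}" for s, body in parse_hjt(after)}
    return b - a, a - b


if __name__ == "__main__":
    for key, servers in o17_nameservers(parse_hjt(LOG_BEFORE)):
        print(key, "->", ", ".join(f"{s} [{classify(s)}]" for s in servers))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"{len(removed)} items removed, {len(added)} added by the fix")
    for line in sorted(removed):
        print("  -", line)
```

Run it against a full log instead of the excerpts to get the same verdicts. The per-interface NameServer value HijackThis shows under `..\{GUID}` is the static DNS setting, so after the entries are fixed it is worth confirming with `ipconfig /all` that the DNS servers shown are once again the ones handed out by DHCP rather than the two addresses above.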

Post by Susan528 » December 1st, 2006, 4:43 pm

STEP 1.
======
Combofix
  1. Download this file - combofix.exe
  2. Double click combofix.exe & follow the prompts.
  3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Copy and paste that information from Kaspersky in your next post.

Please post the ComboFix log and the Kaspersky log. How is your computer running?

Post by piploo » December 1st, 2006, 10:27 pm

Hi, computer is running as normal apart from the hijack. Speed is OK but redirected to the site on many occasions. Here's the info on ComboFix and Kaspersky.
Piploo - 06-12-02 0:50:34.81 Service Pack 2
ComboFix 06.11.27W - Running from: "D:\Documents and Settings\Piploo\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-11-02 to 2006-12-02 ))))))))))))))))))))))))))))))))))


2006-12-01 14:42 <DIR> d-------- C:\fixwareout
2006-12-01 14:42 <DIR> d-------- C:\fixwareout
2006-11-30 20:37 <DIR> d-------- C:\Program Files\Video ActiveX Object
2006-11-30 20:37 <DIR> d-------- C:\Program Files\Video ActiveX Object
2006-11-30 20:37 <DIR> d-------- C:\Program Files\Video ActiveX Object
2006-11-30 20:37 <DIR> d-------- C:\Program Files\Video ActiveX Object
2006-11-30 20:37 <DIR> d-------- C:\Program Files\Common Files\Scanner
2006-11-30 19:38 <DIR> d-------- C:\Program Files\InterMute
2006-11-30 19:38 <DIR> d-------- C:\Program Files\InterMute
2006-11-30 19:38 <DIR> d-------- C:\Program Files\InterMute
2006-11-30 19:38 <DIR> d-------- C:\Program Files\InterMute
2006-11-30 16:49 <DIR> d-------- C:\WINDOWS\system32\en-US
2006-11-30 16:48 <DIR> d----c--- C:\WINDOWS\ie7
2006-11-30 16:46 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-11-30 16:26 24,576 --a------ C:\WINDOWS\system32\STKIT432.DLL
2006-11-30 16:26 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-11-30 16:26 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-11-30 16:26 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-11-30 16:26 <DIR> d-------- C:\Program Files\Registry Mechanic
2006-11-25 13:44 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-25 13:44 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-25 13:44 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-25 13:44 <DIR> d-------- C:\Program Files\Yahoo!
2006-11-24 22:25 <DIR> d-------- C:\Program Files\VideoAccess
2006-11-24 22:25 <DIR> d-------- C:\Program Files\VideoAccess
2006-11-24 22:25 <DIR> d-------- C:\Program Files\VideoAccess
2006-11-24 22:25 <DIR> d-------- C:\Program Files\VideoAccess
2006-11-06 00:12 <DIR> d-------- C:\Program Files\utorrent
2006-11-06 00:12 <DIR> d-------- C:\Program Files\utorrent
2006-11-06 00:12 <DIR> d-------- C:\Program Files\utorrent
2006-11-06 00:12 <DIR> d-------- C:\Program Files\utorrent
2006-11-04 21:39 <DIR> d-------- C:\Program Files\RegScrubXP
2006-11-04 21:39 <DIR> d-------- C:\Program Files\RegScrubXP
2006-11-04 21:39 <DIR> d-------- C:\Program Files\RegScrubXP
2006-11-04 21:39 <DIR> d-------- C:\Program Files\RegScrubXP
2006-11-04 21:32 <DIR> d-------- C:\Program Files\CleanMyPC
2006-11-04 21:32 <DIR> d-------- C:\Program Files\CleanMyPC
2006-11-04 21:32 <DIR> d-------- C:\Program Files\CleanMyPC
2006-11-04 21:32 <DIR> d-------- C:\Program Files\CleanMyPC
2006-11-04 20:13 11,648 --a------ C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-11-04 20:11 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2006-11-04 19:43 <DIR> d-------- C:\Program Files\Innovative Solutions
2006-11-04 19:43 <DIR> d-------- C:\Program Files\Innovative Solutions
2006-11-04 19:43 <DIR> d-------- C:\Program Files\Innovative Solutions
2006-11-04 19:43 <DIR> d-------- C:\Program Files\Innovative Solutions
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-02 00:49 -------- d-------- C:\Program Files\Soulseek
2006-12-02 00:49 -------- d-------- C:\Program Files\Soulseek
2006-11-30 20:38 -------- d-------- C:\Program Files\Internet Explorer
2006-11-30 20:38 -------- d-------- C:\Program Files\Internet Explorer
2006-11-30 20:37 -------- d-a------ C:\Program Files\Common Files
2006-11-30 20:37 -------- d-a------ C:\Program Files\Common Files
2006-11-30 20:37 -------- d-------- C:\Program Files\AOL 9.0
2006-11-30 20:37 -------- d-------- C:\Program Files\AOL 9.0
2006-11-08 03:00 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-11-08 03:00 -------- d-------- C:\Program Files\Windows Live Toolbar
2006-10-26 18:39 -------- d-------- C:\Program Files\fsupport
2006-10-26 18:39 -------- d-------- C:\Program Files\fsupport
2006-10-18 18:48 -------- d-------- C:\Program Files\Google
2006-10-18 18:48 -------- d-------- C:\Program Files\Google
2006-10-18 18:41 -------- d-------- C:\Program Files\Winamp
2006-10-18 18:41 -------- d-------- C:\Program Files\Winamp
2006-10-18 18:40 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-18 18:40 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-18 18:39 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-18 18:39 -------- d-------- C:\Program Files\Adobe
2006-10-18 18:39 -------- d-------- C:\Program Files\Adobe
2006-10-15 02:01 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-15 02:01 -------- d-------- C:\Program Files\MSXML 4.0
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-07 02:26 -------- d-------- C:\Program Files\MSN
2006-10-07 02:26 -------- d-------- C:\Program Files\MSN
2006-10-04 20:46 29784 --a------ C:\Program Files\popcorn Terms.html
2006-10-04 20:46 29784 --a------ C:\Program Files\popcorn Terms.html
2006-10-02 10:44 629264 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys
2006-10-02 10:44 108592 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys
2006-09-13 05:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"Ulead AutoDetector v2"="C:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\monitor.exe"
"PCMService"="\"c:\\Apps\\Powercinema\\PCMService.exe\""
"ACTIVBOARD"="c:\\apps\\ABoard\\ABoard.exe"
"ElbyCheckAnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\ElbyCheck.exe\" /L AnyDVD"
"AnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DSLSTATEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"CaISSDT"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"CaAvTray"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVTray.exe\""
"CAVRID"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust EZ Antivirus\\CAVRID.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"RegistryMechanic"=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\HDReg.job

Completion time: 06-12-02 0:54:21.90
C:\ComboFix.txt ... 06-12-02 00:54

KASPERSKY ONLINE SCANNER REPORT
Saturday, December 02, 2006 2:10:47 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/12/2006
Kaspersky Anti-Virus database records: 233373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 59879
Number of viruses found: 1
Number of infected objects: 4 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:45:52

Infected Object Name / Virus Name / Last Action
C:\Program Files\BT Broadband Basic Help\log\mpbtn.log Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP413\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CD2789FA-DA9A-4707-8798-8F6A6BBB2AB6}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Piploo\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Desktop\Desktop stuff\Registry[1].Mechanic.v6.00.750.Cracked-EXPLOSiON.zip/run.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.bbp skipped
D:\Documents and Settings\Piploo\Desktop\Desktop stuff\Registry[1].Mechanic.v6.00.750.Cracked-EXPLOSiON.zip/run.exe/stream Infected: Trojan-Downloader.Win32.Zlob.bbp skipped
D:\Documents and Settings\Piploo\Desktop\Desktop stuff\Registry[1].Mechanic.v6.00.750.Cracked-EXPLOSiON.zip/run.exe Infected: Trojan-Downloader.Win32.Zlob.bbp skipped
D:\Documents and Settings\Piploo\Desktop\Desktop stuff\Registry[1].Mechanic.v6.00.750.Cracked-EXPLOSiON.zip ZIP: infected - 3 skipped
D:\Documents and Settings\Piploo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\History\History.IE5\MSHist012006120120061202\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\My Documents\My Music\black album\disc 4\INCOMPLETE~4-04 Everybody Needs Somebody.mp3 Object is locked skipped
D:\Documents and Settings\Piploo\ntuser.dat Object is locked skipped
D:\Documents and Settings\Piploo\ntuser.dat.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP413\change.log Object is locked skipped

Scan process completed.
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Unread postby Susan528 » December 2nd, 2006, 11:43 am

Hi piploo,

Kaspersky found a few infected files we need to get rid of. It is odd how files with the word Cracked in them are generally infected.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
D:\Documents and Settings\Piploo\Desktop\Desktop stuff\Registry[1].Mechanic.v6.00.750.Cracked-EXPLOSiON.zip<=file

Exit Explorer, and reboot as normal afterwards.

Please post a fresh HijackThis log and a Kaspersky log again and let's make sure you got it!
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby piploo » December 2nd, 2006, 1:07 pm

Hi, thanks for your time, here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 17:05:46, on 02/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
D:\Documents and Settings\Piploo\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\autodown.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d1d70c25820048668871f2219a9be50c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d1d70c25820048668871f2219a9be50c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Unread postby piploo » December 2nd, 2006, 4:11 pm

I hope I'm not jumping the gun but I've fixed the line beginning O17 as it has made it back into the log but was removed before. Hope that was the correct thing to do?
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Unread postby Susan528 » December 2nd, 2006, 5:10 pm

You did right to delete it. But something must be generating it. Did you run Kaspersky again? Were you able to delete that file that I wanted you to delete?

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: *****@inhoster.com
remarks: Network problems to: ***@inhoster.com
remarks: Peering requests to: *******@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-RIPE
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
tech-c: FWHS1-RIPE
notify: *******@bas-net.by
notify: *******@ydav.com
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-by: RECIT-MNT
mnt-routes: RECIT-MNT
mnt-domains: RECIT-MNT
mnt-by: DAV-MNT
mnt-routes: DAV-MNT
mnt-domains: DAV-MNT
changed: *******@bas-net.by 20050916
changed: **********@ripe.net 20051026
source: RIPE

organisation: ORG-EST1-RIPE
org-name: INHOSTER
org-type: NON-REGISTRY
remarks: *************************************
remarks: * Abuse contacts: *****@inhoster.com *
remarks: *************************************
address: OOO Inhoster
address: Poltavskij Shliax 24, Xarkov,
address: 61000, Ukraine
phone: +38 066 4633621
e-mail: *******@inhoster.com
admin-c: AK4026-RIPE
tech-c: AK4026-RIPE
ref-nfy: *******@ydav.com
ref-nfy: *******@inhoster.com
mnt-ref: DAV-MNT
notify: *******@ydav.com
notify: *******@inhoster.com
mnt-by: DAV-MNT
changed: *******@ydav.com 20050725
source: RIPE

person: Andrei Kislizin
address: OOO Inhoster,
address: ul.Antonova 5, Kiev,
address: 03186, Ukraine
phone: +38 044 2404332
nic-hdl: AK4026-RIPE
notify: *******@inhoster.com
notify: *******@ydav.com
changed: *******@ydav.com 20050725
source: RIPE

person: Fast Web Hosting Support
address: 01110, Ukraine, Kiev, 20, Solomenskaya street. room 201.
address: UA
phone: +35 79 91 17 759
e-mail: *******@fwebhost.net
nic-hdl: FWHS1-RIPE
changed: *******@fwebhost.net 20060813
source: RIPE


Let me know about the Kaspersky scan. Also please do the following:
STEP 1.
======
GMER
Please create a new subfolder in the Program Files folder called GMER. If you have an older version of GMER installed, you must delete it.
  • Download GMER and extract it to the C:\program files\GMER folder.
  • Run the Gmer.exe program by double-clicking the executable file (gmer.exe) in Windows Explorer.
    You may be prompted to scan immediately if GMER detects rootkit activity.
    • If you are prompted to scan your system click "yes" to begin the scan.
    • If you are not prompted, Click the "Rootkit" tab, then click "Scan".

At the end of the scan, click "Copy" to copy the scan results to the clipboard. Then paste the results in a notepad file and also paste them back in a reply here.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
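
As an added example (not from the thread and not part of HijackThis, ComboFix or any other tool mentioned here): a small Python script that parses the O17 NameServer lines of a HijackThis log and flags any server that falls inside the 85.255.112.0 - 85.255.127.255 block the whois record above reports. The sample log lines it runs on are constructed; the second interface GUID is a placeholder.

```python
"""Flag HijackThis O17 NameServer entries that point into a suspicious netblock.

Added example, not code from the thread or from any tool it mentions. It reads
'O17 - ...: NameServer = ...' lines and classifies each nameserver address.
"""
import ipaddress
import re

# Netblock copied from the RIPE inetnum record quoted in the thread
# (85.255.112.0 - 85.255.127.255, which is exactly 85.255.112.0/20).
SUSPICIOUS_NETS = list(
    ipaddress.summarize_address_range(
        ipaddress.IPv4Address("85.255.112.0"),
        ipaddress.IPv4Address("85.255.127.255"),
    )
)

# HijackThis prints one O17 line per interface GUID; the servers may be
# separated by spaces or commas.
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(line):
    """Return (registry key, [server strings]) for an O17 line, else None."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
    return m.group("key"), servers


def classify_server(server):
    """'suspicious' if inside a listed netblock, 'private' for RFC 1918 style
    addresses (usually the home router), 'unparsed' if not an IPv4 address,
    otherwise 'other' (a public resolver that still deserves a look)."""
    try:
        ip = ipaddress.IPv4Address(server)
    except ValueError:
        return "unparsed"
    if any(ip in net for net in SUSPICIOUS_NETS):
        return "suspicious"
    if ip.is_private:
        return "private"
    return "other"


def scan_log(text):
    """Walk a HijackThis log and return one finding per nameserver."""
    findings = []
    for line in text.splitlines():
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for s in servers:
            findings.append({"key": key, "server": s, "verdict": classify_server(s)})
    return findings


def suspicious_keys(text):
    """Registry keys whose NameServer value points into a suspicious netblock.
    These are the O17 lines to fix and then re-check in the next log: if one
    comes back, something on the machine is still rewriting it."""
    return sorted({f["key"] for f in scan_log(text) if f["verdict"] == "suspicious"})


# Constructed sample log: the first O17 line mirrors the one in the thread,
# the second is a made-up interface (placeholder GUID) pointing at a router.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.254,192.168.1.1
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['server']:16} {f['key']}")
```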

Unread postby Susan528 » December 2nd, 2006, 10:16 pm

Please do this also.

STEP 1.
======
Silent Runners

Download Silentrunners.zip from here and unzip it to a new folder on your desktop.
  • Run the SilentRunners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click NO
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run (it won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file and copy & paste it in your next reply.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby piploo » December 3rd, 2006, 9:03 am

OK, here we go.

Here is the Kasp report.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 02, 2006 11:05:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 3/12/2006
Kaspersky Anti-Virus database records: 233617
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 60016
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:46:29

Infected Object Name / Virus Name / Last Action
C:\Program Files\BT Broadband Basic Help\log\mpbtn.log Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP414\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SN048800320432.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B173FBA6-29A1-4DB7-8D1D-9EFE68D9505B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT079a5.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT079b9.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat Object is locked skipped
D:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat Object is locked skipped
D:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Piploo\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\History\History.IE5\MSHist012006120220061203\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Temp\~DF23D9.tmp Object is locked skipped
D:\Documents and Settings\Piploo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Piploo\My Documents\My Music\INCOMPLETE~Egg, the - Wall (Mylo Remi.mp3 Object is locked skipped
D:\Documents and Settings\Piploo\ntuser.dat Object is locked skipped
D:\Documents and Settings\Piploo\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Piploo\UserData\index.dat Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP414\change.log Object is locked skipped

Scan process completed.

Here is the GMER file.

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-12-03 12:48:47
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [B5CE52A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [B5CE52A0] vsdatant.sys

---- Files - GMER 1.0.11 ----

ADS ...
ADS D:\Documents and Settings\Piploo\Desktop\AV Tools\audiograbber.exe:SummaryInformation
ADS D:\Documents and Settings\Piploo\Desktop\AV Tools\audiograbber.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----

And finally, the Silent Runners file.

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe" ["Sun Microsystems, Inc."]
"Ulead AutoDetector v2" = "C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" ["Ulead Systems, Inc."]
"PCMService" = ""c:\Apps\Powercinema\PCMService.exe"" ["CyberLink Corp."]
"ACTIVBOARD" = "c:\apps\ABoard\ABoard.exe" ["NEC Computers International"]
"ElbyCheckAnyDVD" = ""C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD" ["Elaborate Bytes AG"]
"AnyDVD" = ""C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"" ["SlySoft"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"DSLSTATEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon" ["GlobespanVirata, Inc."]
"DSLAGENTEXE" = "C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [null data]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"CaISSDT" = ""C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"" ["Computer Associates International, Inc."]
"CaAvTray" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"" ["Computer Associates International, Inc."]
"CAVRID" = ""C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"" ["Computer Associates International, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"RegistryMechanic" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Sign-in Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 DragDrop Shell Extension"
-> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Property Sheet Shell Extension"
-> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]
Shldsb\(Default) = "{91F8021B-ADB9-4548-A5FF-FB9F009FA5B6}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "Shldsb.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Shldsb\(Default) = "{91F8021B-ADB9-4548-A5FF-FB9F009FA5B6}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "Shldsb.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
-> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
\InProcServer32\(Default) = "C:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}"
-> {HKLM...CLSID} = "CA_AntiVirus"
\InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Piploo\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Piploo" & "All Users" startup folders:
--------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"BT Broadband Basic Help" -> shortcut to: "C:\Program Files\BT Broadband Basic Help\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]


Enabled Scheduled Tasks:
------------------------

"Check Updates for Windows Live Toolbar" -> launches: "C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE" [MS]
"HDReg" -> launches: "c:\Apps\HDReg\HDRegRem.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 24
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)
-> {HKLM...CLSID} = "Windows Live Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Windows Live Toolbar\msntb.dll" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
CAISafe, CAISafe, "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe" ["Computer Associates International, Inc."]
CyberLink Background Capture Service (CBCS), CLCapSvc, ""c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe"" [empty string]
CyberLink Media Library Service, CyberLink Media Library Service, ""C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe"" ["Cyberlink"]
CyberLink Task Scheduler (CTS), CLSched, ""c:\APPS\Powercinema\Kernel\TV\CLSched.exe"" [empty string]
Generic Service for HID Keyboard Input Collections, GenericHidService, "c:\APPS\HIDSERVICE\HIDSERVICE.exe" [null data]
SmartLinkService, SLService, "slserv.exe" [" "]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
VET Message Service, VETMSGNT, "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe" ["Computer Associates International, Inc."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 95 seconds.
---------- (total run time: 204 seconds)

Cheers
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Unread postby Susan528 » December 3rd, 2006, 9:21 am

Okay, GMER did not show any rootkits = good!
The Kaspersky log is clean.
I am reviewing the Silent Runners log.

Are you still experiencing problems?
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby piploo » December 3rd, 2006, 11:08 am

Hi, I've just checked my homepage, and the hijack appears to have gone. Thanks very very much for the help. Are there any programs you would recommend for protecting me from this in the future? I currently use Spybot and Ad-Aware, with a ZoneAlarm firewall.
Thanks
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm

Unread postby Susan528 » December 3rd, 2006, 4:03 pm

Please post another hijackthis log and let me review it one more time.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby piploo » December 3rd, 2006, 6:14 pm

Hi, I've noticed the O17 line has come back. Here's the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 22:12:52, on 03/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Soulseek\slsk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Piploo\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD
O4 - HKLM\..\Run: [AnyDVD] "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?d1d70c25820048668871f2219a9be50c
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?d1d70c25820048668871f2219a9be50c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
piploo
Active Member
 
Posts: 8
Joined: November 30th, 2006, 5:13 pm
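The O17 entry piploo points out above is the security-relevant line in that log: the TCP/IP interface's NameServer value has been set to two resolvers on 85.255.x.x instead of the router or ISP, which sends every DNS lookup through someone else's servers and explains a homepage "hijack" that keeps coming back. The following is an added Python example, not code from the thread or from HijackThis, that parses O17 lines out of an HJT log and reports every resolver outside a trusted allow-list; the allow-list, the placeholder ISP range 203.0.113.0/24 and the second, benign O17 line are constructed assumptions.

```python
import ipaddress
import re

# One HijackThis O17 entry per network interface, e.g.
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\[^:]*\{(?P<guid>[0-9A-Fa-f-]+)\}): NameServer = (?P<servers>.+)$"
)

SAMPLE_LOG = [
    # Lines as posted in the thread above:
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{6B41ACD4-9420-4665-BECD-9FBBA97B1372}: NameServer = 85.255.115.66 85.255.112.98",
    # Constructed benign entry (home router acting as resolver) for contrast:
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
]

# Assumed allow-list: RFC 1918 space (the router) plus a placeholder ISP resolver range.
TRUSTED_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24"]


def parse_o17(line):
    """Return (registry key, interface GUID, [resolver strings]) or None if not an O17 line."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # HJT separates multiple resolvers with spaces or commas.
    servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
    return m.group("key"), m.group("guid"), servers


def flag_nameservers(log_lines, trusted_networks):
    """Return [(guid, resolver)] for every O17 resolver outside the trusted networks."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        _, guid, servers = parsed
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append((guid, server))  # not an IP literal at all: inspect it
                continue
            if not any(ip in net for net in trusted):
                findings.append((guid, server))
    return findings


if __name__ == "__main__":
    for guid, server in flag_nameservers(SAMPLE_LOG, TRUSTED_NETWORKS):
        print(f"interface {{{guid}}} uses untrusted resolver {server}")
```

If the flagged value returns after the registry is cleaned, the thing rewriting it (a service, scheduled task or DHCP lease handing out those resolvers) still needs to be found, which is why the helper asks for a fresh log rather than just deleting the line.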