Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trying to remove trojans HJT included

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Trying to remove trojans HJT included

Unread postby shugz » May 27th, 2007, 3:09 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:06:39 PM, on 5/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = thundanet.homeip.net:4480
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4563483987
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4565248968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



TIA!
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am
Advertisement
Register to Remove

Unread postby tim s » May 28th, 2007, 10:47 pm

Hello shugz

Welcome to the MalWare Removal forums! I'll be glad to help you with your computer problems.
HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

In order to help me help you, please observe the following while we work:
  1. If you don't know, stop and ask! Don't continue, we don't want to start all over again!
  2. Understand that cleaning your computer can sometimes take multiple passes/posts,
    and it's important to follow the steps as listed including re-running scans as listed
  3. Please reply to this thread, do not start another.


If you can do those three things, everything should go smoothly


----------------------------------------------------------------------------

Your log indicates Norton and AVG7 Anti-virus programs.

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two or more anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. They can conflict with each other which leaves you open to infection.


If you have more than one antivirus program installed, you must narrow it down to only one. Please choose one that is currently capable of receiving updates of virus definitions. If you have an antivirus program that no longer has an active subscription to antivirus updates, it cannot protect your system from malware.

You must decide which one you want to use and uninstall all others.

If you choose AVG7 (free for home use only) it does not come with a firewall you will have to choose a firewall to go with it from list below and install.

Here are some you can choose from
Only run one firewall program too same as antivirus software.

Firewall protection programs: (free for personal use only available)

Link to one Jetico Personal Firewall

Link to second Comodo Firewall

Link to third ZoneAlarm

Make sure to restart computer if you install one of these firewall program before continuing

------------------------------------------------------------------------------
Please do the following:

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Change settings Under Files/Folders Created Within-----
    • Click on 60 days
  • Change settings Under Files/Folders Modified Within-----
    • Click on 60 days
  • Next on the right side of screen Under Additional Scans
    • Put a checkmark in the box next to Reg-Uninstall List
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Use the Add Reply button and Copy/Paste the information back here.

Note* If, after posting your reply, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into separate reply post.

Please post log and I will review it.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » May 29th, 2007, 9:28 am

tim s wrote:Your log indicates Norton and AVG7 Anti-virus programs.

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two or more anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. They can conflict with each other which leaves you open to infection.


If you have more than one antivirus program installed, you must narrow it down to only one. Please choose one that is currently capable of receiving updates of virus definitions. If you have an antivirus program that no longer has an active subscription to antivirus updates, it cannot protect your system from malware.

You must decide which one you want to use and uninstall all others.



I have been using AVG free for quite sometime. I guess when I uninstalled Norton it didnt bother to remove it's own Live Update program and I never noticed :oops:

I have uninstalled the left-over Live Update software via the add/remove programs list. I d/l'd the software for scanning my machine and launched a scan per your instructions before I left for work this morning. So, I wont be able to check it until this evening. Thanks for your help so far and I will post the scan log as soon as I can tonite! :)
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby shugz » May 29th, 2007, 7:59 pm

WinPFind3 logfile created on: 5/29/2007 7:07:00 AM
WinPFind3U by OldTimer - Version 1.0.38 Folder = C:\Documents and Settings\Richard\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)

1023.00 Mb Total Physical Memory | 723.75 Mb Available Physical Memory | 70.75% Memory free
2.40 Gb Paging File | 2.15 Gb Available in Paging File | 89.51% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.72 Gb Total Space | 14.97 Gb Free Space | 13.40% Space Free
D: Drive not present or media not loaded
Drive E: | 344.71 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free
Drive F: | 604.45 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free

Computer Name: SHUGSXPS
Current User Name: Richard
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
adservice.exe -> %ProgramFiles%\Iomega\AutoDisk\ADService.exe -> Iomega Corporation [Ver = 3, 2, 1, 5 | Size = 151552 bytes | Modified Date = 9/24/2002 5:39:48 PM | Attr = ]
adusermon.exe -> %ProgramFiles%\Iomega\AutoDisk\ADUserMon.exe -> Iomega Corporation [Ver = 3, 2, 1, 5 | Size = 147456 bytes | Modified Date = 9/24/2002 5:39:24 PM | Attr = ]
appservices.exe -> %ProgramFiles%\Iomega\System32\AppServices.exe -> Iomega Corporation [Ver = 2, 0, 2, 5 | Size = 73728 bytes | Modified Date = 9/4/2002 3:11:04 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4142 | Size = 413696 bytes | Modified Date = 8/22/2006 8:45:14 PM | Attr = ]
ati2evxx.exe -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4142 | Size = 413696 bytes | Modified Date = 8/22/2006 8:45:14 PM | Attr = ]
avgamsvr.exe -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.453 | Size = 353280 bytes | Modified Date = 4/21/2007 8:14:46 AM | Attr = ]
avgemc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.460 | Size = 351744 bytes | Modified Date = 4/21/2007 8:14:48 AM | Attr = ]
avgupsvc.exe -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 4/3/2007 8:12:32 AM | Attr = ]
cli.exe -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLI.exe -> ATI Technologies Inc. [Ver = 1.11.0.0 | Size = 45056 bytes | Modified Date = 1/2/2006 5:41:22 PM | Attr = ]
ctdvddet.exe -> %ProgramFiles%\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe -> Creative Technology Ltd [Ver = 1.0.2.0 | Size = 45056 bytes | Modified Date = 9/30/2002 1:00:00 AM | Attr = ]
cthelper.exe -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 0, 1, 2 | Size = 24576 bytes | Modified Date = 10/6/2003 2:57:32 PM | Attr = ]
ctsvccda.exe -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
ctsysvol.exe -> %ProgramFiles%\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.1.3.0 | Size = 49152 bytes | Modified Date = 10/29/2002 9:18:24 AM | Attr = ]
directcd.exe -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 12:28:00 PM | Attr = ]
dsentry.exe -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 6:22:52 PM | Attr = R ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/15/2007 6:21:24 PM | Attr = ]
ventrilo_srv.exe -> %ProgramFiles%\VentSrv\ventrilo_srv.exe -> [Ver = | Size = 221184 bytes | Modified Date = 9/14/2005 11:46:42 AM | Attr = ]
ventrilo_svc.exe -> %ProgramFiles%\VentSrv\ventrilo_svc.exe -> [Ver = | Size = 65536 bytes | Modified Date = 7/13/2005 10:18:10 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.38.0 | Size = 318976 bytes | Modified Date = 5/22/2007 6:27:40 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %System32%\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4142 | Size = 413696 bytes | Modified Date = 8/22/2006 8:45:14 PM | Attr = ]
(ATI Smart) ATI Smart [Win32_Own | Auto | Stopped] -> %System32%\ati2sgag.exe -> [Ver = 5.13.0025 | Size = 520192 bytes | Modified Date = 8/22/2006 9:05:00 PM | Attr = ]
(Autodesk Licensing Service) Autodesk Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Autodesk Shared\Service\AdskScSrv.exe -> Autodesk [Ver = 2.70.000 | Size = 77944 bytes | Modified Date = 5/11/2007 8:56:44 PM | Attr = ]
(Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgamsvr.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.453 | Size = 353280 bytes | Modified Date = 4/21/2007 8:14:46 AM | Attr = ]
(Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgupsvc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.420 | Size = 49664 bytes | Modified Date = 4/3/2007 8:12:32 AM | Attr = ]
(AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Free\avgemc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.460 | Size = 351744 bytes | Modified Date = 4/21/2007 8:14:48 AM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %System32%\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 1:01:00 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 2:56:48 AM | Attr = ]
(DynDNS_Updater_Service) DynDNS Updater Service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\DynDNS Updater\DynDNS.exe -> Kana Solution [Ver = 3.1.0.15 | Size = 1352704 bytes | Modified Date = 9/17/2006 11:32:16 AM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2/15/2007 6:21:22 PM | Attr = ]
(Iomega Activity Disk2) Iomega Activity Disk2 [Win32_Own | Disabled | Stopped] -> -> File not found
(Iomega App Services) Iomega App Services [Win32_Own | Auto | Running] -> %ProgramFiles%\Iomega\System32\AppServices.exe -> Iomega Corporation [Ver = 2, 0, 2, 5 | Size = 73728 bytes | Modified Date = 9/4/2002 3:11:04 PM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 1.2.26.0 | Size = 143360 bytes | Modified Date = 3/3/2003 1:33:40 PM | Attr = ]
(Ventrilo) Ventrilo [Win32_Own | Auto | Running] -> %ProgramFiles%\VentSrv\ventrilo_svc.exe -> [Ver = | Size = 65536 bytes | Modified Date = 7/13/2005 10:18:10 PM | Attr = ]
(vsmon) TrueVector Internet Monitor [Win32_Own | Auto | Stopped] -> %System32%\ZoneLabs\vsmon.exe -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 75568 bytes | Modified Date = 3/9/2007 1:01:58 AM | Attr = ]
(_IOMEGA_ACTIVE_DISK_SERVICE_) Iomega Active Disk [Win32_Own | Auto | Running] -> %ProgramFiles%\Iomega\AutoDisk\ADService.exe -> Iomega Corporation [Ver = 3, 2, 1, 5 | Size = 151552 bytes | Modified Date = 9/24/2002 5:39:48 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
AdaptecDirectCD -> %ProgramFiles%\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe -> Roxio [Ver = 5.3.4.21 | Size = 684032 bytes | Modified Date = 12/17/2002 12:28:00 PM | Attr = ]
ADUserMon -> %ProgramFiles%\Iomega\AutoDisk\ADUserMon.exe -> Iomega Corporation [Ver = 3, 2, 1, 5 | Size = 147456 bytes | Modified Date = 9/24/2002 5:39:24 PM | Attr = ]
ATICCC -> %ProgramFiles%\ATI Technologies\ATI.ACE\CLIStart.exe -> [Ver = | Size = 90112 bytes | Modified Date = 5/10/2006 11:12:06 AM | Attr = ]
AVG7_CC -> %ProgramFiles%\Grisoft\AVG Free\avgcc.exe -> GRISOFT, s.r.o. [Ver = 7.5.0.460 | Size = 416256 bytes | Modified Date = 4/21/2007 8:14:46 AM | Attr = ]
CTDVDDet -> %ProgramFiles%\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe -> Creative Technology Ltd [Ver = 1.0.2.0 | Size = 45056 bytes | Modified Date = 9/30/2002 1:00:00 AM | Attr = ]
CTHelper -> %System32%\CTHELPER.EXE -> Creative Technology Ltd [Ver = 1, 0, 1, 2 | Size = 24576 bytes | Modified Date = 10/6/2003 2:57:32 PM | Attr = ]
CTSysVol -> %ProgramFiles%\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe -> Creative Technology Ltd [Ver = 1.1.3.0 | Size = 49152 bytes | Modified Date = 10/29/2002 9:18:24 AM | Attr = ]
DVDSentry -> %System32%\DSentry.exe -> Dell - Advanced Desktop Engineering [Ver = 1, 0, 2, 0 | Size = 28672 bytes | Modified Date = 8/14/2002 6:22:52 PM | Attr = R ]
Logitech Hardware Abstraction Layer -> %SystemRoot%\KHALMNPR.Exe -> Logitech Inc. [Ver = 2.30.314 | Size = 49152 bytes | Modified Date = 12/10/2004 1:45:26 PM | Attr = ]
PRONoMgr.exe -> %ProgramFiles%\Intel\NCS\PROSet\PRONoMgr.exe -> Intel(R) Corporation [Ver = 6.2.35.0 | Size = 86016 bytes | Modified Date = 3/11/2003 4:24:40 PM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe -> Apple Computer, Inc. [Ver = 7.1.3 | Size = 282624 bytes | Modified Date = 9/1/2006 3:57:48 PM | Attr = ]
THGuard -> %ProgramFiles%\TrojanHunter 4.6\THGuard.exe -> Mischel Internet Security [Ver = 4.5.0.277 | Size = 1102848 bytes | Modified Date = 5/11/2007 8:01:48 PM | Attr = ]
UpdReg -> %SystemRoot%\Updreg.EXE -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 5/11/2000 1:00:00 AM | Attr = ]
WinPatrol -> %ProgramFiles%\BillP Studios\WinPatrol\WinPatrol.exe -> BillP Studios [Ver = 7, 0, 0, 3 | Size = 192512 bytes | Modified Date = 3/10/2004 9:33:06 AM | Attr = ]
ZoneAlarm Client -> %ProgramFiles%\Zone Labs\ZoneAlarm\zlclient.exe -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 919280 bytes | Modified Date = 3/9/2007 1:02:00 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igndlm.exe -> %ProgramFiles%\IGN\Download Manager\DLM.exe -> IGN Entertainment [Ver = 2.3.6.108 | Size = 1103480 bytes | Modified Date = 3/5/2007 4:57:48 PM | Attr = ]
SB Audigy 2 Startup Menu -> -> File not found
Steam -> -> File not found
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Google Inc. [Ver = 1, 2, 1128, 5462 | Size = 171448 bytes | Modified Date = 2/15/2007 6:21:24 PM | Attr = ]
< Common Startup > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%AllUsersStartup%\Adobe Gamma Loader.lnk -> %CommonProgramFiles%\Adobe\Calibration\Adobe Gamma Loader.exe -> Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Modified Date = 11/4/1999 3:06:48 PM | Attr = ]
%AllUsersStartup%\AutoCAD Startup Accelerator.lnk -> %CommonProgramFiles%\Autodesk Shared\acstart17.exe -> Autodesk, Inc [Ver = 17.0.54.0 | Size = 11000 bytes | Modified Date = 3/5/2006 7:43:54 AM | Attr = ]
%AllUsersStartup%\Logitech SetPoint.lnk -> %ProgramFiles%\Logitech\SetPoint\SetPoint.exe -> Logitech Inc. [Ver = 2.30.399 | Size = 434176 bytes | Modified Date = 1/28/2005 3:35:58 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent -> %System32%\ati2evxx.dll -> ATI Technologies Inc. [Ver = 6.14.10.4142 | Size = 86016 bytes | Modified Date = 8/22/2006 8:46:30 PM | Attr = ]
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKLM: Search Bar -> ->
HKLM: Search Page -> http://www.google.com ->
HKLM: Start Page -> http://www.shacknews.com/ ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://www.google.com/ie ->
HKCU: Local Page -> C:\WINDOWS\System32\blank.htm ->
HKCU: Search Bar -> http://www.google.com/ie ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.shacknews.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 6.0.0.2003051500 | Size = 50376 bytes | Modified Date = 5/15/2003 1:47:54 AM | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{603A8664-541F-42AE-9256-85B3F21CAA97} -> (Intel(R) PRO/100 VE Network Connection) ->
{FC0A7332-E5FA-4341-B553-2C6326C15DBE} -> (1394 Net Adapter) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shoc ... tor/sw.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?LinkID=39204 ->
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/ ... mv9VCM.CAB ->
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -> CDownloadCtrl Object - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab ->
{41F17733-B041-4099-A042-B518BB6A408C} -> - CodeBase = http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupda ... 4563483987 ->
{68BCE50A-DC9B-4519-A118-6FDA19DB450D} -> Info Class - CodeBase = http://www.blizzard.com/register/wowbeta/si.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftup ... 4565248968 ->
{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> GSDACtl Class - CodeBase = http://launch.gamespyarcade.com/softwar ... launch.cab ->
{9F1C11AA-197B-4942-BA54-47A8489BB47F} -> - CodeBase = http://v4.windowsupdate.microsoft.com/C ... 7472106482 ->
{D27CDB6E-0000-0000-0000-000000000000} -> - CodeBase = http://download.macromedia.com/pub/shoc ... wflash.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/fl ... wflash.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Registry - Additional Scans - Non-Microsoft Only]
< Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
{01501EBA-EC35-4F9F-8889-3BE346E5DA13} -> MSXML4 Parser ->
{0BEDBD4E-2D34-47B5-9973-57E62B29307C} -> ATI Control Panel ->
{11CAA479-DD6E-4BD8-92F6-C0F98FD6370C} -> Threewave 1.6 ->
{18D10072035C4515918F7E37EAFAACFC} -> AutoUpdate ->
{22C97984-6A68-4140-872E-B2F5123A7387} -> ATI Catalyst Control Center ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} -> Google Toolbar for Internet Explorer ->
{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3} -> Logitech SetPoint ->
{337FE904-145E-4975-8C76-ED26FC8E1C8B} -> OSP for Quake3 1.03 ->
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP ->
{412B69AF-C352-4F6F-A318-B92B3CB9ACC6} -> Titan Quest ->
{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF} -> Banctec Service Agreement ->
{55FA89BD-21D3-42F7-9249-C94C0094A83C} -> Apple Software Update ->
{56F3E1FF-54FE-4384-A153-6CCABA097814} -> Creative MediaSource ->
{5783F2D7-5001-0409-0002-0060B0CE6BBA} -> AutoCAD 2007 - English ->
{5F8E2CBB-949D-4175-AC98-5ADE7F6C9697} -> PlayNC Launcher ->
{609F7AC8-C510-11D4-A788-009027ABA5D0} -> Easy CD Creator 5 Basic ->
{62D77FB3-32E3-4D37-AB96-0941DE80C9CA} -> Magic The Gathering Online Tutorial ->
{63569CE9-FA00-469C-AF5C-E5D4D93ACF91} -> Windows Genuine Advantage v1.3.0254.0 ->
{6811CAA0-BF12-11D4-9EA1-0050BAE317E1} -> PowerDVD ->
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} -> Microsoft .NET Framework 2.0 ->
{716E0306-8318-4364-8B8F-0CC4E9376BAC} -> MSXML 4.0 SP2 Parser and SDK ->
{789289CA-F73A-4A16-A331-54D498CE069F} -> Ventrilo Client ->
{78CC3BAB-DE2A-4FB4-8FBB-E4DADDC26747} -> Ad-Aware SE Personal ->
{7B63B2922B174135AFC0E1377DD81EC2} -> DivX Codec ->
{85DD724B-15E5-4572-81BF-CF9031D83848} -> Ventrilo Server ->
{8795CBED-55E2-4693-9F14-84EC446935BE} -> SpeechRedist ->
{8A62C8DA-2DB7-4D94-B5BA-1D38FC36E830} -> Manhunt ->
{8ADFC4160D694100B5B8A22DE9DCABD9} -> DivX Player ->
{90D55A3F-1D99-4C94-A77E-46DC14F0BF08} -> Help and Support Customization ->
{911FE3B1-79E4-4CE8-825D-747B6D7D3370} -> Dungeon Runners ->
{98DF85D9-96C0-4F57-A92E-C3539477EF5E} -> DVDSentry ->
{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C} -> Windows Defender Signatures ->
{A790BEB1-BCCF-4EC6-807B-5708B36E8A79} -> Intel(R) PROSet ->
{AC76BA86-7AD7-1033-7B44-000000000001} -> Adobe Reader 6.0 ->
{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7} -> Titan Quest Immortal Throne ->
{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1} -> Microsoft .NET Framework 1.1 ->
{D792A069-B96B-40BA-BCB4-E5651A6E5926} -> Far Cry (Patch 1) ->
{E82BF103-904F-49C0-B77F-6EC110B71E87} -> Sound Blaster Audigy 2 ->
{F07B861C-72B9-40A4-8B1A-AAED4C06A7E8} -> QuickTime ->
Active Disk -> Active Disk ->
Adobe Photoshop 7.0 -> Adobe Photoshop 7.0 ->
All ATI Software -> ATI - Software Uninstall Utility ->
Another World -> Another World 1.1 ->
ATI Display Driver -> ATI Display Driver ->
Autodesk DWF Viewer -> Autodesk DWF Viewer ->
AVG7Uninstall -> AVG Free Edition ->
Battle.net -> Battle.net ->
Bink and Smacker -> Bink and Smacker ->
BulletProof FTP -> BulletProof FTP ->
Download Manager -> Download Manager 2.3.6 ->
DynDNS Updater_is1 -> DynDNS Updater 3.1 ->
GameSpy Arcade -> GameSpy Arcade ->
HijackThis -> HijackThis 1.99.1 ->
IGN Download Manager -> IGN Download Manager 2.3.3 ->
IrfanView -> IrfanView (remove only) ->
KB873333 -> Windows XP Hotfix - KB873333 ->
KB873339 -> Windows XP Hotfix - KB873339 ->
KB885835 -> Windows XP Hotfix - KB885835 ->
KB885836 -> Windows XP Hotfix - KB885836 ->
KB888113 -> Windows XP Hotfix - KB888113 ->
KB888302 -> Windows XP Hotfix - KB888302 ->
KB890046 -> Security Update for Windows XP (KB890046) ->
KB890859 -> Windows XP Hotfix - KB890859 ->
KB891781 -> Windows XP Hotfix - KB891781 ->
KB893066 -> Security Update for Windows XP (KB893066) ->
KB893086 -> Windows XP Hotfix - KB893086 ->
KB893756 -> Security Update for Windows XP (KB893756) ->
KB893803v2 -> Windows Installer 3.1 (KB893803) ->
KB896358 -> Security Update for Windows XP (KB896358) ->
KB896422 -> Security Update for Windows XP (KB896422) ->
KB896423 -> Security Update for Windows XP (KB896423) ->
KB896428 -> Security Update for Windows XP (KB896428) ->
KB898458 -> Security Update for Step By Step Interactive Training (KB898458) ->
KB898461 -> Update for Windows XP (KB898461) ->
KB899587 -> Security Update for Windows XP (KB899587) ->
KB899588 -> Security Update for Windows XP (KB899588) ->
KB899591 -> Security Update for Windows XP (KB899591) ->
KB901214 -> Security Update for Windows XP (KB901214) ->
LiveReg -> LiveReg (Symantec Corporation) ->
Magic Online -> Magic Online ->
Microsoft .NET Framework 1.1 (1033) -> Microsoft .NET Framework 1.1 ->
Microsoft .NET Framework 2.0 -> Microsoft .NET Framework 2.0 ->
Miranda IM_is1 -> Miranda IM ->
mIRC -> mIRC ->
Mozilla Firefox (2.0.0.3) -> Mozilla Firefox (2.0.0.3) ->
MUSICMATCH Jukebox -> MUSICMATCH Jukebox ->
Outerinfo -> Outerinfo ->
PROSet -> Intel(R) PRO Network Adapters and Drivers ->
Proxy+ -> Proxy+ ->
Quake III Arena -> Quake III Arena ->
Quake III Arena Point Release 1.32 -> Quake III Arena Point Release 1.32 ->
Quake III Team Arena -> Quake III Team Arena ->
Shadow Warrior v1.2 -> Shadow Warrior v1.2 ->
Shockwave -> Shockwave ->
ShockwaveFlash -> Macromedia Flash Player 8 ->
Sierra Utilities -> Sierra Utilities ->
Spybot - Search & Destroy_is1 -> Spybot - Search & Destroy 1.4 ->
ST6UNST #1 -> Doomsday KickStart ->
Starcraft -> Starcraft ->
Steam -> Steam ->
Teamspeak 2 RC2_is1 -> TeamSpeak 2 RC2 ->
TeamSpeak 2 Server_is1 -> TeamSpeak 2 Server RC2 ->
TrojanHunter_is1 -> TrojanHunter 4.6 ->
UltraEdit-32 -> UltraEdit-32 Uninstall ->
UNOFFICIAL HD Pack for Steam -> MGZB: UNOFFICIAL HD Pack for Steam ->
Winamp -> Winamp (remove only) ->
Windows Media Format Runtime -> Windows Media Format Runtime ->
Windows Media Player -> Windows Media Player 10 ->
Windows XP Service Pack -> Windows XP Service Pack 2 ->
WinPatrol -> WinPatrol ->
WinRAR archiver -> WinRAR archiver ->
WinZip -> WinZip ->
World of Warcraft -> World of Warcraft ->
XLViewer97 -> Microsoft Excel Viewer 97 ->
ZoneAlarm -> ZoneAlarm ->


[Files/Folders - Created Within 60 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1072762880 bytes | Created Date = 1/1/1601 6:00:00 AM | Attr = HS]
SDRIVE -> %SystemDrive%\SDRIVE -> [Folder | Created Date = 5/11/2007 4:46:41 PM | Attr = ]
Work -> %SystemDrive%\Work -> [Folder | Created Date = 5/18/2007 3:40:14 PM | Attr = ]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 5/27/2007 3:51:07 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Created Date = 5/16/2007 3:16:17 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Created Date = 5/16/2007 3:14:46 PM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Created Date = 5/16/2007 2:00:40 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Created Date = 5/16/2007 2:00:39 PM | Attr = H ]
retadpu11.exe -> %SystemRoot%\retadpu11.exe -> [Ver = 1, 0, 0, 2 | Size = 40960 bytes | Created Date = 5/27/2007 10:36:31 AM | Attr = ]
system32CmdLineExt.dll -> %System32%CmdLineExt.dll -> Sony DADC Austria AG. [Ver = 1,0,201,0 | Size = 98304 bytes | Created Date = 4/30/2007 4:15:27 PM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 75512 bytes | Created Date = 5/27/2007 3:52:30 PM | Attr = ]
CmdLineExt03.dll -> %System32%\CmdLineExt03.dll -> [Ver = | Size = 43520 bytes | Created Date = 5/22/2007 7:05:13 PM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 5/27/2007 3:52:13 PM | Attr = ]
pxafs.dll -> %System32%\pxafs.dll -> Sonic Solutions [Ver = 3.2.40.500 | Size = 129784 bytes | Created Date = 4/17/2007 7:39:00 AM | Attr = ]
pxsfs.dll -> %System32%\pxsfs.dll -> Sonic Solutions [Ver = 3.2.40.500 | Size = 1309432 bytes | Created Date = 4/17/2007 7:39:00 AM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Created Date = 5/16/2007 11:33:49 AM | Attr = R ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49617 bytes | Created Date = 5/27/2007 3:51:59 PM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 5/27/2007 3:51:07 PM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 394192 bytes | Created Date = 5/27/2007 3:51:59 PM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 157424 bytes | Created Date = 5/27/2007 3:51:07 PM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 104176 bytes | Created Date = 5/27/2007 3:52:00 PM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 276208 bytes | Created Date = 5/27/2007 3:52:01 PM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 71408 bytes | Created Date = 5/27/2007 3:52:13 PM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 472816 bytes | Created Date = 5/27/2007 3:51:07 PM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 46832 bytes | Created Date = 5/27/2007 3:52:04 PM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 100080 bytes | Created Date = 5/27/2007 3:52:02 PM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 5/27/2007 3:52:09 PM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 71408 bytes | Created Date = 5/27/2007 3:52:10 PM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 5/27/2007 3:52:41 PM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 5/27/2007 3:52:01 PM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 5/27/2007 3:52:03 PM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Created Date = 4/3/2007 7:13:29 AM | Attr = ]

[Files/Folders - Modified Within 60 days]
$VAULT$.AVG -> %SystemDrive%\$VAULT$.AVG -> [Folder | Modified Date = 5/28/2007 10:58:56 PM | Attr = RH ]
docs -> %SystemDrive%\docs -> [Folder | Modified Date = 4/12/2007 8:13:30 AM | Attr = ]
downloads -> %SystemDrive%\downloads -> [Folder | Modified Date = 5/26/2007 12:47:48 PM | Attr = ]
games -> %SystemDrive%\games -> [Folder | Modified Date = 5/22/2007 7:57:14 PM | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1072762880 bytes | Modified Date = 5/27/2007 4:56:50 PM | Attr = HS]
ISOS -> %SystemDrive%\ISOS -> [Folder | Modified Date = 5/11/2007 5:56:44 PM | Attr = ]
mp3 -> %SystemDrive%\mp3 -> [Folder | Modified Date = 4/27/2007 5:08:10 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 5/27/2007 4:52:02 PM | Attr = ]
SDRIVE -> %SystemDrive%\SDRIVE -> [Folder | Modified Date = 5/22/2007 7:56:36 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 5/28/2007 10:58:14 PM | Attr = ]
Work -> %SystemDrive%\Work -> [Folder | Modified Date = 5/20/2007 3:17:50 PM | Attr = ]
assembly -> %SystemRoot%\assembly -> [Folder | Modified Date = 5/11/2007 8:56:42 PM | Attr = R S]
BOOTSTAT.DAT -> %SystemRoot%\BOOTSTAT.DAT -> [Ver = | Size = 2048 bytes | Modified Date = 5/27/2007 4:56:58 PM | Attr = S]
CSC -> %SystemRoot%\CSC -> [Folder | Modified Date = 5/24/2007 4:55:08 PM | Attr = HS]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 5/16/2007 1:16:00 PM | Attr = S]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 5/11/2007 8:55:48 PM | Attr = R S]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 5/11/2007 8:55:08 PM | Attr = ]
INF -> %SystemRoot%\INF -> [Folder | Modified Date = 5/24/2007 4:55:38 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 5/22/2007 8:04:24 PM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 5/28/2007 10:46:04 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 1156 bytes | Modified Date = 5/16/2007 4:16:20 PM | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 0 bytes | Modified Date = 5/16/2007 4:14:48 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 5/29/2007 7:05:44 AM | Attr = ]
QTFont.for -> %SystemRoot%\QTFont.for -> [Ver = | Size = 1409 bytes | Modified Date = 5/16/2007 3:00:42 PM | Attr = ]
QTFont.qfn -> %SystemRoot%\QTFont.qfn -> [Ver = | Size = 54156 bytes | Modified Date = 5/16/2007 3:00:40 PM | Attr = H ]
retadpu11.exe -> %SystemRoot%\retadpu11.exe -> [Ver = 1, 0, 0, 2 | Size = 40960 bytes | Modified Date = 5/27/2007 11:36:34 AM | Attr = ]
SYSTEM32 -> %System32% -> [Folder | Modified Date = 5/27/2007 4:52:44 PM | Attr = ]
system32CmdLineExt.dll -> %System32%CmdLineExt.dll -> Sony DADC Austria AG. [Ver = 1,0,201,0 | Size = 98304 bytes | Modified Date = 4/30/2007 5:15:28 PM | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 5/28/2007 9:04:02 AM | Attr = ]
UEDIT32.INI -> %SystemRoot%\UEDIT32.INI -> [Ver = | Size = 10469 bytes | Modified Date = 5/26/2007 4:17:56 PM | Attr = ]
Winamp.ini -> %SystemRoot%\Winamp.ini -> [Ver = | Size = 192 bytes | Modified Date = 4/17/2007 8:37:48 AM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 5/11/2007 8:55:56 PM | Attr = ]
{00000002-00000000-00000001-00001102-00000004-10031102}.CDF -> %SystemRoot%\{00000002-00000000-00000001-00001102-00000004-10031102}.CDF -> [Ver = | Size = 4932148 bytes | Modified Date = 5/27/2007 4:55:34 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 5/27/2007 4:57:12 PM | Attr = H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 366 bytes | Modified Date = 5/29/2007 7:06:00 AM | Attr = ]
BMXBkpCtrlState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> %System32%\BMXBkpCtrlState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> [Ver = | Size = 30960 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
BMXCtrlState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> %System32%\BMXCtrlState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> [Ver = | Size = 30960 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
BMXState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> %System32%\BMXState-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> [Ver = | Size = 31856 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
BMXStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> %System32%\BMXStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.rfx -> [Ver = | Size = 31856 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 5/24/2007 4:55:32 PM | Attr = ]
CmdLineExt03.dll -> %System32%\CmdLineExt03.dll -> [Ver = | Size = 43520 bytes | Modified Date = 5/22/2007 8:05:14 PM | Attr = ]
CONFIG -> %System32%\CONFIG -> [Folder | Modified Date = 5/27/2007 1:52:48 PM | Attr = ]
DirectX -> %System32%\DirectX -> [Folder | Modified Date = 5/11/2007 8:50:48 PM | Attr = ]
DRIVERS -> %System32%\DRIVERS -> [Folder | Modified Date = 4/27/2007 8:13:04 AM | Attr = ]
DVCState-{00000002-00000000-00000001-00001102-00000004-10031102}.dat -> %System32%\DVCState-{00000002-00000000-00000001-00001102-00000004-10031102}.dat -> [Ver = | Size = 384 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.dat -> %System32%\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.dat -> [Ver = | Size = 384 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 185016 bytes | Modified Date = 5/24/2007 4:54:58 PM | Attr = ]
PERFC009.DAT -> %System32%\PERFC009.DAT -> [Ver = | Size = 62344 bytes | Modified Date = 4/3/2007 10:09:28 PM | Attr = ]
PERFH009.DAT -> %System32%\PERFH009.DAT -> [Ver = | Size = 401064 bytes | Modified Date = 4/3/2007 10:09:28 PM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 471150 bytes | Modified Date = 4/3/2007 10:09:28 PM | Attr = ]
ReinstallBackups -> %System32%\ReinstallBackups -> [Folder | Modified Date = 5/16/2007 11:33:12 AM | Attr = ]
settings.sfm -> %System32%\settings.sfm -> [Ver = | Size = 1080 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
settingsbkup.sfm -> %System32%\settingsbkup.sfm -> [Ver = | Size = 1080 bytes | Modified Date = 5/27/2007 4:56:00 PM | Attr = ]
streamhlp.dll -> %System32%\streamhlp.dll -> [Ver = | Size = 59392 bytes | Modified Date = 5/16/2007 12:33:54 PM | Attr = R ]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49617 bytes | Modified Date = 5/27/2007 4:57:08 PM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 5/27/2007 4:54:46 PM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 5/27/2007 4:52:38 PM | Attr = ]
avg7core.sys -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 4/27/2007 8:12:44 AM | Attr = ]
avg7rsw.sys -> %System32%\drivers\avg7rsw.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,340 | Size = 4224 bytes | Modified Date = 4/3/2007 8:13:30 AM | Attr = ]
avg7rsxp.sys -> %System32%\drivers\avg7rsxp.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.442 | Size = 27776 bytes | Modified Date = 4/3/2007 8:13:30 AM | Attr = ]
avgclean.sys -> %System32%\drivers\avgclean.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 3968 bytes | Modified Date = 4/3/2007 8:13:30 AM | Attr = ]
avgtdi.sys -> %System32%\drivers\avgtdi.sys -> GRISOFT, s.r.o. [Ver = 7,0,0,346 | Size = 4960 bytes | Modified Date = 4/3/2007 8:12:38 AM | Attr = ]
ETC -> %System32%\drivers\ETC -> [Folder | Modified Date = 5/28/2007 9:43:58 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %SystemRoot%\Boyllyybj.kpy -> [Ver = | Size = 200923 bytes | Modified Date = 9/13/2004 10:19:56 PM | Attr = ]
PEC2 , -> %SystemRoot%\Euahsrsns.pek -> [Ver = | Size = 193869 bytes | Modified Date = 9/13/2004 10:19:56 PM | Attr = ]
PEC2 , -> %SystemRoot%\Pelpjnaxupm.gcg -> [Ver = | Size = 192875 bytes | Modified Date = 9/13/2004 10:19:54 PM | Attr = ]
UPX! , -> %SystemRoot%\retadpu11.exe -> [Ver = 1, 0, 0, 2 | Size = 40960 bytes | Modified Date = 5/27/2007 11:36:34 AM | Attr = ]
PEC2 , -> %SystemRoot%\Ugatqgumjxd.wiy -> [Ver = | Size = 184535 bytes | Modified Date = 9/13/2004 10:19:52 PM | Attr = ]
PEC2 , -> %System32%\DFRG.MSC -> [Ver = | Size = 41397 bytes | Modified Date = 8/29/2002 5:00:00 AM | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.4.0.51 | Size = 635486 bytes | Modified Date = 10/2/2006 2:04:40 PM | Attr = ]
UPX! , UPX0 , -> %System32%\fmod.dll -> Firelight Technologies Pty, Ltd [Ver = 3.71 | Size = 154624 bytes | Modified Date = 11/17/2003 11:49:16 AM | Attr = ]
aspack , SAHAgent , -> %System32%\in10b6s.dll -> [Ver = 1, 0, 0, 1 | Size = 188416 bytes | Modified Date = 9/13/2004 10:19:44 PM | Attr = ]
UPX! , UPX0 , -> %System32%\msdjgk.dll -> [Ver = | Size = 86030 bytes | Modified Date = 8/22/2001 7:00:00 PM | Attr = ]
UPX! , UPX0 , -> %System32%\msiaih.dll -> [Ver = | Size = 170496 bytes | Modified Date = 8/22/2001 7:00:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxcpya64.exe -> Sonic Solutions [Ver = 1.00.35a | Size = 63144 bytes | Modified Date = 8/24/2006 10:47:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxhpinst.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 67240 bytes | Modified Date = 8/24/2006 10:47:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxinsa64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 62632 bytes | Modified Date = 8/24/2006 10:47:00 PM | Attr = ]
Thawte Consulting , -> %System32%\pxinsi64.exe -> Sonic Solutions [Ver = 3.00.33a | Size = 115880 bytes | Modified Date = 8/24/2006 10:47:00 PM | Attr = ]
winsync , -> %System32%\WBDBASE.DEU -> [Ver = | Size = 1309184 bytes | Modified Date = 8/29/2002 5:00:00 AM | Attr = ]
UPX! , FSG! , PEC2 , aspack , -> %System32%\drivers\avg7core.sys -> GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 4/27/2007 8:12:44 AM | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 8/4/2004 12:41:38 AM | Attr = ]

< End of report >
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby tim s » May 29th, 2007, 11:24 pm

Hi shugz,

Thanks for posting log.


This Add or Remove Programs entry corresponds to a program that is either malware, installs malware, or is bundled with malware.

Outerinfo


------------------------------------------------

Look in your control panels add/remove programs for any of these and uninstall them:

Outerinfo
<<<< This is the one I see in your uninstall list.
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
and any other programs you didn't install or don't recognize - if your not sure please ask first


Don't reboot

Next......
Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Download and unzip hosts.zip from HERE to a folder (hosts).

When you get a chance please read more about what we are doing HERE.

Here's a Tutorial on how to install it, but it's installed like this:

Open up the hosts folder and double-click on the mvps.bat file, it will rename your present HOSTS file to HOSTS.MVP, then it will copy the new HOSTS file to the correct location on your machine. It happens very quickly so don't blink!

--------------------------------------------------

Please note that a large HOSTS file (over 135 kb) may slow down the machine. This only occurs in W2K and XP.

To fix this:
Go to Start > Run (type) services.msc > OK
Scroll down to DNS Client, Right-click and select: Properties
Click the drop-down arrow for "Startup type"
Select: Manual, click Apply/Ok and restart.


Reboot when done and........

----------------------------------------------------------------

Next do the following:
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------

Post these in next reply:
combofix.txt
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » May 30th, 2007, 7:21 pm

"Richard" - 2007-05-29 23:09:48 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\downloads\malware tools and infos\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\retadpu11.exe"
"C:\WINDOWS\system32\drivers\sfsync02.sys"


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_SFSYNC02
-------\sfsync02


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-30 ))))))))))))))))))))))))))))))))))


2007-05-29 23:14 0 --a------ C:\WINDOWS\SYSTEM32\sfsync02.dll
2007-05-29 23:03 <DIR> d-------- C:\hosts
2007-05-27 16:52 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-27 16:52 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-05-27 16:52 1,087,216 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-05-27 16:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-05-27 16:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-22 20:05 43,520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2007-05-18 16:40 <DIR> d-------- C:\Work
2007-05-16 16:16 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-16 16:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-16 13:16 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\TrojanHunter
2007-05-16 12:33 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-05-11 20:55 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2007-05-11 20:52 <DIR> d-------- C:\Program Files\AutoCAD 2007
2007-05-11 20:52 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\Autodesk
2007-05-11 20:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-05-11 20:50 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-05-11 20:50 <DIR> d-------- C:\Program Files\Autodesk
2007-05-11 17:46 <DIR> d-------- C:\SDRIVE
2007-04-30 17:15 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-04-17 08:39 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 05:04:08 -------- d-----w C:\Program Files\DynDNS Updater
2007-05-30 04:06:44 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.dat
2007-05-30 04:06:44 384 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-00000001-00001102-00000004-10031102}.dat
2007-05-29 03:59:22 -------- d-----w C:\Program Files\Symantec
2007-05-29 03:59:20 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-24 04:04:31 -------- d-----w C:\Program Files\IrfanView
2007-05-22 21:56:10 -------- d-----w C:\DOCUME~1\Richard\APPLIC~1\IGN_DLM
2007-05-13 22:56:49 -------- d-----w C:\DOCUME~1\Richard\APPLIC~1\Lavasoft
2007-05-13 22:56:41 -------- d-----w C:\Program Files\Lavasoft
2007-05-13 22:56:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 22:15:39 -------- d-----w C:\Program Files\Winamp
2007-03-20 22:34:36 75,244 ----a-w C:\WINDOWS\War3Unin.dat
2006-08-20 22:45:41 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [2004-03-10 09:33]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 17:39]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:14]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-05-11 20:01]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Steam"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 16:57]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-15 18:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-05-30 11:51:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-30 06:53:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-30 6:55:14 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-30 06:55

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 6:20:33 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = thundanet.homeip.net:4480
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4563483987
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4565248968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby tim s » May 30th, 2007, 7:59 pm

Hi shugz,

Thanks for posting logs.

Disable Trojan Hunter Guard:

Please disable Trojan Hunter Guard, as it may interfere.

To disable Trojan Hunter Guard:
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red.
  • Right click it and select settings. Uncheck "Load at startup" and "Enabled"
Once your log is clean you can re-enable Trojan Hunter Guard.


---------------------------------------------------------------

Disable Winpatrol:

Please disable Winpatrol as it may hinder the removal of some entries.

Right click the running icon of Winpatrol, and choose exit.

After all of the fixes are complete it is very important that you enable WinPatrol again.


---------------------------------------------------------------

Run Panda's ActiveScan from here and perform a full system scan.
Note* Internet Explorer must be used for scan to run.

1. Once you are on the Panda site scroll to the bottom of page and click the "Scan your PC" button NOTE: If you have a popblocker enable you will have to allow popup here.
2. A new window will open...click the big "Check Now" button
3. Enter your Country
4. Enter your State/Province
5. Enter your e-mail address and click send
6. Select either Home User or Company
7. Click the big Scan Now button
8. If it wants to install an ActiveX component allow it
9. It will start downloading the files it requires for the scan (Note: It will take a couple minutes. You may have to reboot here and start back with step 1. I did.)
10. Click on "Local Disks" to start the scan
11. Post Panda scan results in your next reply with others requested.

----------------------------------------------------------------

Please post in next reply:
Panda's scan report
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » May 31st, 2007, 8:10 am

Thanks tim s for all of your time and help so far! Here are the latest scans:


Incident Status Location

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.atwola.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.com.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[server.iad.liveperson.net/hc/35439559]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Richard\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Richard\Cookies\richard@perf.overture[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Richard\Local Settings\Application Data\Mozilla\Firefox\Profiles\b1eb8lyd.default\Cache\C2152591d01[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\downloads\malware tools and infos\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\downloads\malware tools and infos\sdfix\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\WINDOWS\retadpu11.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
Virus:Trj/CPR.A Disinfected C:\WINDOWS\SYSTEM32\Cache\setup.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\SYSTEM32\mscjjn.dll
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\SYSTEM32\msglji.gif
Spyware:Spyware/ClientMan Not disinfected C:\WINDOWS\SYSTEM32\msiaih.dll
Adware:Adware/SideSearch Not disinfected C:\WINDOWS\SYSTEM32\sset.exe[²êÇ.dll]
Spyware:Spyware/ClearSearch Not disinfected C:\WINDOWS\SYSTEM32\sset.exe[ClrSchUninstall_78_86.exe]
Logfile of HijackThis v1.99.1
Scan saved at 7:08:53 AM, on 5/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = thundanet.homeip.net:4480
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4563483987
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4565248968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby tim s » May 31st, 2007, 7:20 pm

Hi shugz,

Thanks for posting logs.

This is next:

Open notepad and copy/paste the text in the quotebox below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.

File::
C:\WINDOWS\SYSTEM32\mscjjn.dll
C:\WINDOWS\SYSTEM32\msglji.gif
C:\WINDOWS\SYSTEM32\msiaih.dll
C:\WINDOWS\SYSTEM32\sset.exe



Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » June 1st, 2007, 9:09 am

"Richard" - 2007-05-31 23:09:20 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Richard\"
Command switches used :: ""C:\downloads\malware tools and infos\ComboFix-Do.txt""


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\SYSTEM32\mscjjn.dll"
"C:\WINDOWS\SYSTEM32\msglji.gif"
"C:\WINDOWS\SYSTEM32\msiaih.dll"
"C:\WINDOWS\SYSTEM32\sset.exe"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-31 ))))))))))))))))))))))))))))))))))


2007-05-30 22:46 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-30 22:46 <DIR> d-------- C:\WINDOWS\LastGood
2007-05-30 06:55 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-29 23:14 0 --a------ C:\WINDOWS\SYSTEM32\sfsync02.dll
2007-05-29 23:03 <DIR> d-------- C:\hosts
2007-05-27 16:52 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-05-27 16:52 4,212 ---h----- C:\WINDOWS\SYSTEM32\zllictbl.dat
2007-05-27 16:52 1,087,216 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2007-05-27 16:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\ZoneLabs
2007-05-27 16:51 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-05-22 20:05 43,520 --a------ C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2007-05-18 16:40 <DIR> d-------- C:\Work
2007-05-16 16:16 1,156 --a------ C:\WINDOWS\mozver.dat
2007-05-16 16:14 0 --a------ C:\WINDOWS\nsreg.dat
2007-05-16 13:16 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\TrojanHunter
2007-05-16 12:33 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-05-11 20:55 <DIR> d-------- C:\Program Files\AnswerWorks 4.0
2007-05-11 20:52 <DIR> d-------- C:\Program Files\AutoCAD 2007
2007-05-11 20:52 <DIR> d-------- C:\DOCUME~1\Richard\APPLIC~1\Autodesk
2007-05-11 20:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Autodesk
2007-05-11 20:50 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2007-05-11 20:50 <DIR> d-------- C:\Program Files\Autodesk
2007-05-11 17:46 <DIR> d-------- C:\SDRIVE
2007-04-30 17:15 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-04-17 08:39 129,784 --------- C:\WINDOWS\SYSTEM32\pxafs.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 05:02:44 -------- d-----w C:\Program Files\DynDNS Updater
2007-05-31 04:29:06 -------- d-----w C:\Program Files\VentSrv
2007-05-31 04:25:28 -------- d-----w C:\Program Files\Messenger
2007-05-31 04:24:43 -------- d-----w C:\Program Files\Google
2007-05-30 23:23:24 384 ----a-w C:\WINDOWS\system32\DVCStateBkp-{00000002-00000000-00000001-00001102-00000004-10031102}.dat
2007-05-30 23:23:24 384 ----a-w C:\WINDOWS\system32\DVCState-{00000002-00000000-00000001-00001102-00000004-10031102}.dat
2007-05-29 03:59:22 -------- d-----w C:\Program Files\Symantec
2007-05-29 03:59:20 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-05-24 04:04:31 -------- d-----w C:\Program Files\IrfanView
2007-05-22 21:56:10 -------- d-----w C:\DOCUME~1\Richard\APPLIC~1\IGN_DLM
2007-05-13 22:56:49 -------- d-----w C:\DOCUME~1\Richard\APPLIC~1\Lavasoft
2007-05-13 22:56:41 -------- d-----w C:\Program Files\Lavasoft
2007-05-13 22:56:14 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-27 22:15:39 -------- d-----w C:\Program Files\Winamp
2007-03-20 22:34:36 75,244 ----a-w C:\WINDOWS\War3Unin.dat
2006-08-20 22:45:41 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 01:47]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar4.dll [2007-01-20 00:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00]
"CTHelper"="CTHELPER.EXE" [2003-10-06 14:57 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28]
"WinPatrol"="C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [2004-03-10 09:33]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]
"ADUserMon"="C:\Program Files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 17:39]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:14]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" []
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 01:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SB Audigy 2 Startup Menu"=" /L:ENG" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Steam"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]
"igndlm.exe"="C:\Program Files\IGN\Download Manager\DLM.exe" [2007-03-05 16:57]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-15 18:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-06-01 04:11:00 C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-31 23:14:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-31 23:15:36
C:\ComboFix-quarantined-files.txt ... 2007-05-31 23:15

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 8:09:37 AM, on 6/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = thundanet.homeip.net:4480
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4563483987
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4565248968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby tim s » June 1st, 2007, 11:26 am

Hi shugz,


Thanks for posting logs this in next:

To enable the viewing of Hidden files follow these steps:
  1. Close all programs so that you are at your desktop.
  2. Click Start, then select My Computer)
  3. Select the Tools (at top of opened screen in menu and click Folder Options.
  4. After the new window appears select the View tab.
  5. Put a checkmark in the checkbox labeled Display the contents of system folders.
  6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
  9. Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.

--------------------------------------------------------

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):

    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit HijackThis.

---------------------------------------------------------

Use Explorer to navigate to and delete the following folder (if it is present) just what is in red:

Folders:

  • C:\Program Files\Ebates_MoeMoneyMaker
  • C:\Program Files\Symantec <<<< leftover of norton uninstall
  • C:\Program Files\Common Files\Symantec Shared <<<< leftover of norton uninstall
Reboot computer

----------------------------------------------------------

Here we are going to clean out cookies and temp files from your computer.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here It will start to download automatically. If ask if you want to download let it. Save to your Desktop.
Note: If you get and Error page from this link.
Try again you will see this message Your download of CCleaner will automatically start in 5 seconds. Click here if it does not do not wait go ahead and click on it.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Follow prompts to install finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
    • On the Windows tab, under Internet Explorer,
      • All Boxes should have a check mark. (You will need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit).
    • On the Windows tab, under Windows Explorer,
      • All Boxes should have a check mark.
    • On the Windows tab, under System,
      • All Boxes should have a check mark.
    • On the Windows tab, under Advanced,
      • NO check marks
  • If you use either the Firefox or Mozilla browsers, the box to put check in for "Cookies" is on the Applications tab, under Firefox/Mozilla. If already checked move to next step.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced."
    deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.
  • You will need to reboot here if not ask to do so.
_______________________________

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Here we are going to just make sure this tool is setup correctly Do not run scan yet.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.

  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to the words Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
    • Click on Scanner on the toolbar at top of this screen.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Close AVG Anti-Spyware without running yet.
Now disable (turn off AVG Anti-Spyware)
  • Right-click the AVG Anti-Spyware Tray Icon (Bottom right corner of computer screen near clock) and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon again and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________


Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Note: If AVG Anti-Spyware screen does not fit your monitor screen Hold down the Alt button on keyboard then tap spacebar, menu should pop up then choose maximize. AVG Anti-Spyware screen should fix screen a little better.

  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.

Image

IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button.(3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop. I will need you to post this in your next reply.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
-------------------------------------------------------------

Post in next reply:
AVG Anti-Spyware scan report
New HJT log
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » June 2nd, 2007, 7:09 pm

Logfile of HijackThis v1.99.1
Scan saved at 6:06:17 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\VentSrv\ventrilo_svc.exe
C:\Program Files\VentSrv\ventrilo_srv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shacknews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = thundanet.homeip.net:4480
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4563483987
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/register/wowbeta/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4565248968
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/softwar ... launch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DynDNS Updater Service (DynDNS_Updater_Service) - Kana Solution - C:\Program Files\DynDNS Updater\DynDNS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:02:26 PM 6/2/2007

+ Scan result:



C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mscjjn.dll.vir -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1592\A0102439.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\msiaih.dll.vir -> Adware.Ipend : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1592\A0102440.dll -> Adware.Ipend : Cleaned with backup (quarantined).
C:\downloads\malware tools and infos\OiUninstaller.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\retadpu11.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1590\A0101249.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\in10b6s.dll -> Dropper.Small.abe : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1591\A0102319.exe -> Trojan.VB.tq : Cleaned with backup (quarantined).


::Report end
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby tim s » June 2nd, 2007, 7:55 pm

Hi shugz,

Good job.

These tools I had you download are of no longer any use as they update so frequently that fresh copies have to be downloaded when needed.

Delete tools:
Combofix.exe and C:\QooBox
WinPFind3U. folder and its installer


Let me know how your computer is running now?

------------------------------------------------

Make sure to re-enable Trojan Hunter Guard and Winpatrol

------------------------------------------------

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. You can go back and rehide system files:
    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon (or click Start, then select My Computer)
    3. Select the Tools menu at top of this screen and click Folder Options.
    4. After the new window appears select the View tab.
    5. Remove checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section select the radio button(round circle) labeled Do not Show hidden files and folders.
    7. Put a checkmark in the checkbox labeled Hide file extensions for known file types.
    8. Put a checkmark in the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button and shutdown My Computer.
  2. Disable and Enable System Restore. - You are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:

    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  3. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  4. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  5. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  6. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  7. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  8. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  10. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  11. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
Image
Please take the time to go and complain - that forum has a topic for your infection which is PurityScan please post as a reply, you will need to register to do so. It will also have a list of other places you can go to to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to goverment or government agances that something will get done.


Tim s
User avatar
tim s
MRU Honors Grad Emeritus
 
Posts: 1541
Joined: February 11th, 2006, 10:27 am

Unread postby shugz » June 2nd, 2007, 10:17 pm

Everything appears to be working great!! I can't thank you enough for your time and effort. This truly is an awesome service all you people provide!!

Thank you for all your help and for the recommendations. I will follow your advice to a "T". I should be pretty clean now that you have cleaned my system and taught me how to protect it from all the garbage out there ready to infect me.



Thanks a million tim s!!!!
shugz
Regular Member
 
Posts: 20
Joined: May 15th, 2007, 11:44 am

Unread postby NonSuch » June 3rd, 2007, 9:35 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27305
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 50 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware