Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Desktop gone when re-booting

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Desktop gone when re-booting

Unread postby maryd3954 » November 6th, 2005, 5:29 pm

I found 4 problems when I ran Spybot. They referred me to a malware site. When I deleted these 4 items (shown below), Windows didn't come up when we re-booted. So, I figured out how to restore a previous system environment, re-ran Spybot and sent them the results. They think it might be PSGuard. What should I do?

Here's the results from Spybot. Highjack log to follow....

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

IE Plugin: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp

PSGuard.msmsgs: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell!=Explorer.exe

HIGHJACK.LOG....

Logfile of HijackThis v1.99.1
Scan saved at 1:05:57 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cidaemon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {8C11D8A5-2972-3FF0-FCE1-5048A8C6383C} - C:\Program Files\CDM\pltqeehmnq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB74C7E-316F-4E64-B154-1D9DA493623B}: NameServer = 10.3.8.70,10.3.8.75
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca
Advertisement
Register to Remove

Unread postby VopThis » November 7th, 2005, 1:54 pm

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing



Please download LSP-Fix from the following link and save it to a location you can find later if necessary - DESKTOP.

http://www.bleepingcomputer.com/files/lspfix.php

If you cannot connect to the Internet after removing New.net (below), please run the LSP-Fix program that you download earlier, and click on the finish button. Reboot and you should be able to get back on.




NEWDOTNET Removal: Open the Control Panel’s Add/Remove Programs list and remove any found entries for:
‘New.net domains’ (B variant),
‘FirstLook’ (FirstLook variant),
QuickSearch Toolbar’ (QuickSearch variant).




If the above options are unavailable or are ineffective, try looking in the Program Files\NewDotNet folder for an EXE uninstaller:
(* = any additional pattern of characters)
*Uninstall*.EXE; unins*.EXE; Unwise.EXE
(copy and use this exact keywords list in a file search of the relevant FOLDER, if needed)


If more than one uninstaller is present, try the installer with the highest version number in its name.



There will several other items to fix so please post a revised HJT log and we can carry on from there.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

desktop gone

Unread postby maryd3954 » November 8th, 2005, 10:34 pm

Here is my new HJT log.
Couldn't find NewDotNet in the Add/Remove programs. I found only a directory called NewDotNet in Program Files. It had just a readme file in it. So I went to their website and downloaded their uninstall.exe. I ran it and rebooted, but the folder was still there so I deleted it. Hope that was OK.
Previously whever I booted up the computer, it complained that I was missing the NewDotNet file. It doesn't complain now.
Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 6:23:31 PM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\WINDOWS\webshots.scr
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {8C11D8A5-2972-3FF0-FCE1-5048A8C6383C} - C:\Program Files\CDM\pltqeehmnq.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB74C7E-316F-4E64-B154-1D9DA493623B}: NameServer = 10.3.8.70,10.3.8.75
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 9th, 2005, 12:49 pm

So I went to their website and downloaded their uninstall.exe. I ran it and rebooted, but the folder was still there so I deleted it. Hope that was OK.

Such a step is rarely appropriate but, in this case it is OK. Strange to have to face your attacker in this way.


We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O2 - BHO: (no name) - {8C11D8A5-2972-3FF0-FCE1-5048A8C6383C} - C:\Program Files\CDM\pltqeehmnq.dll (file missing)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKCU\..\Run: [CAS CLIENT] "C:\Program Files\Cas\Client\casclient.exe"

O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0002.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)


Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter


***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.



DELETE APPLICATION FOLDERS
  1. Go to Add/Remove Programs
    In Control Panel>Add/Remove Programs look for any related entries for unwanted items listed below (or anything else you need to investigate or did not put in there).

  2. UNINSTALLER Alternate SEARCH: Otherwise, advisable to locate and try right-clicking on any of the given SEARCH FOLDER items below and further search (tick include subdirectories) for the following exact text:

    UN*.EXE, *UN.EXE

    This may reveal an uninstaller with label terms such as '...uninstall...EXE', ‘unins000’, or 'unwise.EXE'. Double-click that EXE, if one is found. Thereafter, check to ensure that the folder is completely gone. Otherwise, consider deleting the folder in question.

-----> C:\Program Files\Aprps
AproposMedia/PeopleOnPage (AKA: AMSERVER/POP/SYSAL/CTXPLS)

-----> C:\Program Files\Cas
CasinoClient (CAS)


REBOOT.

Please use Internet Explorer and go to the Ewido Online Malware Scan:
http://www.ewido.net/en/onlinescan
--Active X must be allowed for this scan to work

  • Click the yellow Start button in the lower left of the page
  • Click yes when prompted to download the Ewido Software
  • Once installed click Start Scan
  • After the scan is finished Please click Save Report, save the log and post it for us in your next reply.
  • Make sure all bad files/entries are checked and click Remove Infections


REBOOT.

Then,

Run these two online virus/malware scanners (Panda Activescan, Trendmicro Housecall) following these instructions below:
    Trend Micro - Housecall:
    http://housecall.trendmicro.com (select auto clean before scanning)


    Panda Scan:
    http://www.pandasoftware.com/products/a ... ncipal.htm
    This one could take an hour or more so do it only when you have the time to let it run. Tell it to scan for everything including messages and heuristic viruses.




Let them fix what they can. Reboot between scans.

Take note of any FILES that couldn't be deleted. Post any undeletable items and any available LOGS back here (IMPORTANT FEEDBACK) AND go after such FILES yourself if you want (preferably in SAFE MODE - reboot tapping the F8 key) .

These scans will take more than an hour to complete, so make sure you have time to let them run all the way through.
(let us know if any files couldn't be deleted/cleaned.)




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback and requested logs as appropriate - how things are now behaving: any new or remaining apparent issues.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Desktop Gone

Unread postby maryd3954 » November 12th, 2005, 1:28 pm

Hi,
When I went into safe mode and got into the internet to run the Panda scan, it came up with some stuff and I noticed a virus also. I couldn't scroll over to the right because my display was so large. I tried to set the display, but I guess it doesn't re-set in safe mode. I re-ran the scan and noticed it didn't find the virus. I figured out I can press the middle button and move the display over and ran the report. I don't know what happened to the virus.
I also noticed a window that comes up during the scan that wants to know my profile. Didn't know what to do so I cancelled it. Anyway, here are the reports...
Note: I ran "hijack" in non-safe mode. Was that OK?

I also noticed that after re-booting at the end, getting into "my computer" took a long time before the window appeared.

Thanks!


Here is the Ewido report:
ewido security suite online scanner
http://www.ewido.net
__________________________________________________


Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@ad.yieldmanager[1].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@ad.yieldmanager[2].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@ad.yieldmanager[3].txt
Risk: Medium

Name: Spyware.Cookie.Euroclick
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@adopt.euroclick[2].txt
Risk: Medium

Name: Spyware.Cookie.Burstnet
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@burstnet[1].txt
Risk: Medium

Name: Spyware.Cookie.Adjuggler
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@rotator.adjuggler[1].txt
Risk: Medium

Name: Spyware.Cookie.Onestat
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@stat.onestat[2].txt
Risk: Medium

Name: Spyware.Cookie.Statcounter
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@statcounter[1].txt
Risk: Medium

Name: Spyware.Cookie.Burstbeacon
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@www.burstbeacon[1].txt
Risk: Medium

Name: Spyware.Cookie.Burstnet
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@www.burstnet[1].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\cookies\larry_and_mary@yieldmanager[1].txt
Risk: Medium

Name: Spyware.BrilliantDigital
Path: HKLM\SOFTWARE\Classes\.b3dini
Risk: High

Name: Spyware.BrilliantDigital
Path: HKLM\SOFTWARE\Classes\.s3d
Risk: High

Name: Spyware.MiniBug
Path: HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C}
Risk: High

Name: Spyware.AproposMedia
Path: HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212}
Risk: High

Name: Spyware.AproposMedia
Path: HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
Risk: High

Name: Spyware.AproposMedia
Path: HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10}
Risk: High

Name: Spyware.AproposMedia
Path: HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904}
Risk: High

Name: Spyware.AproposMedia
Path: HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA}
Risk: High

Name: Spyware.IEPlugin
Path: HKLM\SOFTWARE\Classes\Wbho.Band
Risk: High

Name: Spyware.IEPlugin
Path: HKLM\SOFTWARE\Classes\Wbho.Band\CLSID
Risk: High

Name: Spyware.IEPlugin
Path: HKLM\SOFTWARE\Classes\Wbho.Band\CurVer
Risk: High

Name: Spyware.IEPlugin
Path: HKLM\SOFTWARE\Classes\Wbho.Band.1
Risk: High

Name: Spyware.CometCursor
Path: HKLM\SOFTWARE\Comet
Risk: High

Name: Spyware.Delfin
Path: HKLM\SOFTWARE\DelFin
Risk: High

Name: Spyware.Delfin
Path: HKLM\SOFTWARE\DelFin\PromulGate
Risk: High

Name: Spyware.Downloadware
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced
Risk: High

Name: Spyware.Delfin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\DelFin
Risk: High

Name: Spyware.Delfin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\DelFin\PromulGate
Risk: High

Name: Spyware.IEPlugin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp
Risk: High

Name: Spyware.IEPlugin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp\Config
Risk: High

Name: Spyware.IEPlugin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\intexp\MyFileSystem2
Risk: High

Name: Spyware.AproposMedia
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9}
Risk: High

Name: Spyware.IEPlugin
Path: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}
Risk: High

Name: Spyware.Cookie.2o7
Path: :mozilla.6:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.2o7
Path: :mozilla.7:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.2o7
Path: :mozilla.8:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.2o7
Path: :mozilla.9:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.2o7
Path: :mozilla.10:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.2o7
Path: :mozilla.11:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Pointroll
Path: :mozilla.13:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Pointroll
Path: :mozilla.14:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Pointroll
Path: :mozilla.15:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Advertising
Path: :mozilla.16:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Advertising
Path: :mozilla.17:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Casalemedia
Path: :mozilla.24:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Centrport
Path: :mozilla.25:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.28:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Com
Path: :mozilla.29:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Doubleclick
Path: :mozilla.35:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Mediaplex
Path: :mozilla.45:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Mediaplex
Path: :mozilla.46:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Overture
Path: :mozilla.64:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Pro-market
Path: :mozilla.71:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Pro-market
Path: :mozilla.72:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Questionmarket
Path: :mozilla.73:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Advertising
Path: :mozilla.80:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Trafficmp
Path: :mozilla.83:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Trafficmp
Path: :mozilla.84:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Tribalfusion
Path: :mozilla.85:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Adserver
Path: :mozilla.92:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Adserver
Path: :mozilla.93:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: :mozilla.94:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: :mozilla.95:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: :mozilla.96:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: :mozilla.97:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: :mozilla.98:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Liveperson
Path: :mozilla.112:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Liveperson
Path: :mozilla.113:C:\Documents and Settings\Larry and Mary\Application Data\Mozilla\Profiles\default\n463yf0t.slt\cookies.txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@ad.yieldmanager[1].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@ad.yieldmanager[2].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@ad.yieldmanager[3].txt
Risk: Medium

Name: Spyware.Cookie.Euroclick
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@adopt.euroclick[2].txt
Risk: Medium

Name: Spyware.Cookie.Burstnet
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@burstnet[1].txt
Risk: Medium

Name: Spyware.Cookie.Adjuggler
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@rotator.adjuggler[1].txt
Risk: Medium

Name: Spyware.Cookie.Onestat
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@stat.onestat[2].txt
Risk: Medium

Name: Spyware.Cookie.Statcounter
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@statcounter[1].txt
Risk: Medium

Name: Spyware.Cookie.Burstbeacon
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@www.burstbeacon[1].txt
Risk: Medium

Name: Spyware.Cookie.Burstnet
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@www.burstnet[1].txt
Risk: Medium

Name: Spyware.Cookie.Yieldmanager
Path: C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@yieldmanager[1].txt
Risk: Medium

Name: Spyware.Cookie.Doubleclick
Path: C:\Documents and Settings\LocalService\Cookies\larry and mary@doubleclick[1].txt
Risk: Medium

Name: Spyware.NewDotNet
Path: C:\download\uninstall6_38.exe
Risk: High

Name: Downloader.Apropo.ad
Path: C:\Program Files\HijackThis\backups\backup-20051109-213230-221.dll
Risk: High

Name: Spyware.Eztracks
Path: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP517\A0127785.rbf
Risk: High

Name: Spyware.Eztracks
Path: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP517\A0127787.rbf
Risk: High

Name: Downloader.Apropo.ad
Path: C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP582\A0152389.dll
Risk: High



Here is the Active Scan Report:


Incident Status Location

Adware:adware/bigtrafficnet No disinfected c:\documents and settings\larry and mary\favorites\1111\1111.url
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\bose.ico
Spyware:spyware/safesurf No disinfected C:\WINDOWS\SYSTEM32\VBUninstall.exe
Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\MLH
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/beginto No disinfected C:\WINDOWS\SYSTEM32\cache32_rtneg4
Adware:adware/sahagent No disinfected C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/pacimedia No disinfected c:\documents and settings\larry and mary\favorites\1111
Adware:adware/novo No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/ConsumerAlertSystemNo disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP583\A0152463.exe
Spyware:Spyware/New.net No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152476.exe
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152477.dll
Adware:Adware/BrilliantDigitalNo disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152532.dll
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\VBUninstall.exe
Here is the Hijack.log:


Logfile of HijackThis v1.99.1
Scan saved at 9:13:38 AM, on 11/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\WINDOWS\webshots.scr
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB74C7E-316F-4E64-B154-1D9DA493623B}: NameServer = 10.3.8.70,10.3.8.75
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 12th, 2005, 3:49 pm

The scans seemed to run OK. The HJT log is looking much better.

After saving the Ewido report did you remove all infections found by Ewido? Did you run Housecall? Those online scans and Panda Activescan did not need to be run in SAFE MODE.



You may want to print out and/or review these instructions for reference, since you will have to restart your computer during the fix.


Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.



Download the latest version of CWSHredder to your desktop from here:
http://cwshredder.net/bin/CWShredder.exe

We will use this application a little later on in the process.
Initially, run it ONLY to check for updates.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).


Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.


Also, in SAFE MODE, please delete the following files/folders if still present:

C:\WINDOWS\SYSTEM32\bose.ico
C:\WINDOWS\SYSTEM32\VBUninstall.exe
C:\PROGRAM FILES\Aprps (FOLDER)
C:\PROGRAM FILES\MLH (FOLDER)
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs (FOLDER)
C:\WINDOWS\SYSTEM32\cache32_rtneg4 (FOLDER)
C:\WINDOWS\SYSTEM32\SahImages (FOLDER)
c:\documents and settings\larry and mary\favorites\1111 (FOLDER)
C:\WINDOWS\SYSTEM32\VBUninstall.exe



Next, run CWShredder
-Click on the: ‘Fix’ button
-Follow the prompts, and press OK




POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues. Also include the contents of the log.txt file in the aproposfix folder.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Desktop Gone

Unread postby maryd3954 » November 13th, 2005, 8:06 pm

Hi,
When I tried to run AproposFix, it errored out. It said it couldn't find the file needed for Windows XP. So I couldn't run it. I did, though, delete the files and folders from your list. I also deleted the infections from Ewido last time. I couldn't find the program Housecall on the Website, so I just downloaded what they offered.
I haven't seen PSGaurd in any of the scans, except in the beginning with SpyBot. When I deleted this file and the other 2 files about Windows security disable, that's when we lost Windows and the desktop. What do you think happened there? I ended up restoring an earlier backup so those files might still be there since I haven't run Spybot since.

Thanks again!


Here is the AproposFix log:

Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.





Here is the new Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 3:53:48 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Vision\vservice.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\webshots.scr
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBB74C7E-316F-4E64-B154-1D9DA493623B}: NameServer = 10.3.8.70,10.3.8.75
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 15th, 2005, 1:32 am

When I tried to run AproposFix, it errored out.

That was an attempt to pick up on any possible remaining pieces of that infection. I have requested further guidance from the creator of that tool. There may, in fact, be nothing further to find.

Do you know if your hard drive is formatted as FAT32 (right click on the C:\ Drive in my computer)?


I couldn't find the program Housecall on the Website

Try http://housecall60.trendmicro.com/en/st ... sp?id=scan
Select the 'Complete Scan' option.
Post any available logs.


I haven't seen PSGaurd in any of the scans, except in the beginning with SpyBot. When I deleted this file and the other 2 files about Windows security disable, that's when we lost Windows and the desktop. What do you think happened there?

If after running SpyBot you discover that you have issues, you should click on the 'Recovery' button and attempt to reinstate some of those lines that you previously fixed to see if that would help resolve your issues.

Run Spybot to at least determine if those 'pests' may still be present.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

desktop gone

Unread postby maryd3954 » November 17th, 2005, 2:20 am

Hi Vincent,

I found my conputer's drive is NTFS.

I also re-ran Spybot with the same 3 files detected:
PSGuard, and 2 Windows firewall disabled files. When I delete these, I lose my Windows, so I'll just leave them there. They are apparently setup files that effect the registry.
HKEY_LOCAL_MACHINE I think they were.


I ran Housecall and....

Virus Scan 0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken

Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken

Spyware Check 14 spyware programs removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 14 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 14 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
COOKIE_146 Cookie Removal successful
COOKIE_169 Cookie Removal successful
COOKIE_193 Cookie Removal successful
COOKIE_592 Cookie Removal successful
COOKIE_875 Cookie Removal successful
COOKIE_1523 Cookie Removal successful
COOKIE_1638 Cookie Removal successful
COOKIE_1701 Cookie Removal successful
COOKIE_1985 Cookie Removal successful
COOKIE_2281 Cookie Removal successful
COOKIE_2314 Cookie Removal successful
COOKIE_2736 Cookie Removal successful
COOKIE_3201 Cookie Removal successful
COOKIE_3237 Cookie Removal successful

Microsoft Vulnerability Check No vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 0 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 17th, 2005, 8:34 am

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop.



Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup. Don't run it yet!



Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested (below) in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido


Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked (PRO version only)!

Save the Panda scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log.

Let us know if any problems persist.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby maryd3954 » November 22nd, 2005, 1:31 am

Well, I had some of the tools not work for whatever reason.

Ad-Aware wouldn't download.


__________________________________________________________
Here's what I got from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:04:08 PM, 11/20/2005
+ Report-Checksum: B7B99F3

+ Scan result:

C:\Program Files\iPass\iPassConnect Corporate\idialer.exe -> Heuristic.Win32.Dialer : Ignored
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-2175716871-3226743395-489727769-1005\Software\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-2175716871-3226743395-489727769-1005_Classes\CLSID\\ -> Spyware.AproposMedia : Error during cleaning
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@e-2dj6wfk4kidzkdq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@e-2dj6wflikkcpsbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@e-2dj6wjl4cmdjaep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@e-2dj6wjliajdpkbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@e-2dj6wjny-1odzah.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Cookies\larry_and_mary@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Larry and Mary\Local Settings\Temporary Internet Files\Content.IE5\GP4RSVGJ\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152476.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP584\A0152477.dll -> TrojanDownloader.Apropo.ad : Cleaned with backup


::Report End
_________________________________________________________

Here's what I got from SmiRem.com:

" Unable to find Windows XP. The system cannot find the file specified"
"Sorry, this tool cannot run on your system..."

____________________________________________________________

This is what I got from AproposFix: The .bat file wouldn't do anything.

Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.
Error! Unsupported OS or version mismatch.


At least the .exe downloaded..
____________________________________________________________-
Here is the ActiveScan log:

Incident Status Location
Adware:adware/novo Not disinfected Windows Registry
This tool didn't ask me to remove the culprit. It just did the scan and a report
___________________________________________________________
Here is the hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:32 PM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Vision\vservice.exe
C:\WINDOWS\webshots.scr
C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoctrl.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cidaemon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

I think I have still some problems on my system.
How does ADWARE get back into the computer? I thought we had got rid of them.
Well, write back when you can and Thanks again for all your help.

-Mary
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 22nd, 2005, 12:16 pm

Please download this file:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Unread postby maryd3954 » November 23rd, 2005, 11:13 pm

Here is the log from Rootkit:



HKLM\SOFTWARE\Enroute Imaging\QuickStitch\Â
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca

Unread postby VopThis » November 28th, 2005, 1:12 am

There are no trouble signs in the rootkit log.


Please do a search for:

Find.exe

Please report back their path location(s) and file size(s) such as C:\Windows\System32.


Also, please run the following scan:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
http://www.webroot.com/downloads/

  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.



Post the SpySweeper session log here along with a fresh HiJackThis log. Indicate any symptoms or problems that still remain.
User avatar
VopThis
Regular Member
 
Posts: 203
Joined: August 1st, 2005, 1:43 am
Location: Halifax, Nova Scotia, Canada

Desktop gone

Unread postby maryd3954 » December 1st, 2005, 2:01 am

Hi,
Here is the Sweep Now log: I gues stuff is still being found!
Thanks much,
-Mary

********
9:24 PM: | Start of Session, Wednesday, November 30, 2005 |
9:24 PM: Spy Sweeper started
9:24 PM: Sweep initiated using definitions version 576
9:24 PM: Starting Memory Sweep
9:28 PM: Memory Sweep Complete, Elapsed Time: 00:04:06
9:28 PM: Starting Registry Sweep
9:28 PM: Found Adware: apropos
9:28 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
9:28 PM: Found Adware: begin2search
9:28 PM: HKCR\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104124)
9:28 PM: HKCR\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104126)
9:28 PM: HKCR\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104127)
9:28 PM: HKCR\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104128)
9:28 PM: HKCR\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104139)
9:28 PM: HKCR\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104141)
9:28 PM: HKLM\software\classes\interface\{6b882c34-a832-4f5b-bef1-7e198be3f094}\ (8 subtraces) (ID = 104174)
9:28 PM: HKLM\software\classes\interface\{9b6b4031-1d6d-4c65-acba-021916853822}\ (8 subtraces) (ID = 104176)
9:28 PM: HKLM\software\classes\interface\{9ff60a27-0c0c-4a6a-a15f-b21b644d67bb}\ (8 subtraces) (ID = 104177)
9:28 PM: HKLM\software\classes\interface\{15d53b86-e055-43b1-bbee-a91a0f37bd2a}\ (8 subtraces) (ID = 104178)
9:28 PM: HKLM\software\classes\interface\{f3c41c1d-22f1-4692-8a7a-88de70a2e9e2}\ (8 subtraces) (ID = 104189)
9:28 PM: HKLM\software\classes\interface\{fa6fa7a5-2c49-4567-ba74-6dd1c36099ee}\ (8 subtraces) (ID = 104191)
9:28 PM: Found Adware: delfin
9:28 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\delfin media viewer\ (2 subtraces) (ID = 124859)
9:28 PM: Found Adware: networkessentials
9:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\cdm\ (2 subtraces) (ID = 136172)
9:28 PM: HKLM\software\novo\ (23 subtraces) (ID = 136175)
9:28 PM: HKLM\software\np\ (2 subtraces) (ID = 136176)
9:28 PM: Found Adware: regsync
9:28 PM: HKLM\software\microsoft\windows\currentversion\app paths\regsync\ (2 subtraces) (ID = 139350)
9:28 PM: HKLM\software\microsoft\windows\currentversion\app paths\vbrundll\ (2 subtraces) (ID = 139351)
9:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\vbrundll\ (2 subtraces) (ID = 139352)
9:28 PM: HKLM\system\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\regsync.exe\ (1 subtraces) (ID = 139354)
9:28 PM: Found Adware: rich editor
9:28 PM: HKLM\software\microsoft\windows\currentversion\app paths\richedtr\ (2 subtraces) (ID = 373109)
9:28 PM: HKLM\software\microsoft\windows\currentversion\app paths\richup\ || path (ID = 373114)
9:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\richeditor\ (2 subtraces) (ID = 373125)
9:28 PM: HKLM\software\riched\ (41 subtraces) (ID = 373158)
9:28 PM: Found Adware: cas
9:28 PM: HKCR\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609381)
9:28 PM: HKLM\software\classes\appid\{e0dc5cc4-25a5-4bc7-a3aa-3525733dc796}\ (1 subtraces) (ID = 609547)
9:28 PM: Found Adware: eztracks toolbar
9:28 PM: HKCR\xbtb09612.ietoolbar\ (5 subtraces) (ID = 788135)
9:28 PM: HKCR\xbtb09612.ietoolbar.1\ (3 subtraces) (ID = 788141)
9:28 PM: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb09612.xbtb09612toolbar\ (2 subtraces) (ID = 788365)
9:28 PM: HKLM\software\classes\xbtb09612.ietoolbar\ (5 subtraces) (ID = 788411)
9:28 PM: HKCR\appid\main.dll\ || appid (ID = 889946)
9:28 PM: HKLM\software\classes\appid\main.dll\ || appid (ID = 889947)
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\aprps\ (7 subtraces) (ID = 103740)
9:28 PM: Found Adware: great net downloadware
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\medialoads\ (15 subtraces) (ID = 125355)
9:28 PM: Found Adware: drsnsrch.com hijack
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
9:28 PM: Found Trojan Horse: trojan-downloader-pacisoft
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\psof1\ (9 subtraces) (ID = 136530)
9:28 PM: Found Adware: privacyscan
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\privacy champion\ (1 subtraces) (ID = 136898)
9:28 PM: HKU\S-1-5-21-2175716871-3226743395-489727769-1005\software\xbtb09612\ (65 subtraces) (ID = 788237)
9:28 PM: Registry Sweep Complete, Elapsed Time:00:00:15
9:28 PM: Starting Cookie Sweep
9:28 PM: Found Spy Cookie: webtrendslive cookie
9:28 PM: larry and mary@dcsgcxwngpifwznfzlmv83o6w_5w4m[2].txt (ID = 3674)
9:28 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:28 PM: Starting File Sweep
9:29 PM: Found Adware: weirdontheweb
9:29 PM: weirdontheweb_ventura.exe (ID = 87900)
9:29 PM: pinkkas21.ico (ID = 51041)
9:29 PM: Found Adware: shopathomeselect
9:29 PM: eats8oqi.dat (ID = 75801)
9:29 PM: bingo_big31.ico (ID = 51022)
9:30 PM: c:\program files\eztracks\ (13 subtraces) (ID = -2147481005)
9:30 PM: Found Adware: bullguard popup ad
9:30 PM: c:\windows\temp\bullguard\ (1 subtraces) (ID = -2147476409)
9:30 PM: File Sweep Complete, Elapsed Time: 00:01:18
9:30 PM: Full Sweep has completed. Elapsed time 00:05:43
9:30 PM: Traces Found: 359
9:56 PM: Removal process initiated
9:56 PM: Quarantining All Traces: apropos
9:56 PM: Quarantining All Traces: begin2search
9:57 PM: Quarantining All Traces: cas
9:57 PM: Quarantining All Traces: trojan-downloader-pacisoft
9:57 PM: Quarantining All Traces: bullguard popup ad
9:57 PM: Quarantining All Traces: delfin
9:57 PM: Quarantining All Traces: drsnsrch.com hijack
9:57 PM: Quarantining All Traces: eztracks toolbar
9:57 PM: Quarantining All Traces: great net downloadware
9:57 PM: Quarantining All Traces: networkessentials
9:57 PM: Quarantining All Traces: privacyscan
9:57 PM: Quarantining All Traces: regsync
9:57 PM: Quarantining All Traces: rich editor
9:57 PM: Quarantining All Traces: shopathomeselect
9:57 PM: Quarantining All Traces: weirdontheweb
9:57 PM: Quarantining All Traces: webtrendslive cookie
9:57 PM: Removal process completed. Elapsed time 00:00:49
********
9:21 PM: | Start of Session, Wednesday, November 30, 2005 |
9:21 PM: Spy Sweeper started
9:24 PM: Only Sweep Folders Where Threats Are Known to Reside
9:24 PM: | End of Session, Wednesday, November 30, 2005 |


And here is the Hijack Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:00:57 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\AccessRamp\ARMon32.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\cisvc.exe
C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoctrl.exe
C:\WINDOWS\MXOALDR.EXE
C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nutsrv4.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\MENTOR~1\Nutc\bin\snmptrapd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Vision\vservice.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\Vision\dbserv.exe
C:\WINDOWS\webshots.scr
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AccessRampMonitor] C:\Program Files\AccessRamp\ARMon32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\MENTOR~1\Nutc\bin\ncoeenv.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Vision Services.lnk = C:\Program Files\Common Files\Vision\vservice.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Allison\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.mindspring.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.186,207.217.77.82,192.168.0.1
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Larry and Mary\Desktop\SCANS\security suite\ewidoguard.exe
O23 - Service: ISJ - Sysinternals - http://www.sysinternals.com - C:\DOCUME~1\LARRYA~1\LOCALS~1\Temp\ISJ.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\System32\nutsrv4.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ONC Portmapper (Portmapper) - Unknown owner - C:\MentorGraphics\MGC_HOME-2004.ixn\pkgs\mdb\_lib\portmap.exe
O23 - Service: Reflection Line Printer Daemon - WRQ, Inc. - C:\Program Files\Reflection\lpdserv.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SNMPTrapd Service (SNMPTrapdService) - DataFocus, Inc. - C:\MENTOR~1\Nutc\bin\snmptrapd.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\EarthLink TotalAccess\Spyware Blocker\WRSSSDK.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
maryd3954
Active Member
 
Posts: 9
Joined: November 6th, 2005, 5:14 pm
Location: Boulder Creek, Ca
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 290 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware