
file3.exe messed up my system


Unread postby matrix » July 4th, 2006, 5:45 pm

Hello,

I was on the web when McAfee alerted that a script was trying to run (file3.exe). I requested to stop the script but I guess something did happen, since now when I log in I get so many errors that the system chokes and I have to restart.
I am able to restart in safe mode, run the HijackThis program and scan the system for viruses, but if I try to run the Ad-Aware software I receive a Winlogon error and the system restarts automatically, giving me a blue screen with a c000021 error.
I don't know how to fix this and would appreciate any help.

Thank you.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 5:10:00 PM, on 7/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ZipCentral\ZCentral.exe
C:\DOCUME~1\erics\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [FWBootup] C:\Program Files\VoSKY Call Center\USBDRAM.exe
O4 - HKCU\..\Run: [VoKU Call Center] C:\Program Files\VoSKY Call Center\USBVoSKY.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Karen's Time Sync.lnk = C:\Program Files\PTSync\PTSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Namo APM Manager.lnk = C:\Program Files\Namo\WebBoard\Bin\APMTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll
O20 - Winlogon Notify: psksds - C:\WINNT\SYSTEM32\psksds.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Namo/WebBoard/Server/MySQL/bin/mysqld-nt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - A Business Division of Secure-Soft (India) Pvt Ltd - C:\WINNT\SYSTEM32\ssoftsrv.exe
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm
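As an added example (not code from the thread, HijackThis or haxfix), here is a small Python triage script that parses the O20 (Winlogon Notify) and O23 (service) lines of a HijackThis log like the one above and flags the kind of entries the helper picks out: notify keys outside a stock allowlist with machine-looking names, and services with no publisher or a missing binary. The allowlist and the scoring heuristics are assumptions of the example, and the crypt32chain line is a constructed clean entry added for contrast.

```python
"""Triage helper for HijackThis-style logs: extracts the O20 (Winlogon Notify)
and O23 (service) entries and flags the ones that deserve a closer look.

Added example for this thread; it is not part of HijackThis or haxfix.  The
allowlist of Winlogon Notify subkeys and the scoring rules are assumptions
made for the example, not a vendor-maintained list."""
import re
from dataclasses import dataclass

# Winlogon Notify subkeys that ship with a stock Windows 2000/XP install.
# Assumption: anything not listed here is worth reviewing.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+)$")
# The display name may itself contain parentheses ("... v.0 (experimental) (rpcapd)"),
# so the short name is the last parenthesised token before " - ".  The path is
# anchored on a drive letter or %ENV% prefix so that owners containing " - "
# (e.g. "Cypherix - A Business Division ...") still parse.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+) - (?P<path>(?:[A-Za-z]:[\\/]|%)\S.*)$"
)

# Sample lines copied from the HijackThis log above, plus one constructed
# clean O20 line (crypt32chain) so the allowlist path is exercised.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O20 - Winlogon Notify: obbn13t - C:\WINNT\SYSTEM32\obbn13t.dll
O20 - Winlogon Notify: psksds - C:\WINNT\SYSTEM32\psksds.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Namo/WebBoard/Server/MySQL/bin/mysqld-nt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""


@dataclass
class Finding:
    section: str   # "O20" or "O23"
    name: str      # notify key or service display name
    path: str
    reason: str


def looks_random(name: str) -> bool:
    """Crude check for generated names such as 'obbn13t': letters mixed with
    digits, or almost no vowels.  Assumption: stock keys are pronounceable."""
    has_digit = any(c.isdigit() for c in name)
    letters = [c for c in name.lower() if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return has_digit or vowel_ratio < 0.2


def triage(log_text: str) -> list[Finding]:
    """Return the O20/O23 entries that fail the review heuristics, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            key, dll = m["key"], m["dll"]
            if key not in KNOWN_NOTIFY:
                why = "Winlogon Notify key not in stock allowlist"
                if looks_random(key):
                    why += "; name looks machine-generated"
                findings.append(Finding("O20", key, dll, why))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m["path"]:
                reasons.append("service points at a missing binary")
            if m["owner"] == "Unknown owner":
                reasons.append("no publisher recorded")
            if reasons:
                findings.append(Finding("O23", m["display"], m["path"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.reason}\n      {f.path}")
```

A service with "Unknown owner" is not malicious by itself (the MySQL entry here is a legitimate local install), which is why the script reports reasons for review rather than a verdict.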

Unread postby Dorian » July 5th, 2006, 2:58 am

Hi there matrix and welcome to MalWare Removal, You have a couple of nasties in there that we need to sort...

You are currently running HJT from a temp folder; this can hamper things if we need to roll back..

Delete the current HJT folder from your temp drive --> C:\DOCUME~1\erics\LOCALS~1\Temp\_ZCTmp.Dir

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Close HJT down and carry on with the fix...

Download haxfix.exe
and save it to your desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

Select option 1. Make logfile by typing 1 and then pressing Enter
Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
Copy the contents of that logfile and paste it into this thread.
Dorian
Regular Member
 
Posts: 587
Joined: January 20th, 2006, 1:21 am
Location: Lost in the Milky Way

Unread postby matrix » July 5th, 2006, 8:57 am

Hi Dorian,

Thank you for helping out. I moved HJT to its own folder and installed Haxfix.
Last night I had manually deleted the file OBBN13T.DLL after doing some research on the web, that probably explains why it does not show up on the haxfix report (it may come back by itself, I don't know.)

Here's the report.

HAXFIX logfile - by Marckie
______________
version 3.03
Wed 07/05/2006 8:46:25.03

checking for haxdoor
--------------------
checking for a3d files....
a3d files not found

checking for matching notify keys....
no matching notify keys found

checking for matching services....
no matching services found

checking for matching safeboot services....
no matching safeboot services found


Checking for goldun
-------------------
checking for notify keys....
obbn13t

checking for services....
obbn13rt


Finished
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby matrix » July 5th, 2006, 12:11 pm

Dorian,

I just wanted to mention that in my system32 folder I have several files with the same date/time stamp (around the time McAfee triggered the alert) and I think they may be related to my problem.

obbn13rt.sys
cabview7.dll
psksds.dll
p76xxsks.sys
nel32.dll

Thank you.
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby matrix » July 5th, 2006, 11:52 pm

Dorian,

Here's an update:
I moved all the files I mentioned in the previous post out of the system32 folder.
I can now log into my PC without getting any errors. I was even able to run a full scan with Ad-Aware.
I am sure that there's more to it but at least I can work again.
Thank you for any advice on the next steps, cleaning, rebuilding, ....
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby Dorian » July 6th, 2006, 2:27 am

Hi matrix

Where did you move the files to ?? Can I ask that you wait for instructions rather than acting on your own? This is so I can keep up with you and we do not get ahead of each other; otherwise this will just create confusion between us. Although you have moved/removed certain files I still want you to run the haxfix on autofix just to check that nothing is left behind. I have also included an ewido scan which I want you to run through. May I suggest that you either print out these instructions or save them as a text file with Notepad or your default text editor to your desktop, as we will be restarting into Safe Mode later on in the fix.

Let's run haxfix first....

Option 2 autofix
Open this folder program files > haxfix and double click on fix.bat (or double click on fix.bat desktop icon)
Close all other open windows since this step requires a reboot
Select option 2. Run auto fix by typing 2 and then pressing Enter
If an infection is found, you'll get a message to close all other open windows.


Close all open windows except the red dos window from haxfix and then press Enter
The computer will reboot
After reboot a logfile will open > (c:\haxfix.txt)
We will need this report later

Next download Ewido Anti-Malware:
Close all other applications, select language, click Ok
Click I Agree
Click Next
Click Install
Click Finish
Wait; Ewido will open its main screen automatically.
Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at the top of the screen.
This is very important to get updates
When updating has finished, close Ewido. Do not scan yet

Please re-start your computer in safe mode - You may want to print the rest of these instructions from here onwards
To do so, reboot your computer and repeatedly tap F8 whilst your computer is booting up (just before the MS Windows flag screen appears) until a menu appears. Once you see the menu select the option to start the computer in safe mode. (It might take more than one go to access the menu if you have not done this before; just simply reboot the machine again and repeat the steps)

Open Ewido
Click on Scanner at the top of the Ewido screen
Click on Settings
Under How to Act click on Recommended Action choose Quarantine
Under How to scan all boxes should be selected
Under Possibly unwanted software all boxes should be selected
On right side under Reports: click on Automatically generate report after every scan.
Under What to scan select scan every file
Click On scan Tab
Click on Complete system scan
Let the program scan the machine It can take awhile give it time.
When scan has finished At bottom of screen click Apply all Actions
Click Save report
Click Save Report as (Save as window's screen should pop up.)
Click desktop
Click Save
Exit ewido

Now reboot your computer into normal operating mode, generate and post a fresh HJT log along with your ewido log and haxfix log as a reply to this post, do not start a new topic! Thank you. Please advise of any problems you may be experiencing
Dorian
Regular Member
 
Posts: 587
Joined: January 20th, 2006, 1:21 am
Location: Lost in the Milky Way

Unread postby matrix » July 6th, 2006, 11:05 pm

Dear Dorian,

> Where did you move the files to ??

I moved the files to a folder named "suspicious" under system32. One of the files (file2.exe) was caught by Ewido.


>Can I ask that you wait for instructions rather than acting on your own...

Sure, I am sorry. My computer is an essential part of my work; I was just trying to get to a somewhat stable enough system to allow me to at least run some backups.

Here are the logs:
(The Ewido report says "No action taken" but the report was saved before applying all actions)


----------------
Ewido Report
----------------

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:53:03 PM 7/6/2006

+ Scan result:



C:\Documents and Settings\erics\My Documents\Erics\RA-Portscan.zip/RA-PortScanner.exe -> Not-A-Virus.HackTool.Win32.VB.a : No action taken.
C:\Documents and Settings\erics\My Documents\Erics\portscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : No action taken.
C:\Program Files\Radmin\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : No action taken.
C:\WINNT\system32\raddrv.dll -> Not-A-Virus.RemoteAdmin.Win32.RAdmin.20 : No action taken.
C:\WINNT\system32\suspicious\file2.exe -> Proxy.Agent.gx : No action taken.
C:\Documents and Settings\tina\Cookies\tina@server3.web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\tina\Cookies\tina@web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\tina\Cookies\tina@webstat[1].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\tina\Cookies\tina@www.web-stat[1].txt -> TrackingCookie.Web-stat : No action taken.
C:\Documents and Settings\tina\Cookies\tina@affiliates.x10[1].txt -> TrackingCookie.X10 : No action taken.
C:\Documents and Settings\tina\Cookies\tina@yadro[2].txt -> TrackingCookie.Yadro : No action taken.
C:\Documents and Settings\tina\Cookies\tina@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end



----------
HJT Log
----------

Logfile of HijackThis v1.99.1
Scan saved at 10:53:10 PM, on 7/6/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ssoftsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\VoSKY Call Center\USBDRAM.exe
C:\Program Files\VoSKY Call Center\USBVoSKY.exe
C:\Program Files\PTSync\PTSync.exe
C:\Program Files\Namo\WebBoard\Bin\APMTool.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [FWBootup] C:\Program Files\VoSKY Call Center\USBDRAM.exe
O4 - HKCU\..\Run: [VoKU Call Center] C:\Program Files\VoSKY Call Center\USBVoSKY.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Karen's Time Sync.lnk = C:\Program Files\PTSync\PTSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Namo APM Manager.lnk = C:\Program Files\Namo\WebBoard\Bin\APMTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... 0,0,101/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: vskype - (no CLSID) - (no file)
O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)
O20 - Winlogon Notify: psksds - psksds.dll (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Namo/WebBoard/Server/MySQL/bin/mysqld-nt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - A Business Division of Secure-Soft (India) Pvt Ltd - C:\WINNT\SYSTEM32\ssoftsrv.exe



-------------
Haxfix log
-------------


HAXFIX logfile - by Marckie
--------------
version 3.03
Thu 07/06/2006 11:58:42.30

Auto Haxdoorfix
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby Dorian » July 7th, 2006, 6:02 am

Howdy there

(The Ewido report says "No action taken" but the report was saved before applying all actions)

I trust you did apply the actions and that you instructed ewido to delete the entries after the log was created?

First of all, I want you to download ATF-Cleaner by atribune.
Save it to your desktop where you can access it easily, but do not run it just yet!

I want to run an online scan on the files that you have isolated
I would advise that you use Internet Explorer Browser for this task
Navigate to virus total --> http://www.virustotal.com/en/indexf.html

Click on the browse button and navigate to the file below. Once you have located the file, press the send button and wait for the file to be scanned for any viruses. Copy and paste the results off the web page from the scan to a text file, save them and let me know the results in the next post. Please be patient through the submission process as you will be placed in a queuing system. Please repeat the process for all files listed.

Files to submit (all in your suspicious folder):

cabview7.dll
psksds.dll
p76xxsks.sys
nel32.dll


Open HJT by double clicking on the icon and select the second button entitled "do a system scan only".
Make sure you close any windows that are open or minimised.

Now select the following entries by placing a tick in the left hand check box:

O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)
O20 - Winlogon Notify: psksds - psksds.dll (file missing)


Once you have selected all entries then click once on the "fix checked" button to clear the entries from your log.

Now navigate to the folder you created where you moved the suspicious files
Press shift and delete to remove the following file from your computer
--> obbn13rt.sys

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Now reboot your computer and post a fresh HJT log and include the scan results from the files submitted to virus total

Thanks - Dorian :)
Dorian
Regular Member
 
Posts: 587
Joined: January 20th, 2006, 1:21 am
Location: Lost in the Milky Way
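The two O20 lines Dorian asks to fix are registrations under Winlogon Notify whose DLLs no longer exist; Winlogon tries to load every registered Notify package at logon, which is why a dead registration can stall the login the way matrix described. As an added illustration (this is editorial example code, not a tool from the thread or from the HijackThis project), the script below parses HJT-style log lines and pulls out exactly the kind of entries a helper looks at first: O20 Notify packages marked "(file missing)" and O23 services with an unknown owner or a missing binary. The sample log is a constructed excerpt of the lines posted above; the function names are my own.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log
# posted earlier in this thread (the real log runs to a few hundred lines).
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O20 - Winlogon Notify: obbn13t - obbn13t.dll (file missing)
O20 - Winlogon Notify: psksds - psksds.dll (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Namo/WebBoard/Server/MySQL/bin/mysqld-nt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""

# Every HJT entry starts with a section tag (R0, O2, O20, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+) - (.*)$")
# O20 body: "Winlogon Notify: <name> - <dll>[ (file missing)]"
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# O23 body: "Service: <display name> - <owner> - <path and arguments>"
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line, skipping the header."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return the entries a helper would review first.

    stale_winlogon_notify: O20 Notify packages whose DLL is missing. These are
      leftovers of a removed infection (here the Haxdoor DLLs) and a cause of
      logon errors, because Winlogon still tries to load them.
    services_to_review: O23 services with no recognised owner or a missing
      binary. Not automatically malicious (a self-installed MySQL lands here
      too), but each one should be confirmed by hand.
    """
    result = {"stale_winlogon_notify": [], "services_to_review": []}
    for section, body in parse_entries(log_text):
        if section == "O20":
            m = O20_RE.match(body)
            if m and m.group("missing"):
                result["stale_winlogon_notify"].append(m.group("name"))
        elif section == "O23":
            m = O23_RE.match(body)
            if not m:
                continue
            owner, path = m.group("owner"), m.group("path")
            if owner == "Unknown owner" or path.endswith("(file missing)"):
                result["services_to_review"].append(m.group("display"))
    return result


if __name__ == "__main__":
    for key, items in triage(SAMPLE_HJT_LOG).items():
        print(key)
        for item in items:
            print("  -", item)
```

Both O20 names come back as stale, matching the two entries Dorian had ticked in HJT; the r_server service is flagged because its binary is reported missing as well as its owner being unknown, while the Nero service passes because it has a known vendor and an existing file.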

Unread postby matrix » July 7th, 2006, 7:31 pm

Dorian,

Prior to contacting MR I had also moved 3 files to my suspicious folder: file1.exe, file2.exe and file3.exe. File2.exe was removed by Ewido.
According to Virustotal.com, cabview7.dll is the only clean file.

Thank you.

Here are the logs:

-----------------
Virustotal LOG
-----------------

Complete scanning result of "cabview7.dll", received in VirusTotal at 07.08.2006, 00:22:53 (CET).

AntiVir 6.35.0.21 07.07.2006 no virus found
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 no virus found
CAT-QuickHeal 8.00 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 no virus found
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 no virus found
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.07.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 no virus found
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 no virus found
Sophos 4.07.0 07.08.2006 no virus found
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.07.2006 no virus found


Complete scanning result of "psksds.dll", received in VirusTotal at 07.08.2006, 00:37:38 (CET).

AntiVir 6.35.0.21 07.07.2006 TR/Dldr.Agent.RQ.4
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 Generic.Malware.FY.2A79544B
CAT-QuickHeal 8.00 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 no virus found
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 no virus found
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.07.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 no virus found
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 Suspicious file
Sophos 4.07.0 07.08.2006 Troj/Haxdor-Fam
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 no virus found
VBA32 3.11.0 07.06.2006 suspected of Trojan-PSW.LdPinch.9
VirusBuster 4.3.7:9 07.07.2006 no virus found

Complete scanning result of "file1.exe", received in VirusTotal at 07.08.2006, 00:34:24 (CET).

AntiVir 6.35.0.21 07.07.2006 HEUR/Malware.Crypted.PSM
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 Win32:Goldun-CQ
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 no virus found
CAT-QuickHeal 8.00 07.07.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 Win32/Haxdoor!generic
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 suspicious
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.07.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 probably a variant of Win32/Spy.Goldun.HP
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 Suspicious file
Sophos 4.07.0 07.08.2006 no virus found
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 no virus found
VBA32 3.11.0 07.06.2006 suspected of Rootkit.Agent.10
VirusBuster 4.3.7:9 07.07.2006 no virus found

Complete scanning result of "file3.exe", received in VirusTotal at 07.08.2006, 00:35:00 (CET).

AntiVir 6.35.0.21 07.07.2006 TR/Crypt.F.Gen
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 no virus found
CAT-QuickHeal 8.00 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 Win32/Vxidl!generic
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 no virus found
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.07.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 Win32/TrojanDownloader.Small.AVT
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 Adware/SpySheriff
Sophos 4.07.0 07.08.2006 Troj/DownLdr-QK
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.07.2006 no virus found

Complete scanning result of "p76xxsks.sys", received in VirusTotal at 07.08.2006, 00:37:15 (CET).

AntiVir 6.35.0.21 07.07.2006 no virus found
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 no virus found
CAT-QuickHeal 8.00 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 no virus found
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 no virus found
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.07.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 probably a variant of Win32/Rootkit.Agent.AT
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 no virus found
Sophos 4.07.0 07.08.2006 Troj/Haxdor-Fam
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 Trojan.Spy.Haxdoor
VBA32 3.11.0 07.06.2006 suspected of Rootkit.Agent.10
VirusBuster 4.3.7:9 07.07.2006 no virus found

Complete scanning result of "nel32.dll", received in VirusTotal at 07.08.2006, 01:01:32 (CET).

AntiVir 6.35.0.21 07.07.2006 no virus found
Authentium 4.93.8 07.07.2006 no virus found
Avast 4.7.844.0 07.07.2006 no virus found
AVG 386 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 Generic.Malware.Fdld.70DE3AEF
CAT-QuickHeal 8.00 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
DrWeb 4.33 07.07.2006 no virus found
eTrust-InoculateIT 23.72.61 07.07.2006 no virus found
eTrust-Vet 12.6.2291 07.07.2006 no virus found
Ewido 3.5 07.07.2006 no virus found
Fortinet 2.77.0.0 07.08.2006 no virus found
F-Prot 3.16f 07.07.2006 no virus found
F-Prot4 4.2.1.29 07.07.2006 no virus found
Ikarus 0.2.65.0 07.07.2006 no virus found
Kaspersky 4.0.2.24 07.08.2006 no virus found
McAfee 4802 07.07.2006 no virus found
Microsoft 1.1481 07.08.2006 no virus found
NOD32v2 1.1650 07.07.2006 no virus found
Norman 5.90.23 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 Trj/Downloader.JLB
Sophos 4.07.0 07.08.2006 no virus found
Symantec 8.0 07.07.2006 no virus found
TheHacker 5.9.8.170 07.07.2006 no virus found
UNA 1.83 07.06.2006 no virus found
VBA32 3.11.0 07.06.2006 no virus found
VirusBuster 4.3.7:9 07.07.2006 no virus found


----------
HJT LOG
----------

Logfile of HijackThis v1.99.1
Scan saved at 7:24:53 PM, on 7/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ssoftsrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\RunDLL32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
C:\Program Files\VoSKY Call Center\USBDRAM.exe
C:\Program Files\VoSKY Call Center\USBVoSKY.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\PTSync\PTSync.exe
C:\Program Files\Namo\WebBoard\Bin\APMTool.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\IC\Card Reader Driver v1.9e2\Disk_Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [FWBootup] C:\Program Files\VoSKY Call Center\USBDRAM.exe
O4 - HKCU\..\Run: [VoKU Call Center] C:\Program Files\VoSKY Call Center\USBVoSKY.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Karen's Time Sync.lnk = C:\Program Files\PTSync\PTSync.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Namo APM Manager.lnk = C:\Program Files\Namo\WebBoard\Bin\APMTool.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... 0,0,101/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O18 - Protocol: Festoon - (no CLSID) - (no file)
O18 - Protocol: vskype - (no CLSID) - (no file)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: MySql - Unknown owner - C:/Program Files/Namo/WebBoard/Server/MySQL/bin/mysqld-nt.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - A Business Division of Secure-Soft (India) Pvt Ltd - C:\WINNT\SYSTEM32\ssoftsrv.exe
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm
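matrix reads the VirusTotal pastes above by hand and concludes that cabview7.dll is the only clean file. The multi-engine output of that era was plain text, one "engine version date result" line per scanner, and the results mix named detections with heuristic verdicts ("Suspicious file", "suspected of ...", "probably a variant of ..."). As an added example, not code from the thread or from VirusTotal, here is a small parser that tallies those lines per submitted file and applies the rule the helpers used: a file is clean only when every engine says "no virus found". The sample is a constructed subset of the result lines posted above; the heuristic keyword list and function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the VirusTotal result lines pasted in this
# thread, one block per submitted file, in the 2006 plain-text layout.
SAMPLE_VT_REPORT = """\
Complete scanning result of "cabview7.dll", received in VirusTotal at 07.08.2006, 00:22:53 (CET).

AntiVir 6.35.0.21 07.07.2006 no virus found
BitDefender 7.2 07.07.2006 no virus found
ClamAV devel-20060426 07.07.2006 no virus found
Sophos 4.07.0 07.08.2006 no virus found

Complete scanning result of "psksds.dll", received in VirusTotal at 07.08.2006, 00:37:38 (CET).

AntiVir 6.35.0.21 07.07.2006 TR/Dldr.Agent.RQ.4
BitDefender 7.2 07.07.2006 Generic.Malware.FY.2A79544B
ClamAV devel-20060426 07.07.2006 no virus found
Panda 9.0.0.4 07.07.2006 Suspicious file
Sophos 4.07.0 07.08.2006 Troj/Haxdor-Fam
VBA32 3.11.0 07.06.2006 suspected of Trojan-PSW.LdPinch.9

Complete scanning result of "file1.exe", received in VirusTotal at 07.08.2006, 00:34:24 (CET).

AntiVir 6.35.0.21 07.07.2006 HEUR/Malware.Crypted.PSM
CAT-QuickHeal 8.00 07.07.2006 (Suspicious) - DNAScan
eTrust-Vet 12.6.2291 07.07.2006 Win32/Haxdoor!generic
NOD32v2 1.1650 07.07.2006 probably a variant of Win32/Spy.Goldun.HP
Sophos 4.07.0 07.08.2006 no virus found
"""

HEADER_RE = re.compile(r'^Complete scanning result of "(?P<file>[^"]+)"')
# engine, version, dd.mm.yyyy signature date, then the free-text verdict
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<date>\d{2}\.\d{2}\.\d{4}) (?P<result>.+)$")
# Wording that marks a heuristic or generic-suspicion verdict rather than a named signature
HEURISTIC_WORDS = ("suspicious", "suspected", "probably", "heur/")


def classify(result):
    """Map one engine's free-text result onto clean / heuristic / detection."""
    r = result.strip().lower()
    if r == "no virus found":
        return "clean"
    if any(w in r for w in HEURISTIC_WORDS):
        return "heuristic"
    return "detection"


def parse_report(text):
    """Return {filename: [(engine, result), ...]} for every block in the paste."""
    files = defaultdict(list)
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group("file")
            continue
        e = ENGINE_RE.match(line)
        if e and current:
            files[current].append((e.group("engine"), e.group("result")))
    return dict(files)


def summarize(text):
    """Per-file tallies plus a verdict. A file is 'clean' only when every engine
    returned 'no virus found'; any named detection or heuristic flag moves it to
    'review', which is how the files in this thread were treated."""
    summary = {}
    for name, hits in parse_report(text).items():
        counts = {"clean": 0, "heuristic": 0, "detection": 0}
        named = []
        for engine, result in hits:
            kind = classify(result)
            counts[kind] += 1
            if kind == "detection":
                named.append(f"{engine}: {result}")
        counts["engines"] = len(hits)
        counts["verdict"] = "clean" if counts["engines"] == counts["clean"] else "review"
        counts["named"] = named
        summary[name] = counts
    return summary


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_VT_REPORT).items():
        print(f"{name}: {info['verdict']} ({info['detection']} named, "
              f"{info['heuristic']} heuristic, {info['engines']} engines)")
```

Keeping heuristic verdicts separate from named signatures matters for the decision: a lone "Suspicious file" from one engine would warrant a second look, while the Haxdoor family hits from Sophos and eTrust are what justified deleting the files outright.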

Unread postby Dorian » July 8th, 2006, 5:02 am

Hi there matrix

Please delete the files that we submitted to virus total (pressing and holding down the shift key while pressing delete will bypass your recycle bin) except cabview7.dll, which you can return to the folder you originally moved it from. Apart from that I am happy to say that your log is visually free from any signs of malware. Are you experiencing any other problems at all? How's your computer running now?
Dorian
Regular Member
 
Posts: 587
Joined: January 20th, 2006, 1:21 am
Location: Lost in the Milky Way

Unread postby matrix » July 10th, 2006, 1:02 pm

Hi Dorian,

Before removing the two O20 entries with HJT (even though the files were missing) my system used to lock up upon login. I had to log off and log in again to go through. Now it seems that the problem is gone...

Thank you very much for your help
matrix
Regular Member
 
Posts: 28
Joined: August 25th, 2005, 3:01 pm

Unread postby Dorian » July 10th, 2006, 4:21 pm

Only too glad to assist you :)

Below is my standard clean speech; feel free to read it through and ask any questions that you may have.

Please advise on any problems that you may still be experiencing.

First, let's re-hide your System Files

  • Click Start.
  • Open My Computer.
  • Select the Tools menu.
  • Click Folder Options.
  • Select the View tab.
  • Uncheck Show hidden files and folders in the Hidden files and folders section.
  • Select the Hide protected operating system files (recommended) option.
  • Check the Hide file extensions for known file types option.
  • Click Yes.
  • Click OK.

Next, let's reset your system restore points. Please follow these simple steps in order:


  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.


    Restart your computer

  • Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-check Turn off System Restore.
  • Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:


  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Make sure you are protected with a known anti-virus checker and a firewall.
Windows XP will supply its own firewall, but it will only monitor traffic in one direction.

Recommended Anti-Virus Programs

There are many antivirus products out there, and at first, with there being so many different products, it may look confusing to you; some are free products and others are fully licensed products. It is up to you which you go for. For a free antivirus product I would be looking at either Avast Home edition or AVG Free edition. If you are going to be looking at fully licensed software then I would seriously consider either Nod32 or Kaspersky Antivirus products; both are excellent in their job of keeping viruses at bay.

Recommended Firewalls

Firewalls.... A firewall serves as a program that monitors ports, connections and programs, both incoming and outgoing from your computer. Windows does come with its own firewall, but unfortunately it only monitors traffic in one direction. As a result we advise that you install your own independent firewall. Two good firewalls you can choose from (both are free) are Sunbelt Kerio Firewall and also ZoneAlarm. As with the above anti-virus packages, both are excellent in their job.

Please note.... only ever install one anti-virus product and one firewall; if you try running more than one antivirus on your computer they will conflict and cause problems with each other. Once you have these products installed and on board your computer, the next thing is to update your anti-virus; this will check for the latest virus definitions so that your anti-virus can detect the latest viruses. Once you have updated, you should run a full complete scan on your computer. This may take some time, but it is highly advisable that you let this finish of its own accord.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (unlike firewalls and virus checkers, you can run more than one application at once; feel free to download ALL of the below if you wish):

  • Ad-Aware SE - This is a program that scans for and removes known spyware from your machine.
  • Spybot Search & Destroy - Spybot is a tool like Ad-Aware SE in that it seeks out and removes known spyware from your machine. These two tools (Ad-Aware & Spybot) are perfect complements to each other, as one will almost always find something the other missed.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • IE_Spyad - Works by placing known "bad" sites into your Internet Explorer "Restricted Zones" prohibiting them from doing potentially problematic things to your computer.

For added protection you may also like to add a hosts file; for more information regarding hosts files read here.

Once you have installed and updated any malware solution tools, you must remember to update regularly. I would advise at least a manual check once a week as well as any auto-scheduled checks.

Take care and happy surfin' ......

Dorian - aKa Steve
Dorian
Regular Member
 
Posts: 587
Joined: January 20th, 2006, 1:21 am
Location: Lost in the Milky Way
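An added example, not part of Dorian's post or of any tool the site recommends: a PowerShell audit script that reads the registry values behind the Internet zone Custom Level options and the Explorer hide-file options described above and reports which ones still differ from the recommended settings. It assumes a current Windows version with PowerShell (not the Windows 2000 machine in this thread); the zone action codes are Microsoft's documented ones (KB 182569), and the script only reports, it changes nothing.

```powershell
# Added audit script (not from the forum post). Assumption: zone action codes
# follow Microsoft's documented mapping (KB 182569); values 0 = Enable,
# 1 = Prompt, 3 = Disable. Zone 3 is the "Internet" zone. Read-only.

$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Recommended Custom Level values from the post, keyed by zone action code.
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialise and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';             Want = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-IeZoneSettings {
    # One row per setting: current value, recommended value, and whether they match.
    foreach ($code in $recommended.Keys) {
        $current = (Get-ItemProperty -Path $zone -Name $code -ErrorAction SilentlyContinue).$code
        [pscustomobject]@{
            Setting = $recommended[$code].Name
            Current = if ($null -eq $current) { 'not set' } else { $label[[int]$current] }
            Wanted  = $label[$recommended[$code].Want]
            OK      = ($current -eq $recommended[$code].Want)
        }
    }
}

function Test-ExplorerHiding {
    # Mirrors the "rehide your System Files" steps in the post.
    $p = Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HiddenFilesHidden = ($p.Hidden -eq 2)          # 2 = do not show hidden files/folders
        SystemFilesHidden = ($p.ShowSuperHidden -eq 0) # 0 = hide protected OS files
        ExtensionsHidden  = ($p.HideFileExt -eq 1)     # 1 = hide extensions for known types
    }
}

Test-IeZoneSettings | Format-Table -AutoSize
Test-ExplorerHiding | Format-List
```

Any row with OK = False (or a False flag from the Explorer check) is a setting that still needs to be changed by hand through the dialogs described in the post.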

Unread postby 'KotaGuy » July 11th, 2006, 6:13 pm

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada