
Vundo B Virus


  • This topic is locked
17 replies to this topic

#1 Justnameme
  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 20 October 2005 - 01:09 AM

Been having problems with the computer: slow, freezing, etc. Ran a Norton virus scan, which produced nothing.
A few days ago, a pop-up from Norton said I had the Vundo virus and that it could not fix or contain it. Have been searching the internet, Symantec, etc. for solutions. The Norton pop-up will not go away, IncrediMail's pop-up opens at startup, and I do not want this thing. I have the geedc.dll version of this thing. All other virus scanners say I am clean, but there it is.

Please find the log from HijackThis below. Help, I am not computer literate. :thumbsup: Do you see the problem? Can I get rid of it? My computer is constantly working; previously it was shutting down and turning back on every 2 minutes by itself. Crazy! Thank you, JustNameMe

Logfile of HijackThis v1.99.1
Scan saved at 12:06:21 AM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117BNUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
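As an added example (not from this thread, from HijackThis or from Webroot), a small Python triage script that parses the O2, O4 and O20 sections of the log above and flags the pattern that matters here: a DLL under system32 registered as both a BHO and a Winlogon Notify handler (geedc.dll), plus an autorun launched from a Temp folder. It also diffs the excerpt against the post-cleanup log that appears later in the thread. The excerpts are lines copied from the two logs posted in this thread; the rule names and the path heuristics are my own assumptions, not HijackThis's.

```python
import re
from collections import namedtuple

# Excerpt copied from the first HijackThis log posted above (not the full log).
HJT_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\geedc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O20 - Winlogon Notify: geedc - C:\WINDOWS\system32\geedc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

# Excerpt copied from the second log in the thread, posted after the SpySweeper run.
HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

Entry = namedtuple("Entry", "section name path raw")

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _image_path(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: the path ends at the first " -" or " /" switch.
    return re.split(r" [-/]", cmd, maxsplit=1)[0]


def parse_hjt(text):
    """Parse O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines; other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O2" and (b := BHO_RE.match(body)):
            entries.append(Entry("O2", b.group("name"), b.group("path"), raw))
        elif sec == "O20" and (n := NOTIFY_RE.match(body)):
            entries.append(Entry("O20", n.group("name"), n.group("path"), raw))
        elif sec == "O4" and (r := RUN_RE.match(body)):
            entries.append(Entry("O4", r.group("name"), _image_path(r.group("cmd")), raw))
    return entries


def triage(entries):
    """Return (rule, raw_line) findings for entries a helper would look at first.

    Rules are this example's own heuristics: a system32 DLL that is both a BHO and a
    Winlogon Notify handler (the geedc.dll pattern in this thread), and any Run-key
    autorun whose image lives under a Temp directory."""
    findings = []
    notify_dlls = {e.path.lower() for e in entries if e.section == "O20"}
    for e in entries:
        p = e.path.lower()
        if e.section == "O2" and p.startswith("c:\\windows\\system32\\") and p in notify_dlls:
            findings.append(("system32 DLL registered as both BHO and Winlogon Notify", e.raw))
        if e.section == "O4" and "\\temp\\" in p:
            findings.append(("autorun launching from a Temp directory", e.raw))
    return findings


def diff_logs(before, after):
    """Entries present in only one of two parsed logs (case-insensitive on the raw line)."""
    b = {e.raw.strip().lower(): e.raw.strip() for e in before}
    a = {e.raw.strip().lower(): e.raw.strip() for e in after}
    removed = [b[k] for k in b if k not in a]
    added = [a[k] for k in a if k not in b]
    return removed, added


if __name__ == "__main__":
    before, after = parse_hjt(HJT_BEFORE), parse_hjt(HJT_AFTER)
    for rule, line in triage(before):
        print(f"[{rule}] {line}")
    removed, added = diff_logs(before, after)
    print("Removed after cleanup:", *removed, sep="\n  ")
    print("Added after cleanup:", *added, sep="\n  ")
```

Run against the two full logs in the thread, the diff shows the geedc.dll BHO and Winlogon Notify entries gone and only the Webroot entries added, which is what a helper checks before calling the log clean.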

#2 sUBs
  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  • Local time:12:49 PM

Posted 21 October 2005 - 04:07 PM

Download, install & launch - Webroot SpySweeper (Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions.

Then configure it as follows:
  • From the left pane, click Options
  • Select the Sweep Options tab & ensure the following are ticked:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All Users accounts
    • Do Not Sweep System Restore Folder
    • Enable Direct Disk Sweeping
    • Sweep For Rootkits
  • After that's done, select Sweep from the left pane & click on the Start button
  • Allow Spysweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.

#3 Justnameme
  • Topic Starter
  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:49 PM

Posted 23 October 2005 - 11:45 AM

Thank you so much for your help in getting this thing sorted out for me. It seems my computer is running at top speed again, Norton has settled down, and the virus scan seems clear. I have run HJT and Webroot and am including the logs as suggested. Am I in the clear? Thanks again for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:27 AM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117BNUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



********
4:58 PM: | Start of Session, Saturday, October 22, 2005 |
4:58 PM: Spy Sweeper started
4:58 PM: Sweep initiated using definitions version 560
4:58 PM: Starting Memory Sweep
4:58 PM: Warning: Failed to load image: C:\WINDOWS\system32\geedc.dll
4:59 PM: Found Adware: virtumonde
4:59 PM: Detected running threat: C:\WINDOWS\system32\geedc.dll (ID = 77)
5:02 PM: Memory Sweep Complete, Elapsed Time: 00:03:45
5:02 PM: Starting Registry Sweep
5:02 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
5:02 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
5:02 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
5:02 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
5:02 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
5:02 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
5:02 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
5:02 PM: Registry Sweep Complete, Elapsed Time:00:00:31
5:02 PM: Starting Cookie Sweep
5:02 PM: Found Spy Cookie: 2o7.net cookie
5:02 PM: hp_owner@112.2o7[2].txt (ID = 1958)
5:02 PM: Found Spy Cookie: 247realmedia cookie
5:02 PM: hp_owner@247realmedia[2].txt (ID = 1953)
5:02 PM: hp_owner@2o7[2].txt (ID = 1957)
5:02 PM: Found Spy Cookie: tribalfusion cookie
5:02 PM: hp_owner@a.tribalfusion[1].txt (ID = 3590)
5:02 PM: Found Spy Cookie: about cookie
5:02 PM: hp_owner@about[2].txt (ID = 2037)
5:02 PM: Found Spy Cookie: yieldmanager cookie
5:02 PM: hp_owner@ad.yieldmanager[2].txt (ID = 3751)
5:02 PM: Found Spy Cookie: specificclick.com cookie
5:02 PM: hp_owner@adopt.specificclick[2].txt (ID = 3400)
5:02 PM: Found Spy Cookie: adprofile cookie
5:02 PM: hp_owner@adprofile[1].txt (ID = 2084)
5:02 PM: Found Spy Cookie: adrevolver cookie
5:02 PM: hp_owner@adrevolver[2].txt (ID = 2088)
5:02 PM: hp_owner@adrevolver[3].txt (ID = 2088)
5:02 PM: Found Spy Cookie: addynamix cookie
5:02 PM: hp_owner@ads.addynamix[1].txt (ID = 2062)
5:02 PM: Found Spy Cookie: ads.adsag cookie
5:02 PM: hp_owner@ads.adsag[1].txt (ID = 2108)
5:02 PM: Found Spy Cookie: belointeractive cookie
5:02 PM: hp_owner@ads.belointeractive[2].txt (ID = 2295)
5:02 PM: Found Spy Cookie: pointroll cookie
5:02 PM: hp_owner@ads.pointroll[1].txt (ID = 3148)
5:02 PM: Found Spy Cookie: ads.tripod.lycos.com cookie
5:02 PM: hp_owner@ads.tripod.lycos[2].txt (ID = 2133)
5:02 PM: Found Spy Cookie: advertising cookie
5:02 PM: hp_owner@advertising[1].txt (ID = 2175)
5:02 PM: Found Spy Cookie: associated new media cookie
5:02 PM: hp_owner@anm.co[2].txt (ID = 2223)
5:02 PM: Found Spy Cookie: apmebf cookie
5:02 PM: hp_owner@apmebf[1].txt (ID = 2229)
5:02 PM: Found Spy Cookie: ask cookie
5:02 PM: hp_owner@ask[1].txt (ID = 2245)
5:02 PM: Found Spy Cookie: atlas dmt cookie
5:02 PM: hp_owner@atdmt[2].txt (ID = 2253)
5:02 PM: Found Spy Cookie: belnk cookie
5:02 PM: hp_owner@ath.belnk[1].txt (ID = 2293)
5:02 PM: Found Spy Cookie: atwola cookie
5:02 PM: hp_owner@atwola[2].txt (ID = 2255)
5:02 PM: hp_owner@belnk[1].txt (ID = 2292)
5:02 PM: hp_owner@belointeractive[2].txt (ID = 2294)
5:02 PM: Found Spy Cookie: bizrate cookie
5:02 PM: hp_owner@bizrate[1].txt (ID = 2308)
5:02 PM: Found Spy Cookie: bluestreak cookie
5:02 PM: hp_owner@bluestreak[1].txt (ID = 2314)
5:02 PM: Found Spy Cookie: bravenet cookie
5:02 PM: hp_owner@bravenet[1].txt (ID = 2322)
5:02 PM: Found Spy Cookie: bs.serving-sys cookie
5:02 PM: hp_owner@bs.serving-sys[2].txt (ID = 2330)
5:02 PM: Found Spy Cookie: burstnet cookie
5:02 PM: hp_owner@burstnet[2].txt (ID = 2336)
5:02 PM: Found Spy Cookie: enhance cookie
5:02 PM: hp_owner@c.enhance[1].txt (ID = 2614)
5:02 PM: Found Spy Cookie: goclick cookie
5:02 PM: hp_owner@c.goclick[2].txt (ID = 2733)
5:02 PM: Found Spy Cookie: gostats cookie
5:02 PM: hp_owner@c2.gostats[2].txt (ID = 2748)
5:02 PM: Found Spy Cookie: casalemedia cookie
5:02 PM: hp_owner@casalemedia[1].txt (ID = 2354)
5:02 PM: Found Spy Cookie: centrport net cookie
5:02 PM: hp_owner@centrport[2].txt (ID = 2374)
5:02 PM: Found Spy Cookie: clickagents cookie
5:02 PM: hp_owner@clickagents[1].txt (ID = 2394)
5:02 PM: Found Spy Cookie: clickbank cookie
5:02 PM: hp_owner@clickbank[1].txt (ID = 2398)
5:02 PM: Found Spy Cookie: commission junction cookie
5:02 PM: hp_owner@commission-junction[2].txt (ID = 2455)
5:02 PM: hp_owner@cornerstone.122.2o7[1].txt (ID = 1958)
5:02 PM: Found Spy Cookie: hitslink cookie
5:02 PM: hp_owner@counter.hitslink[2].txt (ID = 2790)
5:02 PM: hp_owner@counter2.hitslink[1].txt (ID = 2790)
5:02 PM: Found Spy Cookie: 360i cookie
5:02 PM: hp_owner@ct.360i[1].txt (ID = 1962)
5:02 PM: Found Spy Cookie: customer cookie
5:02 PM: hp_owner@customer[2].txt (ID = 2481)
5:02 PM: Found Spy Cookie: coremetrics cookie
5:02 PM: hp_owner@data.coremetrics[1].txt (ID = 2472)
5:02 PM: Found Spy Cookie: dealtime cookie
5:02 PM: hp_owner@dealtime[1].txt (ID = 2505)
5:02 PM: Found Spy Cookie: did-it cookie
5:02 PM: hp_owner@did-it[1].txt (ID = 2523)
5:02 PM: hp_owner@dist.belnk[1].txt (ID = 2293)
5:02 PM: Found Spy Cookie: ru4 cookie
5:02 PM: hp_owner@edge.ru4[1].txt (ID = 3269)
5:02 PM: Found Spy Cookie: go.com cookie
5:02 PM: hp_owner@espn.go[1].txt (ID = 2729)
5:02 PM: Found Spy Cookie: fastclick cookie
5:02 PM: hp_owner@fastclick[1].txt (ID = 2651)
5:02 PM: Found Spy Cookie: fe.lea.lycos.com cookie
5:02 PM: hp_owner@fe.lea.lycos[2].txt (ID = 2660)
5:02 PM: Found Spy Cookie: findwhat cookie
5:02 PM: hp_owner@findwhat[1].txt (ID = 2674)
5:02 PM: hp_owner@go[1].txt (ID = 2728)
5:02 PM: Found Spy Cookie: starware.com cookie
5:02 PM: hp_owner@h.starware[1].txt (ID = 3442)
5:02 PM: Found Spy Cookie: humanclick cookie
5:02 PM: hp_owner@hc2.humanclick[2].txt (ID = 2810)
5:02 PM: hp_owner@homepage.belointeractive[1].txt (ID = 2295)
5:02 PM: Found Spy Cookie: homestore cookie
5:02 PM: hp_owner@homestore[2].txt (ID = 2793)
5:02 PM: hp_owner@horses.about[1].txt (ID = 2038)
5:02 PM: Found Spy Cookie: infospace cookie
5:02 PM: hp_owner@infospace[2].txt (ID = 2865)
5:02 PM: Found Spy Cookie: linksynergy cookie
5:02 PM: hp_owner@linksynergy[1].txt (ID = 2926)
5:02 PM: Found Spy Cookie: maxserving cookie
5:02 PM: hp_owner@maxserving[2].txt (ID = 2966)
5:02 PM: hp_owner@microsoftwga.112.2o7[1].txt (ID = 1958)
5:02 PM: hp_owner@msnportal.112.2o7[2].txt (ID = 1958)
5:02 PM: Found Spy Cookie: mywebsearch cookie
5:02 PM: hp_owner@mywebsearch[1].txt (ID = 3051)
5:02 PM: Found Spy Cookie: nextag cookie
5:02 PM: hp_owner@nextag[2].txt (ID = 5014)
5:02 PM: Found Spy Cookie: overture cookie
5:02 PM: hp_owner@overture[2].txt (ID = 3105)
5:02 PM: hp_owner@perf.overture[1].txt (ID = 3106)
5:02 PM: Found Spy Cookie: pricegrabber cookie
5:02 PM: hp_owner@pricegrabber[2].txt (ID = 3185)
5:02 PM: Found Spy Cookie: pub cookie
5:02 PM: hp_owner@pub[2].txt (ID = 3205)
5:02 PM: Found Spy Cookie: qksrv cookie
5:02 PM: hp_owner@qksrv[2].txt (ID = 3213)
5:02 PM: Found Spy Cookie: questionmarket cookie
5:02 PM: hp_owner@questionmarket[1].txt (ID = 3217)
5:02 PM: Found Spy Cookie: realmedia cookie
5:02 PM: hp_owner@realmedia[2].txt (ID = 3235)
5:02 PM: hp_owner@rsi.espn.go[1].txt (ID = 2729)
5:02 PM: Found Spy Cookie: sympaticoca cookie
5:02 PM: hp_owner@saymail.sympatico[2].txt (ID = 3484)
5:02 PM: Found Spy Cookie: domain sponsor cookie
5:02 PM: hp_owner@searchportal.domainsponsor[2].txt (ID = 2534)
5:02 PM: Found Spy Cookie: servedby advertising cookie
5:02 PM: hp_owner@servedby.advertising[2].txt (ID = 3335)
5:02 PM: Found Spy Cookie: server.iad.liveperson cookie
5:02 PM: hp_owner@server.iad.liveperson[1].txt (ID = 3341)
5:02 PM: Found Spy Cookie: web-stat cookie
5:02 PM: hp_owner@server3.web-stat[1].txt (ID = 3649)
5:02 PM: Found Spy Cookie: serving-sys cookie
5:02 PM: hp_owner@serving-sys[1].txt (ID = 3343)
5:02 PM: Found Spy Cookie: servlet cookie
5:02 PM: hp_owner@servlet[2].txt (ID = 3345)
5:02 PM: hp_owner@servlet[3].txt (ID = 3345)
5:02 PM: hp_owner@sports.espn.go[1].txt (ID = 2729)
5:02 PM: hp_owner@stat.dealtime[2].txt (ID = 2506)
5:02 PM: Found Spy Cookie: onestat.com cookie
5:02 PM: hp_owner@stat.onestat[2].txt (ID = 3098)
5:02 PM: Found Spy Cookie: statcounter cookie
5:02 PM: hp_owner@statcounter[2].txt (ID = 3447)
5:02 PM: Found Spy Cookie: reliablestats cookie
5:02 PM: hp_owner@stats1.reliablestats[2].txt (ID = 3254)
5:02 PM: Found Spy Cookie: webtrendslive cookie
5:02 PM: hp_owner@statse.webtrendslive[2].txt (ID = 3667)
5:02 PM: hp_owner@test.coremetrics[1].txt (ID = 2472)
5:02 PM: Found Spy Cookie: tracking cookie
5:02 PM: hp_owner@tracking[2].txt (ID = 3571)
5:02 PM: Found Spy Cookie: trafficmp cookie
5:02 PM: hp_owner@trafficmp[1].txt (ID = 3581)
5:02 PM: hp_owner@tribalfusion[1].txt (ID = 3589)
5:02 PM: Found Spy Cookie: tripod cookie
5:02 PM: hp_owner@tripod[1].txt (ID = 3591)
5:02 PM: hp_owner@usgovinfo.about[2].txt (ID = 2038)
5:02 PM: Found Spy Cookie: realtracker cookie
5:02 PM: hp_owner@web4.realtracker[2].txt (ID = 3242)
5:02 PM: Found Spy Cookie: 123count cookie
5:02 PM: hp_owner@www.123count[2].txt (ID = 1928)
5:02 PM: Found Spy Cookie: adminder cookie
5:02 PM: hp_owner@www.adminder[2].txt (ID = 2079)
5:02 PM: Found Spy Cookie: burstbeacon cookie
5:02 PM: hp_owner@www.burstbeacon[1].txt (ID = 2335)
5:02 PM: Found Spy Cookie: esurance cookie
5:02 PM: hp_owner@www.esurance[2].txt (ID = 2626)
5:02 PM: hp_owner@www.homestore[1].txt (ID = 2794)
5:02 PM: Found Spy Cookie: pollstar cookie
5:02 PM: hp_owner@www.pollstar[1].txt (ID = 3152)
5:02 PM: hp_owner@www.starware[1].txt (ID = 3442)
5:02 PM: hp_owner@www.web-stat[2].txt (ID = 3649)
5:02 PM: Found Spy Cookie: adserver cookie
5:02 PM: hp_owner@z1.adserver[1].txt (ID = 2142)
5:02 PM: Found Spy Cookie: zedo cookie
5:02 PM: hp_owner@zedo[1].txt (ID = 3762)
5:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
5:03 PM: Starting File Sweep
5:29 PM: File Sweep Complete, Elapsed Time: 00:26:54
5:29 PM: Full Sweep has completed. Elapsed time 00:31:32
5:29 PM: Traces Found: 151
5:36 PM: Removal process initiated
5:37 PM: Quarantining All Traces: virtumonde
5:37 PM: virtumonde is in use. It will be removed on reboot.
5:37 PM: C:\WINDOWS\system32\geedc.dll is in use. It will be removed on reboot.
5:37 PM: Quarantining All Traces: 123count cookie
5:37 PM: Quarantining All Traces: 247realmedia cookie
5:37 PM: Quarantining All Traces: 2o7.net cookie
5:37 PM: Quarantining All Traces: 360i cookie
5:37 PM: Quarantining All Traces: about cookie
5:37 PM: Quarantining All Traces: addynamix cookie
5:37 PM: Quarantining All Traces: adminder cookie
5:37 PM: Quarantining All Traces: adprofile cookie
5:37 PM: Quarantining All Traces: adrevolver cookie
5:37 PM: Quarantining All Traces: ads.adsag cookie
5:37 PM: Quarantining All Traces: ads.tripod.lycos.com cookie
5:37 PM: Quarantining All Traces: adserver cookie
5:37 PM: Quarantining All Traces: advertising cookie
5:37 PM: Quarantining All Traces: apmebf cookie
5:37 PM: Quarantining All Traces: ask cookie
5:37 PM: Quarantining All Traces: associated new media cookie
5:37 PM: Quarantining All Traces: atlas dmt cookie
5:37 PM: Quarantining All Traces: atwola cookie
5:37 PM: Quarantining All Traces: belnk cookie
5:37 PM: Quarantining All Traces: belointeractive cookie
5:37 PM: Quarantining All Traces: bizrate cookie
5:37 PM: Quarantining All Traces: bluestreak cookie
5:37 PM: Quarantining All Traces: bravenet cookie
5:37 PM: Quarantining All Traces: bs.serving-sys cookie
5:37 PM: Quarantining All Traces: burstbeacon cookie
5:37 PM: Quarantining All Traces: burstnet cookie
5:37 PM: Quarantining All Traces: casalemedia cookie
5:37 PM: Quarantining All Traces: centrport net cookie
5:37 PM: Quarantining All Traces: clickagents cookie
5:37 PM: Quarantining All Traces: clickbank cookie
5:37 PM: Quarantining All Traces: commission junction cookie
5:37 PM: Quarantining All Traces: coremetrics cookie
5:37 PM: Quarantining All Traces: customer cookie
5:37 PM: Quarantining All Traces: dealtime cookie
5:37 PM: Quarantining All Traces: did-it cookie
5:37 PM: Quarantining All Traces: domain sponsor cookie
5:37 PM: Quarantining All Traces: enhance cookie
5:37 PM: Quarantining All Traces: esurance cookie
5:37 PM: Quarantining All Traces: fastclick cookie
5:37 PM: Quarantining All Traces: fe.lea.lycos.com cookie
5:37 PM: Quarantining All Traces: findwhat cookie
5:37 PM: Quarantining All Traces: go.com cookie
5:37 PM: Quarantining All Traces: goclick cookie
5:37 PM: Quarantining All Traces: gostats cookie
5:37 PM: Quarantining All Traces: hitslink cookie
5:37 PM: Quarantining All Traces: homestore cookie
5:37 PM: Quarantining All Traces: humanclick cookie
5:37 PM: Quarantining All Traces: infospace cookie
5:37 PM: Quarantining All Traces: linksynergy cookie
5:37 PM: Quarantining All Traces: maxserving cookie
5:37 PM: Quarantining All Traces: mywebsearch cookie
5:37 PM: Quarantining All Traces: nextag cookie
5:37 PM: Quarantining All Traces: onestat.com cookie
5:37 PM: Quarantining All Traces: overture cookie
5:37 PM: Quarantining All Traces: pointroll cookie
5:37 PM: Quarantining All Traces: pollstar cookie
5:37 PM: Quarantining All Traces: pricegrabber cookie
5:37 PM: Quarantining All Traces: pub cookie
5:37 PM: Quarantining All Traces: qksrv cookie
5:37 PM: Quarantining All Traces: questionmarket cookie
5:37 PM: Quarantining All Traces: realmedia cookie
5:37 PM: Quarantining All Traces: realtracker cookie
5:37 PM: Quarantining All Traces: reliablestats cookie
5:37 PM: Quarantining All Traces: ru4 cookie
5:37 PM: Quarantining All Traces: servedby advertising cookie
5:37 PM: Quarantining All Traces: server.iad.liveperson cookie
5:37 PM: Quarantining All Traces: serving-sys cookie
5:37 PM: Quarantining All Traces: servlet cookie
5:37 PM: Quarantining All Traces: specificclick.com cookie
5:37 PM: Quarantining All Traces: starware.com cookie
5:37 PM: Quarantining All Traces: statcounter cookie
5:37 PM: Quarantining All Traces: sympaticoca cookie
5:37 PM: Quarantining All Traces: tracking cookie
5:37 PM: Quarantining All Traces: trafficmp cookie
5:37 PM: Quarantining All Traces: tribalfusion cookie
5:37 PM: Quarantining All Traces: tripod cookie
5:37 PM: Quarantining All Traces: web-stat cookie
5:37 PM: Quarantining All Traces: webtrendslive cookie
5:37 PM: Quarantining All Traces: yieldmanager cookie
5:37 PM: Quarantining All Traces: zedo cookie
5:37 PM: Preparing to restart your computer. Please wait...
5:37 PM: Removal process completed. Elapsed time 00:01:18
********
4:51 PM: | Start of Session, Saturday, October 22, 2005 |
4:51 PM: Spy Sweeper started
4:54 PM: Your spyware definitions have been updated.
4:58 PM: | End of Session, Saturday, October 22, 2005 |

#4 sUBs
  • Malware Response Team
  • 2,489 posts
  • Local time:12:49 PM

Posted 23 October 2005 - 12:07 PM

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Please download & install - CleanUp.exe


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • My Web Search
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


With HiJackThis, place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE



* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Locate and delete the following files/folders (let me know if you fail to find/delete any):
  • C:\Program Files\MyWebSearch\
  • C:\WINDOWS\system32\cdeeg >> delete all instances of this file
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Perform an online scan with Internet Explorer at one of the following sites: Take note of the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis
  • Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
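
The entries sUBs asks to be fixed above share traits a log reviewer looks for: a path under a known-unwanted folder (MyWebSearch) and an autorun launched out of a Temp directory (the IncrediMail installer). The following is an added example, not code from the thread or from HijackThis, of parsing that log format and applying those checks; the sample lines and indicator list are constructed from entries quoted in this thread, and `parse_hjt`, `triage` and `THREAD_INDICATORS` are names assumed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on entries quoted
# in this thread (a small subset, not the full log the poster pasted).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Indicators taken from this thread only: the MyWebSearch folder and the DLL names
# the posts mention. A real triage would load a maintained list; this is illustrative.
THREAD_INDICATORS = ("\\mywebsearch\\", "geedc.dll", "mlljg.dll", "mlljq.dll")

# Every HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [name] cmd".
# Header lines and the "Running processes" block do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<detail>.+)$")
# First Windows path (optionally quoted) ending in an executable/module extension.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|ocx|cab|scr))"?', re.IGNORECASE)


@dataclass
class Entry:
    section: str      # "R1", "O2", "O4", ...
    detail: str       # text after "<section> - "
    path: str = ""    # extracted file path, "" when the entry carries none


@dataclass
class Finding:
    entry: Entry
    severity: str     # "fix" (clear removal candidate) or "review" (needs a human look)
    reason: str


def parse_hjt(log_text: str) -> list[Entry]:
    """Turn a pasted HijackThis log into structured entries."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        detail = m.group("detail")
        pm = PATH_RE.search(detail)
        entries.append(Entry(m.group("section"), detail, pm.group("path") if pm else ""))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    """Apply the checks a reviewer makes by eye on the entries above."""
    findings = []
    for e in entries:
        low = e.path.lower()
        hits = [ind for ind in THREAD_INDICATORS if ind in low]
        if hits:
            findings.append(Finding(e, "fix", f"path matches indicator {hits[0]!r}"))
        elif e.section == "O4" and "\\temp\\" in low:
            # Installers and droppers commonly persist from a Temp directory.
            findings.append(Finding(e, "fix", "autorun launches from a Temp directory"))
        elif e.section == "O4" and not e.path:
            # A bare name (or "?") is resolved via the search path; confirm which file runs.
            findings.append(Finding(e, "review", "autorun target is not a full path"))
    return findings


def triage_log(log_text: str) -> list[Finding]:
    return triage(parse_hjt(log_text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.entry.section} - {f.entry.detail}\n        {f.reason}")
```

Running the block on the constructed sample flags the two MyWebSearch entries and the IncrediMail Temp autorun as "fix", lists the bare `ALCMTR.EXE` autorun for review, and leaves the Norton, Webroot and NAV Helper entries alone.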

#5 Justnameme
  • Topic Starter
  • Members
  • 10 posts
  • Local time:11:49 PM

Posted 23 October 2005 - 09:09 PM

OK, here it is.

First.... page 1 blew on the floor soooo.

#6 Justnameme
  • Topic Starter
  • Members
  • 10 posts
  • Local time:11:49 PM

Posted 23 October 2005 - 09:27 PM

downloaded- Cleanup.exe
add/remove- my web search, required rebooting, which I did
copied to C program files\hijackthis - ran scan

could only find 4 of the listed files you suggested to get rid of (R1 HKCU, R1 HKLM, O4 HKLM\Alcmtr.exe, and O4 HKLM IMinstaller)

Checked the above and hit fix checked

deleted the new "uninstall my web search" in the program files (I am assuming it was put there during my first action of removing it and rebooting)

Windows\sys32\cdeeg (no files found)

I ran Cleanup as suggested - Files deleted 40375/744.7 MB freed up, no errors, nothing else found

Went to Panda Activescan - could not get it to operate.

Went to Kaspersky Web scanner and scanned C.D. drives

Results: C:\Windows|system32|mlljq.dll Trojan.Win32.Crypt.O

EGAD!!! not another one

I ran Norton AntiVirus, it picked up nothing. Gave me the all clear. :thumbsup:

Here is the Hijack and Kaspersky results as I have them.... sUBs, what now? The computer so far seems fine.

Logfile of HijackThis v1.99.1
Scan saved at 9:01:00 PM, on 10/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\Program Files\Norton Internet Security\ccEmFlSv.exe
C:\Program Files\hijackthis\HijackThis.exe


KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 23, 2005 19:53:20
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/10/2005
Kaspersky Anti-Virus database records: 146448
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 71603
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 2941 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\mlljg.dll Infected: Trojan.Win32.Crypt.o

Scan process completed.
:flowers:

Again, thanks, Connie

#7 sUBs
  • Malware Response Team
  • 2,489 posts
  • Local time:12:49 PM

Posted 24 October 2005 - 02:21 AM

Connie,

Thank you for the detailed report. It certainly makes my job easier. :thumbsup:

Let's get the last remaining file as found by Kaspersky.

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...
  • In the popup box that appears, type in C:\Windows\system32\mlljq.dll
  • Click the Open button.
  • Click YES when prompted to restart your computer.
Please post a fresh HJT log after you have rebooted. I need to verify that you're truly clean.

#8 Justnameme
  • Topic Starter
  • Members
  • 10 posts
  • Local time:11:49 PM

Posted 24 October 2005 - 08:27 PM

Here goes. I know not what I am looking for really, but I still see this Incredimail thing happening. It has not appeared on my desktop at opening the last couple of times but I see it here in the log. Aside from that, everything seems to be working appropriately, no constant running of memory on the computer. It is quiet again. And speed is back. How am I doing so far?

You cannot imagine how relieved I am about all of this, you have been a treasure! This is hell for those of us whom are not computer literate. Thanks for making the experience much less terrifying.

Connie



Logfile of HijackThis v1.99.1
Scan saved at 8:15:30 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117BNUS
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#9 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 25 October 2005 - 03:31 AM

Please disable Webroot SpySweeper, as it hinders the removal of some entries. You can re-enable it after you're clean.
To disable Webroot SpySweeper:
  • Go to the Options>Program Options
  • Uncheck Load at Windows Startup
  • Click Shields & uncheck all items there
  • Uncheck Home page shield.
  • Automatically restore default without notification
Then have HijackThis fix these entries:

O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117BNUS



Kindly post a fresh HJT log after that

Edited by sUBs, 25 October 2005 - 03:33 AM.


#10 Justnameme

  • Topic Starter
  • Members
  • 10 posts

Posted 25 October 2005 - 04:47 PM

Hello sUBs

My computer still registers with the incredimail thingy. My computer screen is back to shutting off regularly.
I followed the instruction to uncheck everything in Webroot.

Now, the computer is back to hibernating on its own when not in use and initializing scanner every several minutes.

Logfile of HijackThis v1.99.1
Scan saved at 4:16:15 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#11 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 25 October 2005 - 05:51 PM

My computer screen is back to shutting off regularly.

Now, the computer is back to hibernating on its own when not in use and initializing scanner every several minutes


Not too sure what the comments mean. Is it supposed to be Good or Bad?


Let's have another go with this incredimail entry.

Please check if this Incredimail is present in the Add/Remove Programs section. If present, uninstall it.

Then have HijackThis fix this entry -

O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail


Finish off by running CleanUp with these settings.

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Please post a new log after that

#12 Justnameme

  • Topic Starter
  • Members
  • 10 posts

Posted 25 October 2005 - 10:48 PM

Ok.... previous comments.
1. Computer screen going black when not set to..... (bad)
2. Computer shutting down every two minutes and starting up on its own, initializing scanner every time (bad)... it stopped doing that for a while (good), as the problem began just when this virus thing started happening.
3. Could not find automatic restore default in Webroot Spysweeper

No websearch line(good thing)

Previous to my last post.... I had run HijackThis several times, checking and fixing checked every time (incredimail), logged off and restarted, and this Incredimail is still there. It is not found in the add/remove programs. I followed your last instructions, and again, it is still there as per the following log. It does not appear at startup anymore... (good thing) and does not appear to affect anything (good thing). Computer is running fine otherwise to this point. Do we just call it a day and blow it off as "one of those things"? I am posting a HijackThis log below as requested.

Glad you know what you are reading....greek to me, am really appreciating your help!

Connie

Logfile of HijackThis v1.99.1
Scan saved at 10:25:52 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#13 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 26 October 2005 - 01:32 AM

I think something must have gone cuckoo with your SpySweeper :thumbsup:

Let's uninstall it first. Before we do so, please launch SpySweeper & select Results from the left pane.
Click the 'Session Log' tab & choose Save to File to create a log. I would like to have another look at it.

# If the uninstallation asks you to reboot, answer NO.

Then have HJT fix the O4 Incredimail entry.

Next, go to Start > Run - type powercfg.cpl <Press Enter>
Under the Power schemes tab, ensure that "Turn Off Monitor" is set to never
Then click Ok


Reboot your computer & delete this folder - C:\Program Files\Webroot\

Run CleanUp to flush it out of your system.

Then re-install SpySweeper (no point wasting your 14 day trial period) :flowers:

Let me know how it went.
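The entries sUBs has HijackThis fix in this thread (the O4 Run entry that launches an installer out of the user's Temp folder, and earlier the O8 context-menu item pointing at mywebsearch) are patterns a log reader can pick out mechanically. The script below is an added example for this thread; it is not code from HijackThis, Webroot or the BleepingComputer helpers. It parses the O4/O8/O20 line shapes used in the logs above and flags three things a malware-response helper looks at first: autorun entries launched from a temporary directory, context-menu items whose target is an off-machine URL, and Winlogon Notify DLLs, which load into winlogon.exe at logon. The sample log is constructed from entries quoted in the thread, and the flag rules are the editor's own heuristics, not HijackThis or Spy Sweeper detection logic.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example; not code from HijackThis, Webroot or the thread's helpers.
Flag rules are the editor's own heuristics:
  * O4 Run / Global Startup entries that launch from a temporary directory
  * O8 context-menu items whose target is an off-machine URL
  * O20 Winlogon Notify DLLs, which load into winlogon.exe at logon
"""
import re
from dataclasses import dataclass
from typing import List

# "O4 - HKLM\..\Run: [Name] command line"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
# Remaining sections: "Oxx - description - target" (the first " - " after the section ends the description)
GENERIC_RE = re.compile(r"^(?P<sec>O\d+) - (?P<desc>.*?) - (?P<target>.*)$")

# Lower-cased path fragments that identify temporary locations (8.3 and long forms both contain them)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run command line, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so stop at the first executable extension
    m = re.match(r"^(.*?\.(?:exe|com|scr|bat|cmd|dll))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def is_temp_path(path: str) -> bool:
    """True when the path lives under a temporary directory."""
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def triage(lines: List[str]) -> List[Finding]:
    """Return the log lines that merit a closer look, in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            if is_temp_path(command_path(m["cmd"])):
                findings.append(Finding("O4", "autorun entry launches from a temporary directory", line))
            continue
        m = GENERIC_RE.match(line)
        if not m:
            continue
        sec, target = m["sec"], m["target"].strip()
        if sec == "O8" and target.lower().startswith(("http://", "https://")):
            findings.append(Finding("O8", "context-menu item points at an off-machine URL", line))
        elif sec == "O20":
            findings.append(Finding("O20", "Winlogon Notify DLL loads at logon; confirm its vendor", line))
    return findings


# Constructed sample, assembled from entries quoted in this thread
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm117BNUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

A flagged line is a pointer for review, not a verdict. On the sample, the script surfaces the IncrediMail Temp-folder entry, the mywebsearch context-menu item and both O20 entries; the two Winlogon Notify DLLs are listed only because of where they load, and the thread's own logs show them registered alongside the Intel graphics entries (igfxtray, hkcmd) and the Webroot Spy Sweeper service, which is why a helper checks the vendor before having anything fixed.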

#14 Justnameme

  • Topic Starter
  • Members
  • 10 posts

Posted 26 October 2005 - 08:05 AM

Good morning

HJT log.... guess what, our favorite line item (this thing has a life of its own!) still appears. Is there anything in this file or is it an empty shell?

Turn off monitor was preset to "Never" when I got there.

C:\Program Files\Webroot - no file to delete (I went into control panel, add/delete and into program files thru my computer.... was not in either, did I do this correctly?)

Spysweeper log as requested. From results (saved file)

Have reinstalled Webroot spyware from internet site, back on

Have a great day sUBs


******
4:58 PM: | Start of Session, Saturday, October 22, 2005 |
4:58 PM: Spy Sweeper started
4:58 PM: Sweep initiated using definitions version 560
4:58 PM: Starting Memory Sweep
4:58 PM: Warning: Failed to load image: C:\WINDOWS\system32\geedc.dll
4:59 PM: Found Adware: virtumonde
4:59 PM: Detected running threat: C:\WINDOWS\system32\geedc.dll (ID = 77)
5:02 PM: Memory Sweep Complete, Elapsed Time: 00:03:45
5:02 PM: Starting Registry Sweep
5:02 PM: HKCR\msevents.msevents\ (5 subtraces) (ID = 749130)
5:02 PM: HKCR\msevents.msevents.1\ (3 subtraces) (ID = 749136)
5:02 PM: HKLM\software\classes\msevents.msevents\ (5 subtraces) (ID = 749153)
5:02 PM: HKLM\software\classes\msevents.msevents.1\ (3 subtraces) (ID = 749157)
5:02 PM: HKCR\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812324)
5:02 PM: HKLM\software\classes\clsid\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (12 subtraces) (ID = 812338)
5:02 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{52b1dfc7-aafc-4362-b103-868b0683c697}\ (ID = 812351)
5:02 PM: Registry Sweep Complete, Elapsed Time:00:00:31
5:02 PM: Starting Cookie Sweep
5:02 PM: Found Spy Cookie: 2o7.net cookie
5:02 PM: hp_owner@112.2o7[2].txt (ID = 1958)
5:02 PM: Found Spy Cookie: 247realmedia cookie
5:02 PM: hp_owner@247realmedia[2].txt (ID = 1953)
5:02 PM: hp_owner@2o7[2].txt (ID = 1957)
5:02 PM: Found Spy Cookie: tribalfusion cookie
5:02 PM: hp_owner@a.tribalfusion[1].txt (ID = 3590)
5:02 PM: Found Spy Cookie: about cookie
5:02 PM: hp_owner@about[2].txt (ID = 2037)
5:02 PM: Found Spy Cookie: yieldmanager cookie
5:02 PM: hp_owner@ad.yieldmanager[2].txt (ID = 3751)
5:02 PM: Found Spy Cookie: specificclick.com cookie
5:02 PM: hp_owner@adopt.specificclick[2].txt (ID = 3400)
5:02 PM: Found Spy Cookie: adprofile cookie
5:02 PM: hp_owner@adprofile[1].txt (ID = 2084)
5:02 PM: Found Spy Cookie: adrevolver cookie
5:02 PM: hp_owner@adrevolver[2].txt (ID = 2088)
5:02 PM: hp_owner@adrevolver[3].txt (ID = 2088)
5:02 PM: Found Spy Cookie: addynamix cookie
5:02 PM: hp_owner@ads.addynamix[1].txt (ID = 2062)
5:02 PM: Found Spy Cookie: ads.adsag cookie
5:02 PM: hp_owner@ads.adsag[1].txt (ID = 2108)
5:02 PM: Found Spy Cookie: belointeractive cookie
5:02 PM: hp_owner@ads.belointeractive[2].txt (ID = 2295)
5:02 PM: Found Spy Cookie: pointroll cookie
5:02 PM: hp_owner@ads.pointroll[1].txt (ID = 3148)
5:02 PM: Found Spy Cookie: ads.tripod.lycos.com cookie
5:02 PM: hp_owner@ads.tripod.lycos[2].txt (ID = 2133)
5:02 PM: Found Spy Cookie: advertising cookie
5:02 PM: hp_owner@advertising[1].txt (ID = 2175)
5:02 PM: Found Spy Cookie: associated new media cookie
5:02 PM: hp_owner@anm.co[2].txt (ID = 2223)
5:02 PM: Found Spy Cookie: apmebf cookie
5:02 PM: hp_owner@apmebf[1].txt (ID = 2229)
5:02 PM: Found Spy Cookie: ask cookie
5:02 PM: hp_owner@ask[1].txt (ID = 2245)
5:02 PM: Found Spy Cookie: atlas dmt cookie
5:02 PM: hp_owner@atdmt[2].txt (ID = 2253)
5:02 PM: Found Spy Cookie: belnk cookie
5:02 PM: hp_owner@ath.belnk[1].txt (ID = 2293)
5:02 PM: Found Spy Cookie: atwola cookie
5:02 PM: hp_owner@atwola[2].txt (ID = 2255)
5:02 PM: hp_owner@belnk[1].txt (ID = 2292)
5:02 PM: hp_owner@belointeractive[2].txt (ID = 2294)
5:02 PM: Found Spy Cookie: bizrate cookie
5:02 PM: hp_owner@bizrate[1].txt (ID = 2308)
5:02 PM: Found Spy Cookie: bluestreak cookie
5:02 PM: hp_owner@bluestreak[1].txt (ID = 2314)
5:02 PM: Found Spy Cookie: bravenet cookie
5:02 PM: hp_owner@bravenet[1].txt (ID = 2322)
5:02 PM: Found Spy Cookie: bs.serving-sys cookie
5:02 PM: hp_owner@bs.serving-sys[2].txt (ID = 2330)
5:02 PM: Found Spy Cookie: burstnet cookie
5:02 PM: hp_owner@burstnet[2].txt (ID = 2336)
5:02 PM: Found Spy Cookie: enhance cookie
5:02 PM: hp_owner@c.enhance[1].txt (ID = 2614)
5:02 PM: Found Spy Cookie: goclick cookie
5:02 PM: hp_owner@c.goclick[2].txt (ID = 2733)
5:02 PM: Found Spy Cookie: gostats cookie
5:02 PM: hp_owner@c2.gostats[2].txt (ID = 2748)
5:02 PM: Found Spy Cookie: casalemedia cookie
5:02 PM: hp_owner@casalemedia[1].txt (ID = 2354)
5:02 PM: Found Spy Cookie: centrport net cookie
5:02 PM: hp_owner@centrport[2].txt (ID = 2374)
5:02 PM: Found Spy Cookie: clickagents cookie
5:02 PM: hp_owner@clickagents[1].txt (ID = 2394)
5:02 PM: Found Spy Cookie: clickbank cookie
5:02 PM: hp_owner@clickbank[1].txt (ID = 2398)
5:02 PM: Found Spy Cookie: commission junction cookie
5:02 PM: hp_owner@commission-junction[2].txt (ID = 2455)
5:02 PM: hp_owner@cornerstone.122.2o7[1].txt (ID = 1958)
5:02 PM: Found Spy Cookie: hitslink cookie
5:02 PM: hp_owner@counter.hitslink[2].txt (ID = 2790)
5:02 PM: hp_owner@counter2.hitslink[1].txt (ID = 2790)
5:02 PM: Found Spy Cookie: 360i cookie
5:02 PM: hp_owner@ct.360i[1].txt (ID = 1962)
5:02 PM: Found Spy Cookie: customer cookie
5:02 PM: hp_owner@customer[2].txt (ID = 2481)
5:02 PM: Found Spy Cookie: coremetrics cookie
5:02 PM: hp_owner@data.coremetrics[1].txt (ID = 2472)
5:02 PM: Found Spy Cookie: dealtime cookie
5:02 PM: hp_owner@dealtime[1].txt (ID = 2505)
5:02 PM: Found Spy Cookie: did-it cookie
5:02 PM: hp_owner@did-it[1].txt (ID = 2523)
5:02 PM: hp_owner@dist.belnk[1].txt (ID = 2293)
5:02 PM: Found Spy Cookie: ru4 cookie
5:02 PM: hp_owner@edge.ru4[1].txt (ID = 3269)
5:02 PM: Found Spy Cookie: go.com cookie
5:02 PM: hp_owner@espn.go[1].txt (ID = 2729)
5:02 PM: Found Spy Cookie: fastclick cookie
5:02 PM: hp_owner@fastclick[1].txt (ID = 2651)
5:02 PM: Found Spy Cookie: fe.lea.lycos.com cookie
5:02 PM: hp_owner@fe.lea.lycos[2].txt (ID = 2660)
5:02 PM: Found Spy Cookie: findwhat cookie
5:02 PM: hp_owner@findwhat[1].txt (ID = 2674)
5:02 PM: hp_owner@go[1].txt (ID = 2728)
5:02 PM: Found Spy Cookie: starware.com cookie
5:02 PM: hp_owner@h.starware[1].txt (ID = 3442)
5:02 PM: Found Spy Cookie: humanclick cookie
5:02 PM: hp_owner@hc2.humanclick[2].txt (ID = 2810)
5:02 PM: hp_owner@homepage.belointeractive[1].txt (ID = 2295)
5:02 PM: Found Spy Cookie: homestore cookie
5:02 PM: hp_owner@homestore[2].txt (ID = 2793)
5:02 PM: hp_owner@horses.about[1].txt (ID = 2038)
5:02 PM: Found Spy Cookie: infospace cookie
5:02 PM: hp_owner@infospace[2].txt (ID = 2865)
5:02 PM: Found Spy Cookie: linksynergy cookie
5:02 PM: hp_owner@linksynergy[1].txt (ID = 2926)
5:02 PM: Found Spy Cookie: maxserving cookie
5:02 PM: hp_owner@maxserving[2].txt (ID = 2966)
5:02 PM: hp_owner@microsoftwga.112.2o7[1].txt (ID = 1958)
5:02 PM: hp_owner@msnportal.112.2o7[2].txt (ID = 1958)
5:02 PM: Found Spy Cookie: mywebsearch cookie
5:02 PM: hp_owner@mywebsearch[1].txt (ID = 3051)
5:02 PM: Found Spy Cookie: nextag cookie
5:02 PM: hp_owner@nextag[2].txt (ID = 5014)
5:02 PM: Found Spy Cookie: overture cookie
5:02 PM: hp_owner@overture[2].txt (ID = 3105)
5:02 PM: hp_owner@perf.overture[1].txt (ID = 3106)
5:02 PM: Found Spy Cookie: pricegrabber cookie
5:02 PM: hp_owner@pricegrabber[2].txt (ID = 3185)
5:02 PM: Found Spy Cookie: pub cookie
5:02 PM: hp_owner@pub[2].txt (ID = 3205)
5:02 PM: Found Spy Cookie: qksrv cookie
5:02 PM: hp_owner@qksrv[2].txt (ID = 3213)
5:02 PM: Found Spy Cookie: questionmarket cookie
5:02 PM: hp_owner@questionmarket[1].txt (ID = 3217)
5:02 PM: Found Spy Cookie: realmedia cookie
5:02 PM: hp_owner@realmedia[2].txt (ID = 3235)
5:02 PM: hp_owner@rsi.espn.go[1].txt (ID = 2729)
5:02 PM: Found Spy Cookie: sympaticoca cookie
5:02 PM: hp_owner@saymail.sympatico[2].txt (ID = 3484)
5:02 PM: Found Spy Cookie: domain sponsor cookie
5:02 PM: hp_owner@searchportal.domainsponsor[2].txt (ID = 2534)
5:02 PM: Found Spy Cookie: servedby advertising cookie
5:02 PM: hp_owner@servedby.advertising[2].txt (ID = 3335)
5:02 PM: Found Spy Cookie: server.iad.liveperson cookie
5:02 PM: hp_owner@server.iad.liveperson[1].txt (ID = 3341)
5:02 PM: Found Spy Cookie: web-stat cookie
5:02 PM: hp_owner@server3.web-stat[1].txt (ID = 3649)
5:02 PM: Found Spy Cookie: serving-sys cookie
5:02 PM: hp_owner@serving-sys[1].txt (ID = 3343)
5:02 PM: Found Spy Cookie: servlet cookie
5:02 PM: hp_owner@servlet[2].txt (ID = 3345)
5:02 PM: hp_owner@servlet[3].txt (ID = 3345)
5:02 PM: hp_owner@sports.espn.go[1].txt (ID = 2729)
5:02 PM: hp_owner@stat.dealtime[2].txt (ID = 2506)
5:02 PM: Found Spy Cookie: onestat.com cookie
5:02 PM: hp_owner@stat.onestat[2].txt (ID = 3098)
5:02 PM: Found Spy Cookie: statcounter cookie
5:02 PM: hp_owner@statcounter[2].txt (ID = 3447)
5:02 PM: Found Spy Cookie: reliablestats cookie
5:02 PM: hp_owner@stats1.reliablestats[2].txt (ID = 3254)
5:02 PM: Found Spy Cookie: webtrendslive cookie
5:02 PM: hp_owner@statse.webtrendslive[2].txt (ID = 3667)
5:02 PM: hp_owner@test.coremetrics[1].txt (ID = 2472)
5:02 PM: Found Spy Cookie: tracking cookie
5:02 PM: hp_owner@tracking[2].txt (ID = 3571)
5:02 PM: Found Spy Cookie: trafficmp cookie
5:02 PM: hp_owner@trafficmp[1].txt (ID = 3581)
5:02 PM: hp_owner@tribalfusion[1].txt (ID = 3589)
5:02 PM: Found Spy Cookie: tripod cookie
5:02 PM: hp_owner@tripod[1].txt (ID = 3591)
5:02 PM: hp_owner@usgovinfo.about[2].txt (ID = 2038)
5:02 PM: Found Spy Cookie: realtracker cookie
5:02 PM: hp_owner@web4.realtracker[2].txt (ID = 3242)
5:02 PM: Found Spy Cookie: 123count cookie
5:02 PM: hp_owner@www.123count[2].txt (ID = 1928)
5:02 PM: Found Spy Cookie: adminder cookie
5:02 PM: hp_owner@www.adminder[2].txt (ID = 2079)
5:02 PM: Found Spy Cookie: burstbeacon cookie
5:02 PM: hp_owner@www.burstbeacon[1].txt (ID = 2335)
5:02 PM: Found Spy Cookie: esurance cookie
5:02 PM: hp_owner@www.esurance[2].txt (ID = 2626)
5:02 PM: hp_owner@www.homestore[1].txt (ID = 2794)
5:02 PM: Found Spy Cookie: pollstar cookie
5:02 PM: hp_owner@www.pollstar[1].txt (ID = 3152)
5:02 PM: hp_owner@www.starware[1].txt (ID = 3442)
5:02 PM: hp_owner@www.web-stat[2].txt (ID = 3649)
5:02 PM: Found Spy Cookie: adserver cookie
5:02 PM: hp_owner@z1.adserver[1].txt (ID = 2142)
5:02 PM: Found Spy Cookie: zedo cookie
5:02 PM: hp_owner@zedo[1].txt (ID = 3762)
5:02 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
5:03 PM: Starting File Sweep
5:29 PM: File Sweep Complete, Elapsed Time: 00:26:54
5:29 PM: Full Sweep has completed. Elapsed time 00:31:32
5:29 PM: Traces Found: 151
5:36 PM: Removal process initiated
5:37 PM: Quarantining All Traces: virtumonde
5:37 PM: virtumonde is in use. It will be removed on reboot.
5:37 PM: C:\WINDOWS\system32\geedc.dll is in use. It will be removed on reboot.
5:37 PM: Quarantining All Traces: 123count cookie
5:37 PM: Quarantining All Traces: 247realmedia cookie
5:37 PM: Quarantining All Traces: 2o7.net cookie
5:37 PM: Quarantining All Traces: 360i cookie
5:37 PM: Quarantining All Traces: about cookie
5:37 PM: Quarantining All Traces: addynamix cookie
5:37 PM: Quarantining All Traces: adminder cookie
5:37 PM: Quarantining All Traces: adprofile cookie
5:37 PM: Quarantining All Traces: adrevolver cookie
5:37 PM: Quarantining All Traces: ads.adsag cookie
5:37 PM: Quarantining All Traces: ads.tripod.lycos.com cookie
5:37 PM: Quarantining All Traces: adserver cookie
5:37 PM: Quarantining All Traces: advertising cookie
5:37 PM: Quarantining All Traces: apmebf cookie
5:37 PM: Quarantining All Traces: ask cookie
5:37 PM: Quarantining All Traces: associated new media cookie
5:37 PM: Quarantining All Traces: atlas dmt cookie
5:37 PM: Quarantining All Traces: atwola cookie
5:37 PM: Quarantining All Traces: belnk cookie
5:37 PM: Quarantining All Traces: belointeractive cookie
5:37 PM: Quarantining All Traces: bizrate cookie
5:37 PM: Quarantining All Traces: bluestreak cookie
5:37 PM: Quarantining All Traces: bravenet cookie
5:37 PM: Quarantining All Traces: bs.serving-sys cookie
5:37 PM: Quarantining All Traces: burstbeacon cookie
5:37 PM: Quarantining All Traces: burstnet cookie
5:37 PM: Quarantining All Traces: casalemedia cookie
5:37 PM: Quarantining All Traces: centrport net cookie
5:37 PM: Quarantining All Traces: clickagents cookie
5:37 PM: Quarantining All Traces: clickbank cookie
5:37 PM: Quarantining All Traces: commission junction cookie
5:37 PM: Quarantining All Traces: coremetrics cookie
5:37 PM: Quarantining All Traces: customer cookie
5:37 PM: Quarantining All Traces: dealtime cookie
5:37 PM: Quarantining All Traces: did-it cookie
5:37 PM: Quarantining All Traces: domain sponsor cookie
5:37 PM: Quarantining All Traces: enhance cookie
5:37 PM: Quarantining All Traces: esurance cookie
5:37 PM: Quarantining All Traces: fastclick cookie
5:37 PM: Quarantining All Traces: fe.lea.lycos.com cookie
5:37 PM: Quarantining All Traces: findwhat cookie
5:37 PM: Quarantining All Traces: go.com cookie
5:37 PM: Quarantining All Traces: goclick cookie
5:37 PM: Quarantining All Traces: gostats cookie
5:37 PM: Quarantining All Traces: hitslink cookie
5:37 PM: Quarantining All Traces: homestore cookie
5:37 PM: Quarantining All Traces: humanclick cookie
5:37 PM: Quarantining All Traces: infospace cookie
5:37 PM: Quarantining All Traces: linksynergy cookie
5:37 PM: Quarantining All Traces: maxserving cookie
5:37 PM: Quarantining All Traces: mywebsearch cookie
5:37 PM: Quarantining All Traces: nextag cookie
5:37 PM: Quarantining All Traces: onestat.com cookie
5:37 PM: Quarantining All Traces: overture cookie
5:37 PM: Quarantining All Traces: pointroll cookie
5:37 PM: Quarantining All Traces: pollstar cookie
5:37 PM: Quarantining All Traces: pricegrabber cookie
5:37 PM: Quarantining All Traces: pub cookie
5:37 PM: Quarantining All Traces: qksrv cookie
5:37 PM: Quarantining All Traces: questionmarket cookie
5:37 PM: Quarantining All Traces: realmedia cookie
5:37 PM: Quarantining All Traces: realtracker cookie
5:37 PM: Quarantining All Traces: reliablestats cookie
5:37 PM: Quarantining All Traces: ru4 cookie
5:37 PM: Quarantining All Traces: servedby advertising cookie
5:37 PM: Quarantining All Traces: server.iad.liveperson cookie
5:37 PM: Quarantining All Traces: serving-sys cookie
5:37 PM: Quarantining All Traces: servlet cookie
5:37 PM: Quarantining All Traces: specificclick.com cookie
5:37 PM: Quarantining All Traces: starware.com cookie
5:37 PM: Quarantining All Traces: statcounter cookie
5:37 PM: Quarantining All Traces: sympaticoca cookie
5:37 PM: Quarantining All Traces: tracking cookie
5:37 PM: Quarantining All Traces: trafficmp cookie
5:37 PM: Quarantining All Traces: tribalfusion cookie
5:37 PM: Quarantining All Traces: tripod cookie
5:37 PM: Quarantining All Traces: web-stat cookie
5:37 PM: Quarantining All Traces: webtrendslive cookie
5:37 PM: Quarantining All Traces: yieldmanager cookie
5:37 PM: Quarantining All Traces: zedo cookie
5:37 PM: Preparing to restart your computer. Please wait...
5:37 PM: Removal process completed. Elapsed time 00:01:18
4:57 PM: Your spyware definitions have been updated.
7:18 AM: IE Tracking Cookies Shield: Removed atlas dmt cookie
********
4:51 PM: | Start of Session, Saturday, October 22, 2005 |
4:51 PM: Spy Sweeper started
4:54 PM: Your spyware definitions have been updated.
4:58 PM: | End of Session, Saturday, October 22, 2005 |




Logfile of HijackThis v1.99.1
Scan saved at 7:23:31 AM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sierra\Planner\Plnrnote.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...lion&pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqna/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#15 sUBs

sUBs

    sUBs


  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  •  
  • Local time:12:49 PM

Posted 26 October 2005 - 08:53 AM

Don't you just hate Incredimail? I know I do...

Please do this...

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ImInstaller_IncrediMail"=-

Open Notepad.
Then Copy/Paste the text above into it.
Save the file as "del.reg" (inclusive of quotes)
Double click on the file & answer Yes when prompted to merge into the Registry

Launch HijackThis & check if that entry is still there.

If not, reboot your computer & check again
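The check sUBs describes above (spot the O4 autorun that launches from a Temp folder, then remove the Run value with a .reg merge) can be done against the posted log itself. The following is an added example, not code from the thread or from HijackThis: it parses O4 registry lines as HijackThis prints them, flags commands that start from a temp directory, and emits the same REGEDIT4 value-deletion snippet shown in the reply. The sample log lines are constructed from entries quoted in this thread.

```python
"""Triage HijackThis O4 autorun entries and build a REGEDIT4 removal snippet.

Added example for this thread; not code from the post or from HijackThis.
"""
import re

# HijackThis prints registry autoruns as:
#   O4 - HKLM\..\Run: [ValueName] C:\path\to\program.exe -args
# The ".." abbreviates Software\Microsoft\Windows\CurrentVersion.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Path fragments (lower-cased) that mark a command launched from a temp folder.
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")

# Constructed sample: the IncrediMail leftover quoted in the thread plus two
# ordinary entries from the same log for contrast.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe",
    r"O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\HP_Owner\LOCALS~1\Temp"
    r"\ImInstaller\IncrediMail\incredimail_install[2].exe -startup -product IncrediMail",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe",
]


def parse_o4(line):
    """Return a dict for a registry O4 line, or None for anything else
    (Global Startup lines, other sections)."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "command": m.group("cmd")}


def is_temp_autorun(entry):
    """An autorun whose executable lives in a temp directory is a typical
    installer (or dropper) leftover and deserves review."""
    cmd = entry["command"].lower()
    return any(marker in cmd for marker in TEMP_MARKERS)


def removal_reg(entry):
    """Build the REGEDIT4 text that deletes the value; "Name"=- is the
    .reg syntax for removing a single value, as used in the reply above."""
    hive = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}[entry["hive"]]
    key = f"{hive}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{entry['key']}"
    return f'REGEDIT4\n\n[{key}]\n"{entry["name"]}"=-\n'


def triage(log_lines):
    """Return the parsed O4 entries that launch from a temp folder."""
    return [e for e in map(parse_o4, log_lines) if e and is_temp_autorun(e)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"Flagged: [{entry['name']}] {entry['command']}")
        print(removal_reg(entry))
```

Run against the full log, the only flagged entry is ImInstaller_IncrediMail, and the generated snippet is byte-for-byte the one sUBs posted.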



