
Nvcpl.exe


  • This topic is locked
4 replies to this topic

#1 gregugadawg

  • Members
  • 2 posts

Posted 31 October 2005 - 09:45 AM

I have done some research and have found the startup program nvcpl.exe to be a worm causing my computer resources to be at 100 percent after a fresh boot. I have tried to fix it using up-to-date McAfee VirusScan, Ad-Aware, and Spybot and nothing has worked. I haven't been able to find a whole lot about it on the internet, so I decided to post my HijackThis log and maybe that will shed some light on the situation. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:42:40 AM, on 10/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
c:\program files\common files\aol\1107020938\ee\services\antiSpywareApp\ver2_0_0\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1107020938\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\DOCUME~1\GREGFE~1\LOCALS~1\Temp\~AceTemp\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe
O9 - Extra button: Aztec Riches Poker - {7FCF69CA-B1D5-4b13-A6B0-31020DD5A976} - C:\Program Files\aztecrichesMPP\MPPoker.exe
O9 - Extra button: Piggs Peak Poker - {9A315457-791D-4dec-AFB0-9E7ACFF4B506} - C:\Program Files\piggspeakMPP\MPPoker.exe
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: 7Sultans Poker - {FD7CF1CF-331A-4d9e-A3D8-82BC1B1861DA} - C:\Program Files\7SultansMPP\MPPoker.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...77/mcinsctl.cab
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,18/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_216/w...OCX/FlashAX.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...613/mcfscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


#2 viccy

    Malware Exterminator

  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 02 November 2005 - 05:20 PM

Welcome to the forum. Sorry you've had to wait so long, but we've been real busy.

Download CleanUp 4.0, install and run it. This program will clean out all your temporary internet files.

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

When Spy Sweeper has updated, reboot to safe mode.

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Open Spy Sweeper and click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove to remove any items found. Save the log.

Exit Spy Sweeper.

Reboot to normal mode and post the results from Spy Sweeper along with a new Hijack This log.

#3 gregugadawg

  • Topic Starter
  • Members
  • 2 posts

Posted 03 November 2005 - 12:05 AM

I tried using the CleanUp program, but the download on the site isn't working. Instead I just did a search for *.tmp and deleted all of those files. Here are the results from Spy Sweeper, followed by the HijackThis log.

SPY SWEEPER

********
9:41 PM: | Start of Session, Wednesday, November 02, 2005 |
9:41 PM: Spy Sweeper started
9:41 PM: Sweep initiated using definitions version 564
9:41 PM: Starting Memory Sweep
9:42 PM: Memory Sweep Complete, Elapsed Time: 00:00:59
9:42 PM: Starting Registry Sweep
9:42 PM: Registry Sweep Complete, Elapsed Time:00:00:10
9:42 PM: Starting Cookie Sweep
9:42 PM: Found Spy Cookie: 2o7.net cookie
9:42 PM: greg fenwick@2o7[1].txt (ID = 1957)
9:42 PM: Found Spy Cookie: yieldmanager cookie
9:42 PM: greg fenwick@ad.yieldmanager[2].txt (ID = 3751)
9:42 PM: Found Spy Cookie: adecn cookie
9:42 PM: greg fenwick@adecn[1].txt (ID = 2063)
9:42 PM: Found Spy Cookie: adknowledge cookie
9:42 PM: greg fenwick@adknowledge[2].txt (ID = 2072)
9:42 PM: Found Spy Cookie: adrevolver cookie
9:42 PM: greg fenwick@adrevolver[1].txt (ID = 2088)
9:42 PM: greg fenwick@adrevolver[3].txt (ID = 2088)
9:42 PM: Found Spy Cookie: addynamix cookie
9:42 PM: greg fenwick@ads.addynamix[1].txt (ID = 2062)
9:42 PM: Found Spy Cookie: pointroll cookie
9:42 PM: greg fenwick@ads.pointroll[2].txt (ID = 3148)
9:42 PM: Found Spy Cookie: belnk cookie
9:42 PM: greg fenwick@belnk[1].txt (ID = 2292)
9:42 PM: Found Spy Cookie: casalemedia cookie
9:42 PM: greg fenwick@casalemedia[2].txt (ID = 2354)
9:42 PM: greg fenwick@dist.belnk[2].txt (ID = 2293)
9:42 PM: Found Spy Cookie: go.com cookie
9:42 PM: greg fenwick@espn.go[1].txt (ID = 2729)
9:42 PM: greg fenwick@go[2].txt (ID = 2728)
9:42 PM: Found Spy Cookie: clickandtrack cookie
9:42 PM: greg fenwick@hits.clickandtrack[2].txt (ID = 2397)
9:42 PM: Found Spy Cookie: questionmarket cookie
9:42 PM: greg fenwick@questionmarket[1].txt (ID = 3217)
9:42 PM: Found Spy Cookie: realmedia cookie
9:42 PM: greg fenwick@realmedia[1].txt (ID = 3235)
9:42 PM: Found Spy Cookie: reunion cookie
9:42 PM: greg fenwick@reunion[2].txt (ID = 3255)
9:42 PM: greg fenwick@rsi.espn.go[1].txt (ID = 2729)
9:42 PM: greg fenwick@sports.espn.go[1].txt (ID = 2729)
9:42 PM: Found Spy Cookie: tradedoubler cookie
9:42 PM: greg fenwick@tradedoubler[1].txt (ID = 3575)
9:42 PM: Found Spy Cookie: trafficmp cookie
9:42 PM: greg fenwick@trafficmp[1].txt (ID = 3581)
9:42 PM: Found Spy Cookie: webpower cookie
9:42 PM: greg fenwick@webpower[2].txt (ID = 3660)
9:42 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:42 PM: Starting File Sweep
9:43 PM: Found Adware: 180search assistant/zango
9:43 PM: c:\windows\system32\fleok (ID = -2147480556)
9:43 PM: Found Adware: delfin
9:43 PM: c:\documents and settings\all users\application data\pcsvc (27 subtraces) (ID = -2147481135)
9:43 PM: Found Adware: media-motor
9:43 PM: roing17.inf (ID = 74131)
9:44 PM: delfinst.ebd (ID = 57692)
9:44 PM: delfintg.ebd (ID = 57693)
9:45 PM: Found Adware: gsim
9:45 PM: gsim.inf (ID = 61964)
9:46 PM: Found Adware: apropos
9:46 PM: exec.exe (ID = 50118)
9:52 PM: tracker9.exe (ID = 57793)
9:53 PM: Found Trojan Horse: all_files downloader
9:53 PM: all_files9.exe (ID = 49706)
9:53 PM: ~mysetup.exe (ID = 57829)
9:53 PM: ink_inkline011.dfn (ID = 57716)
9:53 PM: ink_inkline023-t.dfn (ID = 57718)
9:54 PM: Found Adware: tvmedia
9:54 PM: tvmuknwrd.dll (ID = 81759)
9:54 PM: delfinbd.edx (ID = 57683)
9:54 PM: delfinco.edx (ID = 57683)
9:54 PM: delfined.edx (ID = 57683)
9:54 PM: delfinid.edx (ID = 57691)
9:54 PM: delfindl.edx (ID = 57683)
9:54 PM: delfinaf.edx (ID = 57679)
9:54 PM: delfinky.edx (ID = 57685)
9:54 PM: delfinsi.edx (ID = 57691)
9:54 PM: Found Adware: abetterinternet
9:54 PM: biini.inf (ID = 83199)
9:54 PM: belt.inf (ID = 83154)
9:54 PM: delfinld.edx (ID = 57683)
9:54 PM: Found Adware: ieplugin
9:54 PM: wininit.ini (ID = 63389)
9:54 PM: Found Adware: mindset interactive - favoriteman
9:54 PM: atpartners.inf (ID = 69817)
9:55 PM: File Sweep Complete, Elapsed Time: 00:12:34
9:55 PM: Full Sweep has completed. Elapsed time 00:13:57
9:55 PM: Traces Found: 75
9:55 PM: Removal process initiated
9:55 PM: Quarantining All Traces: abetterinternet
9:55 PM: Quarantining All Traces: 180search assistant/zango
9:55 PM: Quarantining All Traces: all_files downloader
9:55 PM: Quarantining All Traces: apropos
9:55 PM: Quarantining All Traces: delfin
9:55 PM: Quarantining All Traces: gsim
9:55 PM: Quarantining All Traces: ieplugin
9:55 PM: Quarantining All Traces: media-motor
9:55 PM: Quarantining All Traces: mindset interactive - favoriteman
9:55 PM: Quarantining All Traces: tvmedia
9:55 PM: Quarantining All Traces: 2o7.net cookie
9:55 PM: Quarantining All Traces: addynamix cookie
9:55 PM: Quarantining All Traces: adecn cookie
9:55 PM: Quarantining All Traces: adknowledge cookie
9:55 PM: Quarantining All Traces: adrevolver cookie
9:55 PM: Quarantining All Traces: belnk cookie
9:55 PM: Quarantining All Traces: casalemedia cookie
9:55 PM: Quarantining All Traces: clickandtrack cookie
9:55 PM: Quarantining All Traces: go.com cookie
9:55 PM: Quarantining All Traces: pointroll cookie
9:55 PM: Quarantining All Traces: questionmarket cookie
9:55 PM: Quarantining All Traces: realmedia cookie
9:55 PM: Quarantining All Traces: reunion cookie
9:55 PM: Quarantining All Traces: tradedoubler cookie
9:55 PM: Quarantining All Traces: trafficmp cookie
9:55 PM: Quarantining All Traces: webpower cookie
9:55 PM: Quarantining All Traces: yieldmanager cookie
9:55 PM: Removal process completed. Elapsed time 00:00:08
********
1:34 AM: | Start of Session, Tuesday, November 01, 2005 |
1:34 AM: Spy Sweeper started
1:34 AM: Sweep initiated using definitions version 564
1:34 AM: Starting Memory Sweep
1:38 AM: Memory Sweep Complete, Elapsed Time: 00:04:36
1:38 AM: Starting Registry Sweep
1:39 AM: Registry Sweep Complete, Elapsed Time:00:00:13
1:39 AM: Starting Cookie Sweep
1:39 AM: Found Spy Cookie: 2o7.net cookie
1:39 AM: greg fenwick@2o7[2].txt (ID = 1957)
1:39 AM: Found Spy Cookie: spylog cookie
1:39 AM: greg fenwick@spylog[2].txt (ID = 3415)
1:39 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
1:39 AM: Starting File Sweep
1:39 AM: Found Adware: delfin
1:39 AM: c:\documents and settings\all users\application data\pcsvc (27 subtraces) (ID = -2147481135)
1:39 AM: Found Adware: 180search assistant/zango
1:39 AM: c:\windows\system32\fleok (ID = -2147480556)
1:39 AM: Found Adware: media-motor
1:39 AM: roing17.inf (ID = 74131)
1:41 AM: delfinst.ebd (ID = 57692)
1:41 AM: delfintg.ebd (ID = 57693)
1:42 AM: Found Adware: gsim
1:42 AM: gsim.inf (ID = 61964)
1:43 AM: Found Adware: apropos
1:43 AM: exec.exe (ID = 50118)
1:53 AM: tracker9.exe (ID = 57793)
1:54 AM: Found Trojan Horse: all_files downloader
1:54 AM: all_files9.exe (ID = 49706)
1:54 AM: ~mysetup.exe (ID = 57829)
1:54 AM: ink_inkline011.dfn (ID = 57716)
1:54 AM: ink_inkline023-t.dfn (ID = 57718)
1:55 AM: delfinbd.edx (ID = 57683)
1:55 AM: delfinco.edx (ID = 57683)
1:55 AM: delfined.edx (ID = 57683)
1:55 AM: delfinid.edx (ID = 57691)
1:55 AM: delfindl.edx (ID = 57683)
1:55 AM: delfinaf.edx (ID = 57679)
1:55 AM: delfinky.edx (ID = 57685)
1:55 AM: Found Adware: tvmedia
1:55 AM: tvmuknwrd.dll (ID = 81759)
1:55 AM: delfinsi.edx (ID = 57691)
1:55 AM: Found Adware: abetterinternet
1:55 AM: biini.inf (ID = 83199)
1:55 AM: belt.inf (ID = 83154)
1:55 AM: delfinld.edx (ID = 57683)
1:55 AM: Found Adware: ieplugin
1:55 AM: wininit.ini (ID = 63389)
1:55 AM: Found Adware: mindset interactive - favoriteman
1:55 AM: atpartners.inf (ID = 69817)
9:10 PM: Updating spyware definitions
9:10 PM: Your definitions are up to date.
9:11 PM: Processing Startup Alerts
9:11 PM: Removed Startup entry: VirusScan Online
9:11 PM: Removed Startup entry: VSOCheckTask
9:11 PM: Removed Startup entry: QuickTime Task
9:11 PM: Removed Startup entry: NvCplDaemon
9:11 PM: Removed Startup entry: AIM
********
5:53 PM: | Start of Session, Monday, October 31, 2005 |
5:53 PM: Spy Sweeper started
5:53 PM: Sweep initiated using definitions version 564
5:54 PM: Starting Memory Sweep
6:20 PM: Memory Sweep Complete, Elapsed Time: 00:25:58
6:20 PM: Starting Registry Sweep
6:32 PM: Found Adware: delfin
6:32 PM: HKLM\software\dsi\ (ID = 124852)
6:33 PM: Found Adware: gsim
6:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\gsim\ (2 subtraces) (ID = 127019)
6:34 PM: Found Adware: ieplugin
6:34 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} (ID = 128178)
6:37 PM: Found Adware: minigolf
6:37 PM: HKLM\software\minigolf\ (ID = 135062)
6:46 PM: Found Adware: clientman
6:46 PM: HKCR\appid\urlcli.dll\ (1 subtraces) (ID = 701476)
6:46 PM: HKLM\software\classes\appid\urlcli.dll\ (1 subtraces) (ID = 701492)
6:49 PM: Found Adware: keenvalue/perfectnav
6:49 PM: HKU\S-1-5-21-1424036007-3211629993-1255282001-1007\software\microsoft\internet explorer\urlsearchhooks\ || _{5d60ff48-95be-4956-b4c6-6bb168a70310} (ID = 129470)
7:06 PM: Registry Sweep Complete, Elapsed Time:00:46:16
7:06 PM: Starting Cookie Sweep
7:06 PM: Found Spy Cookie: 735 cookie
7:06 PM: greg fenwick@735[1].txt (ID = 2009)
7:06 PM: Found Spy Cookie: websponsors cookie
7:06 PM: greg fenwick@a.websponsors[2].txt (ID = 3665)
7:06 PM: Found Spy Cookie: yieldmanager cookie
7:06 PM: greg fenwick@ad.yieldmanager[1].txt (ID = 3751)
7:06 PM: Found Spy Cookie: adecn cookie
7:06 PM: greg fenwick@adecn[2].txt (ID = 2063)
7:06 PM: Found Spy Cookie: adknowledge cookie
7:06 PM: greg fenwick@adknowledge[1].txt (ID = 2072)
7:06 PM: Found Spy Cookie: adlegend cookie
7:06 PM: greg fenwick@adlegend[1].txt (ID = 2074)
7:06 PM: Found Spy Cookie: hbmediapro cookie
7:06 PM: greg fenwick@adopt.hbmediapro[2].txt (ID = 2768)
7:06 PM: Found Spy Cookie: specificclick.com cookie
7:06 PM: greg fenwick@adopt.specificclick[2].txt (ID = 3400)
7:06 PM: Found Spy Cookie: cc214142 cookie
7:06 PM: greg fenwick@ads.cc214142[2].txt (ID = 2367)
7:06 PM: Found Spy Cookie: pointroll cookie
7:06 PM: greg fenwick@ads.pointroll[2].txt (ID = 3148)
7:06 PM: Found Spy Cookie: ask cookie
7:06 PM: greg fenwick@ask[1].txt (ID = 2245)
7:06 PM: Found Spy Cookie: belnk cookie
7:06 PM: greg fenwick@ath.belnk[1].txt (ID = 2293)
7:06 PM: Found Spy Cookie: atwola cookie
7:06 PM: greg fenwick@atwola[2].txt (ID = 2255)
7:06 PM: Found Spy Cookie: banner cookie
7:06 PM: greg fenwick@banner[2].txt (ID = 2276)
7:06 PM: greg fenwick@belnk[1].txt (ID = 2292)
7:06 PM: Found Spy Cookie: burstnet cookie
7:06 PM: greg fenwick@burstnet[2].txt (ID = 2336)
7:06 PM: Found Spy Cookie: cassava cookie
7:06 PM: greg fenwick@cassava[1].txt (ID = 2362)
7:07 PM: Found Spy Cookie: ccbill cookie
7:07 PM: greg fenwick@ccbill[1].txt (ID = 2369)
7:07 PM: Found Spy Cookie: 2o7.net cookie
7:07 PM: greg fenwick@cnn.122.2o7[1].txt (ID = 1958)
7:07 PM: Found Spy Cookie: 360i cookie
7:07 PM: greg fenwick@ct.360i[2].txt (ID = 1962)
7:07 PM: greg fenwick@dist.belnk[2].txt (ID = 2293)
7:07 PM: Found Spy Cookie: ru4 cookie
7:07 PM: greg fenwick@edge.ru4[2].txt (ID = 3269)
7:07 PM: Found Spy Cookie: empnads cookie
7:07 PM: greg fenwick@empnads[2].txt (ID = 5012)
7:07 PM: Found Spy Cookie: go.com cookie
7:07 PM: greg fenwick@espn.go[2].txt (ID = 2729)
7:07 PM: greg fenwick@games.espn.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@go[1].txt (ID = 2728)
7:07 PM: Found Spy Cookie: clickandtrack cookie
7:07 PM: greg fenwick@hits.clickandtrack[1].txt (ID = 2397)
7:07 PM: greg fenwick@insider.espn.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@log.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@microsoftwga.112.2o7[1].txt (ID = 1958)
7:07 PM: greg fenwick@msnportal.112.2o7[2].txt (ID = 1958)
7:07 PM: Found Spy Cookie: nextag cookie
7:07 PM: greg fenwick@nextag[2].txt (ID = 5014)
7:07 PM: Found Spy Cookie: offeroptimizer cookie
7:07 PM: greg fenwick@offeroptimizer[1].txt (ID = 3087)
7:07 PM: Found Spy Cookie: outster cookie
7:07 PM: greg fenwick@outster[2].txt (ID = 3103)
7:07 PM: Found Spy Cookie: touchclarity cookie
7:07 PM: greg fenwick@partypoker.touchclarity[1].txt (ID = 3567)
7:07 PM: Found Spy Cookie: partypoker cookie
7:07 PM: greg fenwick@partypoker[1].txt (ID = 3111)
7:07 PM: Found Spy Cookie: pokerroom cookie
7:07 PM: greg fenwick@pokerroom[2].txt (ID = 3149)
7:07 PM: Found Spy Cookie: paypopup cookie
7:07 PM: greg fenwick@popunder.paypopup[1].txt (ID = 3120)
7:07 PM: greg fenwick@proxy.espn.go[2].txt (ID = 2729)
7:07 PM: Found Spy Cookie: questionmarket cookie
7:07 PM: greg fenwick@questionmarket[1].txt (ID = 3217)
7:07 PM: Found Spy Cookie: rc cookie
7:07 PM: greg fenwick@rc[1].txt (ID = 3231)
7:07 PM: Found Spy Cookie: reunion cookie
7:07 PM: greg fenwick@reunion[2].txt (ID = 3255)
7:07 PM: Found Spy Cookie: rn11 cookie
7:07 PM: greg fenwick@rn11[2].txt (ID = 3261)
7:07 PM: Found Spy Cookie: adjuggler cookie
7:07 PM: greg fenwick@rotator.adjuggler[1].txt (ID = 2071)
7:07 PM: greg fenwick@rsi.espn.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@search.espn.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@sento.122.2o7[1].txt (ID = 1958)
7:07 PM: greg fenwick@sports-att.espn.go[1].txt (ID = 2729)
7:07 PM: greg fenwick@sports.espn.go[2].txt (ID = 2729)
7:07 PM: Found Spy Cookie: dealtime cookie
7:07 PM: greg fenwick@stat.dealtime[2].txt (ID = 2506)
7:07 PM: Found Spy Cookie: tracking cookie
7:07 PM: greg fenwick@tracking[1].txt (ID = 3571)
7:07 PM: Found Spy Cookie: webpower cookie
7:07 PM: greg fenwick@webpower[2].txt (ID = 3660)
7:07 PM: Found Spy Cookie: burstbeacon cookie
7:07 PM: greg fenwick@www.burstbeacon[1].txt (ID = 2335)
7:07 PM: greg fenwick@www.burstnet[1].txt (ID = 2337)
7:07 PM: greg fenwick@yieldmanager[1].txt (ID = 3749)
7:07 PM: Found Spy Cookie: adserver cookie
7:07 PM: greg fenwick@z1.adserver[1].txt (ID = 2142)
7:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:25
7:07 PM: Starting File Sweep
7:16 PM: Sweep Canceled
7:16 PM: File Sweep Complete, Elapsed Time: 00:09:08
7:16 PM: Traces Found: 67
7:18 PM: Removal process initiated
7:18 PM: Quarantining All Traces: clientman
7:19 PM: Quarantining All Traces: delfin
7:19 PM: Quarantining All Traces: gsim
7:19 PM: Quarantining All Traces: ieplugin
7:19 PM: Quarantining All Traces: keenvalue/perfectnav
7:19 PM: Quarantining All Traces: minigolf
7:19 PM: Quarantining All Traces: 2o7.net cookie
7:19 PM: Quarantining All Traces: 360i cookie
7:19 PM: Quarantining All Traces: 735 cookie
7:19 PM: Quarantining All Traces: adecn cookie
7:19 PM: Quarantining All Traces: adjuggler cookie
7:19 PM: Quarantining All Traces: adknowledge cookie
7:19 PM: Quarantining All Traces: adlegend cookie
7:19 PM: Quarantining All Traces: adserver cookie
7:19 PM: Quarantining All Traces: ask cookie
7:19 PM: Quarantining All Traces: atwola cookie
7:19 PM: Quarantining All Traces: banner cookie
7:19 PM: Quarantining All Traces: belnk cookie
7:19 PM: Quarantining All Traces: burstbeacon cookie
7:19 PM: Quarantining All Traces: burstnet cookie
7:19 PM: Quarantining All Traces: cassava cookie
7:19 PM: Quarantining All Traces: cc214142 cookie
7:19 PM: Quarantining All Traces: ccbill cookie
7:19 PM: Quarantining All Traces: clickandtrack cookie
7:19 PM: Quarantining All Traces: dealtime cookie
7:19 PM: Quarantining All Traces: empnads cookie
7:19 PM: Quarantining All Traces: go.com cookie
7:19 PM: Quarantining All Traces: hbmediapro cookie
7:19 PM: Quarantining All Traces: nextag cookie
7:19 PM: Quarantining All Traces: offeroptimizer cookie
7:19 PM: Quarantining All Traces: outster cookie
7:19 PM: Quarantining All Traces: partypoker cookie
7:19 PM: Quarantining All Traces: paypopup cookie
7:19 PM: Quarantining All Traces: pointroll cookie
7:19 PM: Quarantining All Traces: pokerroom cookie
7:19 PM: Quarantining All Traces: questionmarket cookie
7:19 PM: Quarantining All Traces: rc cookie
7:19 PM: Quarantining All Traces: reunion cookie
7:19 PM: Quarantining All Traces: rn11 cookie
7:19 PM: Quarantining All Traces: ru4 cookie
7:19 PM: Quarantining All Traces: specificclick.com cookie
7:19 PM: Quarantining All Traces: touchclarity cookie
7:19 PM: Quarantining All Traces: tracking cookie
7:19 PM: Quarantining All Traces: webpower cookie
7:19 PM: Quarantining All Traces: websponsors cookie
7:19 PM: Quarantining All Traces: yieldmanager cookie
7:20 PM: Removal process completed. Elapsed time 00:02:00
1:34 AM: Processing Startup Alerts
1:34 AM: Allowed Startup entry: MSConfig
1:34 AM: Allowed Startup entry: Symantec NetDriver Monitor
1:34 AM: Allowed Startup entry: ccApp
1:34 AM: | End of Session, Tuesday, November 01, 2005 |
********
5:50 PM: | Start of Session, Monday, October 31, 2005 |
5:50 PM: Spy Sweeper started
5:53 PM: Your spyware definitions have been updated.
5:53 PM: | End of Session, Monday, October 31, 2005 |


HIJACK THIS


Logfile of HijackThis v1.99.1
Scan saved at 12:03:29 AM, on 11/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\GREGFE~1\LOCALS~1\Temp\~AceTemp\hijackthis-4\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=msgr
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe
O9 - Extra button: Aztec Riches Poker - {7FCF69CA-B1D5-4b13-A6B0-31020DD5A976} - C:\Program Files\aztecrichesMPP\MPPoker.exe
O9 - Extra button: Piggs Peak Poker - {9A315457-791D-4dec-AFB0-9E7ACFF4B506} - C:\Program Files\piggspeakMPP\MPPoker.exe
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: 7Sultans Poker - {FD7CF1CF-331A-4d9e-A3D8-82BC1B1861DA} - C:\Program Files\7SultansMPP\MPPoker.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/m...77/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://131.204.99.250/activex/AxisCamControl.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.aim.com/ygp/aol/plugin/u...AIM.9.5.1.7.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/m...,18/mcgdmgr.cab
O16 - DPF: {D670D0B3-05AB-4115-9F87-D983EF1AC747} (AOL Downloader Plugin) - http://pak02.pictures.aol.com/ygp/aol/plug...US.9.1.6.18.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_216/w...OCX/FlashAX.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...613/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 03 November 2005 - 10:19 AM

I notice that you are using more than one antivirus program. This is very dangerous, as multiple AVs can interfere with one another and actually allow MORE viruses to get through. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning, and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

You have Hijack This running from a temporary folder. It is important that it be run from a permanent folder, because it creates backups of what we fix, in the event there are problems. If you leave it in a temporary folder, it will be deleted as part of the process of cleaning things up, and hence, no backups will be available.

Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have a C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

After you have moved it to a permanent folder, scan with Hijack This and put a checkmark next to the following entries:
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O9 - Extra button: World Poker Exchange - {76028735-BBF1-4044-8DE2-5B90F0C7A77C} - C:\Program Files\WorldPokerExchange\GameClient.exe
O9 - Extra button: Aztec Riches Poker - {7FCF69CA-B1D5-4b13-A6B0-31020DD5A976} - C:\Program Files\aztecrichesMPP\MPPoker.exe
O9 - Extra button: Piggs Peak Poker - {9A315457-791D-4dec-AFB0-9E7ACFF4B506} - C:\Program Files\piggspeakMPP\MPPoker.exe
O9 - Extra button: The Gaming Club Poker - {A18AC347-2CA3-4e5d-AB86-33BFC7EEB931} - C:\Program Files\gamingclubMPP\MPPoker.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: POKER - {FB389F33-303A-4490-9E18-B301A493FBF2} - C:\Program Files\PokermMPP\MPPoker.exe
O9 - Extra button: 7Sultans Poker - {FD7CF1CF-331A-4d9e-A3D8-82BC1B1861DA} - C:\Program Files\7SultansMPP\MPPoker.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_216/w...OCX/FlashAX.cab

Close all windows and browsers and click "fix checked"

Restart your computer, run Spy Sweeper again and post another Hijack This log along with the Spy Sweeper report.
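As an added example (not viccy's or BleepingComputer's code), here is a small Python triage pass over lines in the HijackThis format shown above: it splits each entry into section, CLSID and target, and flags the patterns the reply above acts on (entries pointing at "(no file)" or "(file missing)", O16 ActiveX controls fetched from a URL, and anything running from a Temp folder). The sample lines are constructed from this thread's log; the flag names and heuristics are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis 1.99.1 format; values are copied from the log in this thread.
SAMPLE_LOG = """\
C:\\DOCUME~1\\GREGFE~1\\LOCALS~1\\Temp\\~AceTemp\\hijackthis-4\\HijackThis.exe
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")           # a bare path = "Running processes" line
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class HjtEntry:
    section: str                 # "R3", "O16", ... or "PROC" for a running process
    body: str                    # text after "Oxx - " (the full path for PROC)
    clsid: Optional[str]         # first {GUID} on the line, if any
    target: str                  # last " - " field: a path, a URL or an orphan marker
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    line = line.strip()
    if PATH_RE.match(line):
        return HjtEntry("PROC", line, None, line)
    m = ENTRY_RE.match(line)
    if not m:
        return None                              # header, blank or unknown line
    body, clsid = m.group("body"), CLSID_RE.search(m.group("body"))
    return HjtEntry(m.group("section"), body, clsid.group(0) if clsid else None,
                    body.rsplit(" - ", 1)[-1].strip())


def triage(e: HjtEntry) -> HjtEntry:
    t = e.target
    if any(mk in t for mk in ORPHAN_MARKERS):
        e.flags.append("orphan")              # dead reference; fixing it removes nothing that runs
    if e.section == "O16" and t.lower().startswith(("http://", "https://")):
        e.flags.append("downloaded-activex")  # control fetched from the web; review that site
    if re.search(r"\\temp\\", t, re.IGNORECASE):
        e.flags.append("temp-path")           # e.g. HijackThis itself run from a Temp folder
    return e


def triage_log(text: str) -> List[HjtEntry]:
    return [triage(e) for line in text.splitlines() if (e := parse_line(line)) is not None]
```

Lines that carry no flag (such as the NvCplDaemon O4 entry) still come back parsed, so a reviewer can see the full startup picture rather than only the suspicious items.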

#5 viccy

viccy

    Malware Exterminator


  • Security Colleague
  • 433 posts
  • Gender:Male
  • Location:Kansas

Posted 25 November 2005 - 11:41 AM

Due to the lack of feedback this Topic is closed.