Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hjt Log: Diagnose


  • Please log in to reply
25 replies to this topic

#1 hithereitstim

hithereitstim

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 10 January 2006 - 07:18 PM

Well, I'm about to install SP2 (I know I know, I'm late =/) and I read that I should be totally clean before I installed it so I just wanted to make sure that I was. Thanks for any help. :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 6:17:19 PM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136565255437
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 11 January 2006 - 04:27 PM

I'm sorry to bump this but I just started my computer and Spybot Resident alerted me with some registry keys and I didn't know what they were so I denied it but it came back and there was no deny key so I pressed allow. :thumbsup:

new hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 3:23:45 PM, on 1/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvvu.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136565255437
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 January 2006 - 06:21 PM

Hi hithereitstim and Welcome to the Bleeping Computer!


Please disable Microsoft Antispywares Real Time Protection is its enabled as it may interfere with this fix.


Please disable TeaTimer in Spybot S&D as it may prevent part of this fix:
Open Spybot and click on Mode, check Advanced Mode:
Check yes to next window.
Click on Tools in bottom left hand corner:
Click on Resident. Uncheck Resident "TeaTimer" box.
Close Spybot. Reboot your computer.


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning .
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\awvvu.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\System32\uvvwa.*
    This will be the vundo filename spelt backwards. For example, if the vundo dll was vundo.dll you would enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\System32\awvvu.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

    O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Please post a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#4 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  

Posted 12 January 2006 - 06:44 PM

Thanks for the help, Cretemonster.

Logfile of HijackThis v1.99.1
Scan saved at 5:40:28 PM, on 1/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136565255437
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\awvvu.dll

The second filepath entered was C:\WINDOWS\System32\uvvwa.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 136 'smss.exe'

Killing PID 704 'explorer.exe'


Killing PID 208 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\awvvu.dll Deleted sucessfully.
C:\WINDOWS\System32\uvvwa.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

And as I said in the first post, I'm going to install SP2 so do you mind helping me making sure my system is clean before I do that? Thanks.

#5 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 12 January 2006 - 08:17 PM

Ill do my best to have ya fit to install SP2.


How about the Panda Scan,any luck?


Download WinPFind:
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder



Restart Normal and post the results of the WinPFind Scan in the next reply.

#6 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 13 January 2006 - 04:22 PM

Thanks Cretemonster.

Pandascan didn't work, actually it hasn't worked the last couple times I tried it. =/

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
UPX! 12/20/2005 6:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 2/12/2004 7:05:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 2/12/2004 7:11:00 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2/11/2004 10:24:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/13/2006 3:12:08 PM S 2048 C:\WINDOWS\bootstat.dat
1/6/2006 10:38:30 AM H 0 C:\WINDOWS\inf\oem42.inf
1/10/2006 5:00:34 PM H 0 C:\WINDOWS\inf\oem43.inf
12/8/2005 6:58:40 PM HS 27661 C:\WINDOWS\system32\ddccy.dll
12/20/2005 9:10:10 PM HS 35341 C:\WINDOWS\system32\gebyv.dll
1/10/2006 8:52:46 PM HS 36877 C:\WINDOWS\system32\mljgf.dll
12/8/2005 6:58:42 PM HS 27661 C:\WINDOWS\system32\pmnnl.dll
11/22/2005 6:12:02 PM S 20273 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915-IE6SP1-20051122.175908.cat
12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 5:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
11/21/2005 7:10:48 AM S 58715 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem45.CAT
1/13/2006 3:12:00 PM H 8192 C:\WINDOWS\system32\config\default.LOG
1/13/2006 3:12:22 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/13/2006 3:12:10 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/13/2006 3:13:20 PM H 98304 C:\WINDOWS\system32\config\software.LOG
1/13/2006 3:12:12 PM H 966656 C:\WINDOWS\system32\config\system.LOG
1/10/2006 5:04:28 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/6/2006 11:15:42 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\9f378a1f-f64e-4316-a93d-9398c4424587
1/6/2006 11:15:42 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/13/2006 3:11:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
8/19/2003 1:20:04 AM 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 2/11/2004 10:34:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 5/30/2003 3:17:20 PM 579584 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 2/12/2004 7:05:00 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 2/11/2004 10:30:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 2/11/2004 10:02:00 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 2/11/2004 10:11:00 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 2/11/2004 9:34:00 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 2/22/2004 10:44:42 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2/11/2004 9:34:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 2/11/2004 9:47:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2/11/2004 9:52:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 2/11/2004 10:01:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 2/20/2003 4:39:50 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 2/11/2004 9:56:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 2/11/2004 9:46:00 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2/11/2004 9:58:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 2/11/2004 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2/11/2004 10:34:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 5/30/2003 3:17:20 PM 579584 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 2/12/2004 7:05:00 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 2/11/2004 10:30:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 2/11/2004 10:02:00 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 2/11/2004 10:11:00 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 2/11/2004 9:34:00 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 2/11/2004 9:34:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2/11/2004 9:47:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 2/11/2004 9:52:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2/11/2004 10:01:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 2/11/2004 10:07:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 2/11/2004 9:56:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 2/11/2004 9:54:00 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 2/11/2004 9:46:00 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 2/11/2004 9:58:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 2/11/2004 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0015\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
12/14/2004 2:43:40 PM 1926 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
4/9/2005 5:58:00 PM 1765 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/13/2004 10:01:40 PM 1903 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
4/2/2004 2:03:38 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
11/8/2005 7:21:58 PM 1815 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
11/8/2005 7:23:02 PM 1962 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
7/22/2004 9:18:42 PM 1738 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/2/2004 3:52:30 AM 675 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/1/2004 5:56:54 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
4/21/2005 5:52:38 PM 1215 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 2:03:38 AM HS 84 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
4/2/2004 4:02:28 AM 1560 C:\Documents and Settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

Checking files in %USERPROFILE%\Application Data folder...
4/1/2004 5:56:54 PM HS 62 C:\Documents and Settings\Owner\Application Data\desktop.ini
9/11/2005 10:12:28 AM 43608 C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZipZag
{A965C8E0-54A7-11D6-BF08-00079500BB23} = C:\PROGRA~1\ZipZag\zipzagcm.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZipZag
{A965C8E0-54A7-11D6-BF08-00079500BB23} = C:\PROGRA~1\ZipZag\zipzagcm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = :
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
KBD C:\HP\KBD\KBD.EXE
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer VTTimer.exe
AGRSMMSG AGRSMMSG.exe
PS2 C:\WINDOWS\system32\ps2.exe
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
BJCFD C:\Program Files\BroadJump\Client Foundation\CFD.exe
IPInSightLAN 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
IPInSightMonitor 02 "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
Motive SmartBridge C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
avast! C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
Logitech Utility Logi_MwX.Exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
WinampAgent C:\Program Files\Winamp\winampa.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqtra08.exe
item HP Digital Imaging Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\HEWLET~1\DIGITA~1\bin\hpqthb08.exe -s
item HP Image Zone Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SBCSEL~1\bin\matcli.exe -boot
item SBC Self Support Tool
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SBC Self Support Tool.lnk
backup C:\WINDOWS\pss\SBC Self Support Tool.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\SBCSEL~1\bin\matcli.exe -boot
item SBC Self Support Tool

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ClubBox
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeviceDiscovery
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpotdd01
hkey HKLM
command C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Software Update
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item HPWuSchd2
hkey HKLM
command "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
0aMCPClient {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} =
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/13/2006 3:18:23 PM

#7 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 13 January 2006 - 04:55 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\ddccy.dll
    C:\WINDOWS\system32\gebyv.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\pmnnl.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Restart Normal and Try this,Open IE and Click Tools-> Internet Options-> Programs and then click "Reset Web Settings"

Now go back and Click the Advanced Tab and then Click "Restore Defaults"

Lets also check some of the IE Settings

1. From within Internet Explorer click the Tools menu and then click on Internet Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.A.) Change the Download signed ActiveX controls to Prompt
B.) Change the Download unsigned ActiveX controls to Disable
C.) Change the Initialize and script ActiveX controls not marked as safe to Disable
D.) Change the File Download to Prompt
E.) Change the Installation of desktop items to Prompt
F.) Change the Launching programs and files in an IFRAME to Prompt
G.) Change the Navigate sub-frames across different domains to Prompt
5. Click 'OK' and save the settings if prompted.
6. Click Apply and then 'OK' to exit the Internet Properties page.


Download The Hoster from here:
http://www.funkytoad.com/download/hoster.zip

Right Click the Zip Folder and Select "Extract All"

Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled

Click "Back up Host files"

Press "Restore Original Hosts" and press "OK"

Exit the Program.


Restart once more and try the Panda scan again,be sure you are using Internet Explorer and when prompted by IE to install the ActiveX content,please install and run the scan.

#8 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  

Posted 13 January 2006 - 11:27 PM

Ran Killbox, that went fine.

Under File Download, there was no Prompt, just Disable amd Enable. I left it on enable.

"Open Hoster and Make sure that the "Make Hosts Writable?" button in the upper right corner is Enabled"

By that you meant click it so it reads Make Hosts Readonly? right? because I did that.

When trying to run the Pandascan, Avast pop ups with some virus thing, I read that it was a false postitive or something. What do you want me to do?

Edited by hithereitstim, 13 January 2006 - 11:33 PM.


#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 14 January 2006 - 05:35 AM

I gotta go fix those instructions.

You want to make sure the Hosts File editable,dont lock the file down by making it read only.

If you did go back and click that same tab again to make it writable.

Avast always flags Pandas installation of ActiveX but there is nothing to worry about,as you said,its a false positive,so go ahead with the scan please.

#10 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 14 January 2006 - 10:49 AM

When I click it to make it writeable, I can't select any of the options, so I'm assuming I did it right the first time.

Panda:

Incident Status Location

Spyware:spyware/searchcentrix Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fx2q0yux.Tim\cookies.txt[.statcounter.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fx2q0yux.Tim\cookies.txt[.go.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fx2q0yux.Tim\cookies.txt[.toplist.cz/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fx2q0yux.Tim\cookies.txt[.com.com/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.ask.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[searchportal.information.com/]
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\ddccy.dll
Virus:Bck/Obot.C Disinfected C:\!KillBox\gebyv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\mljgf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\pmnnl.dll
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\fx2q0yux.Tim\cookies.txt[]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\to8dtqlr.default\cookies.txt[]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-23f72ea5.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-23f72ea5.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-23f72ea5.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-23f72ea5.zip[NewURLClassLoader.class]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\VundoFix\VundoFix\process.exe
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[16847762]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[60960915]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@ath.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@dist.belnk[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@realmedia[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@stats1.reliablestats[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Tiffany\Cookies\tiffany@winfixer[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Tracey\Application Data\Mozilla\Firefox\Profiles\qs6c48tb.default\cookies.txt[]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe


HJT if you need it:
Logfile of HijackThis v1.99.1
Scan saved at 9:48:42 AM, on 1/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare Software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136565255437
O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 14 January 2006 - 11:08 AM

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab

O16 - DPF: {340CCF52-D65F-4A11-80B3-13DC23697B59} (BugsInstall Control) - http://player.bugs.co.kr/install/BugsInstall_2005_11_06.cab

O16 - DPF: {85AF9A98-3423-45E4-8BAD-85645F16AC31} (P3 Bugs VoD Loader Class) - http://player.bugs.co.kr/install/mv/p3bvset.cab


O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/XTools.cab

O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Use Killbox and Delete this file

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-bdf1f78-23f72ea5.zip


Open FireFox-> Click Tools-> Options-> Privacy-> Clear All


Open Internet Explorer,
Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files(Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup(Make sure that all boxes are checked for cleaning)


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Restart and Scan once more with Panda and lets see those results please.

#12 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  

Posted 14 January 2006 - 12:02 PM

I forgot to say Good morning. Good morning Cretemonster. =]


Incident Status Location





Spyware:spyware/searchcentrix Not disinfected

Windows Registry


Spyware:Spyware/Virtumonde Not disinfected C:\

!KillBox\ddccy.dll


Adware:Adware/CWS.Searchmeup Not disinfected

C:\!KillBox\java.jar-bdf1f78-23f72ea5[GetAccess.class]


Adware:Adware/CWS.Searchmeup Not disinfected

C:\!KillBox\java.jar-bdf1f78-23f72ea5[Installer.class]


Spyware:Spyware/Virtumonde Not disinfected C:\

!KillBox\mljgf.dll


Spyware:Spyware/Virtumonde Not disinfected C:\

!KillBox\pmnnl.dll


Potentially unwanted tool:Application/Processor Not disinfected

C:\Documents and Settings\Owner\Desktop\VundoFix\VundoFix\process.exe




Spyware:Cookie/Casalemedia Not disinfected C:

\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.

default\cookies.txt[]


Spyware:Cookie/Server.iad.Liveperson Not disinfected C:

\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.

default\cookies.txt[16847762]


Spyware:Cookie/Server.iad.Liveperson Not disinfected C:

\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.

default\cookies.txt[60960915]


Spyware:Cookie/onestat.com Not disinfected C:

\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.

default\cookies.txt[]


Spyware:Cookie/YieldManager Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@ad.yieldmanager[1].txt




Spyware:Cookie/Belnk Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@ath.belnk[2].txt




Spyware:Cookie/Belnk Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@belnk[1].txt


Spyware:Cookie/Belnk Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@dist.belnk[1].txt


Spyware:Cookie/RealMedia Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@realmedia[2].txt




Spyware:Cookie/Reliablestats Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@stats1.reliablestats[1].txt




Spyware:Cookie/WinFixer Not disinfected C:

\Documents and Settings\Tiffany\Cookies\tiffany@winfixer[2].txt


Spyware:Cookie/YieldManager Not disinfected C:

\Documents and Settings\Tracey\Application Data\Mozilla\Firefox\Profiles\qs6c48tb.

default\cookies.txt[]


Potentially unwanted tool:Application/KillApp.B Not disinfected C

:\hp\bin\KillIt.exe

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 14 January 2006 - 12:21 PM

And a fine mornin to you too! :thumbsup:

Use Pocket Killbox and delete these files

C:\Documents and Settings\Tracey\Application Data\Mozilla\Firefox\Profiles\qs6c48tb.default\cookies.txt[]
C:\Documents and Settings\Tiffany\Cookies\tiffany@ad.yieldmanager[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ath.belnk[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@dist.belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@realmedia[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@stats1.reliablestats[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@winfixer[2].txt



One last Online Scan,please.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#14 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 14 January 2006 - 12:56 PM

EDIT:

Files for Killbox

C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[]
C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[16847762]
C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[60960915]
C:\Documents and Settings\Tracey\Application Data\Mozilla\Firefox\Profiles\qs6c48tb.default\cookies.txt[]
C:\Documents and Settings\Tiffany\Cookies\tiffany@ad.yieldmanager[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ath.belnk[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@dist.belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@realmedia[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@stats1.reliablestats[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@winfixer[2].txt


#15 hithereitstim

hithereitstim
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  •  
  • Local time:01:23 PM

Posted 14 January 2006 - 01:39 PM

EDIT:

Files for Killbox

C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[]
C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[16847762]
C:\Documents and Settings\Tiffany\Application Data\Mozilla\Firefox\Profiles\4l7ydqqj.default\cookies.txt[60960915]

C:\Documents and Settings\Tracey\Application Data\Mozilla\Firefox\Profiles\qs6c48tb.default\cookies.txt[]
C:\Documents and Settings\Tiffany\Cookies\tiffany@ad.yieldmanager[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@ath.belnk[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@dist.belnk[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@realmedia[2].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@stats1.reliablestats[1].txt
C:\Documents and Settings\Tiffany\Cookies\tiffany@winfixer[2].txt


More?! :thumbsup:

I already finished the online scan and deleted the ones in black (the red one didn't exist and the green ones you just edited), do you want me to delete these again? Also, was I supposed to check "delete after reboot" because I left it on "Standard File Kill" and didn't reboot after; I went straight to the online scan.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, January 14, 2006 12:34:16
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/01/2006
Kaspersky Anti-Virus database records: 171797
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 81460
Number of viruses found: 3
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 3626 sec

Infected Object Name - Virus Name
C:\!KillBox\ddccy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\!KillBox\java.jar-bdf1f78-23f72ea5/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\!KillBox\java.jar-bdf1f78-23f72ea5/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\!KillBox\java.jar-bdf1f78-23f72ea5 Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\!KillBox\mljgf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\!KillBox\pmnnl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0003246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0004345.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0004346.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0004347.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0004348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen
C:\System Volume Information\_restore{ED1AD764-6EE8-45D8-B9BD-559926E4C6F0}\RP19\A0004434.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen

Scan process completed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users