Browser Hijack.. Redirects Me To Other Web Pages



#1 karenc31


Posted 19 March 2006 - 06:17 PM

Hi there

This is the second time my browser has been hijacked. The problem I experience is that when using Google I'm redirected to other pages. NIGHTMARE

The first time I fixed it by restoring my computer, but I have tried to do that again and it just kept saying "unable to restore". I have run Ad-Aware and Spybot numerous times, and I have removed critical objects, but as soon as I go back on to the internet again my searches are redirected.

I have read about HJT on the forums but I'm worried about using it as I'm worried about deleting things I shouldn't, and I'm also not very good when it comes to computers.

Would appreciate some help; please can you keep it as simple as possible.

Thanks Karen



jgweed Yesterday, 09:57 AM Post #2





It is wise to worry about deleting things that you shouldn't, since it could do serious harm to your computer.

You can submit an HJT log to our volunteer team of experts who will use it to analyse your problem and then walk you through deleting the malware step by step. This way you do not have to worry about making a mistake.

Instructions for posting a log are here:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Help is on the way!

Regards,
John




--------------------

Whereof one cannot speak, thereof one should be silent.



karenc31 Yesterday, 08:13 PM Post #3





Hi there

Thanks for getting back to me so quickly. I hope someone can help me get rid of this browser hijacker. I have followed the link you sent me and I have also installed a firewall now... really technical stuff for me.

Below are the Notepad results of HJT. I hope this is OK, as I'm not sure what I was doing, but I think that this is right.

Many thanks, Karen

Logfile of HijackThis v1.99.1
Scan saved at 01:01:21, on 19/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\dmbuf.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Karen Tait\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {61C55C2A-14AD-4382-8239-48DD8BF6FA01} - C:\WINDOWS\System32\jpio.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: (no name) - {F6243730-FCF8-D554-D0EE-D30FA5964DC7} - C:\WINDOWS\System32\lszhcmu.dll (file missing)
O2 - BHO: (no name) - {F624374A-FCFE-A055-D0E6-D40FA7904DCD} - C:\WINDOWS\System32\lszhcmu.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NsaSBb] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [bO#y-] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [bO/G%)fNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [zdablpu] c:\windows\system32\zdablpu.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [dmbuf.exe] C:\WINDOWS\System32\dmbuf.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [KY Control Settings] KYSVCCD.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [KY Control Settings] KYSVCCD.EXE
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [Eoub] C:\Program Files\aemu\ucio.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{816A3747-56BA-4EA9-A68C-A7536ADB945B}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5BA0824-1320-4957-967C-3A7FD370CE19}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAF753EC-AE5D-4D3F-8637-3E0107661FD4}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC45C3E-738E-4EFB-A69F-AB0ED7BC92A3}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CS2\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


 


#2 miekiemoes


Posted 20 March 2006 - 02:08 PM

Hello,

I see mainly leftovers from previous infections and one active infection.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {61C55C2A-14AD-4382-8239-48DD8BF6FA01} - C:\WINDOWS\System32\jpio.dll (file missing)
O2 - BHO: (no name) - {F6243730-FCF8-D554-D0EE-D30FA5964DC7} - C:\WINDOWS\System32\lszhcmu.dll (file missing)
O2 - BHO: (no name) - {F624374A-FCFE-A055-D0E6-D40FA7904DCD} - C:\WINDOWS\System32\lszhcmu.dll (file missing)
O4 - HKLM\..\Run: [NsaSBb] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [bO#y-] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [bO/G%)fNbC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [zdablpu] c:\windows\system32\zdablpu.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [dmbuf.exe] C:\WINDOWS\System32\dmbuf.exe
O4 - HKLM\..\RunServices: [KY Control Settings] KYSVCCD.EXE
O4 - HKCU\..\Run: [KY Control Settings] KYSVCCD.EXE
O4 - HKCU\..\Run: [Eoub] C:\Program Files\aemu\ucio.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{816A3747-56BA-4EA9-A68C-A7536ADB945B}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5BA0824-1320-4957-967C-3A7FD370CE19}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAF753EC-AE5D-4D3F-8637-3E0107661FD4}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFC45C3E-738E-4EFB-A69F-AB0ED7BC92A3}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O17 - HKLM\System\CS2\Services\Tcpip\..\{111BF597-95EB-4358-816B-5CCDD04A4144}: NameServer = 85.255.113.131,85.255.112.123
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 karenc31


Posted 20 March 2006 - 03:08 PM

Hi miekiemoes

Thank you very much for taking the time to help me.

Can I just tell you what happened while following your instructions:

1. Couldn't find O4 - HKLM\..\Run: [dmbuf.exe] C:\WINDOWS\System32\dmbuf.exe

2. Fixed checked the rest, no problem

3. Downloaded Fixwareout; a black box asked me to press any key, which I did, and a Notepad came up with some info. I closed down and rebooted myself, then did a new HJT log.
Now my laptop is making odd sounds like a fan noise, not sure what this is???

Info you requested

Fixwareout

Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00
.....
End vxd check
.....
please post this at the forum

Logfile of HijackThis v1.99.1
Scan saved at 20:00:06, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\dmccc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Karen Tait\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [dmccc.exe] C:\WINDOWS\System32\dmccc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#4 miekiemoes


Posted 20 March 2006 - 03:16 PM

Hello,

1. Couldn't find O4 - HKLM\..\Run: [dmbuf.exe] C:\WINDOWS\System32\dmbuf.exe


Yes, that's because it renames all the time. Now it's O4 - HKLM\..\Run: [dmccc.exe] C:\WINDOWS\System32\dmccc.exe
But fixwareout deals with that. But we need to fix that error in it first, otherwise fixwareout won't work.

Let's fix the autoexec.nt error first.

If you have XP Home, download and use the following:
http://homepage.ntlworld.com/spencer.greys...XPHomeFiles.exe

If you have XP Professional, download and use the following:
http://homepage.ntlworld.com/spencer.greys.../XPProfiles.exe

Then run Fixwareout again.
Normally the fix should work as I explained before, with the automatic reboot.

Post the Fixwareout log and a new HijackThis log in your next reply.

Edited by miekiemoes, 20 March 2006 - 03:17 PM.

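
The renaming described in the reply above shows up when the O4 autorun lines of two HijackThis scans are compared. The following is an added example, not part of the original thread and not code from HijackThis or Fixwareout: a small Python parser that diffs two scans and pairs a vanished Run entry with a newly appeared one. The sample lines are excerpts of the two logs posted above; the function names and the pairing heuristic (value name equals the executable's file name, same registry key, same directory) are assumptions of this example.

```python
import ntpath
import re
from collections import namedtuple

# Excerpts of the O4 lines from the scans of 19/03/2006 and 20/03/2006
# posted in this thread, trimmed to a few entries for the example.
SCAN_BEFORE = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NsaSBb] C:\WINDOWS\lwderf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmbuf.exe] C:\WINDOWS\System32\dmbuf.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

SCAN_AFTER = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmccc.exe] C:\WINDOWS\System32\dmccc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

RunEntry = namedtuple("RunEntry", "hive key name command")

# Matches registry autoruns such as "O4 - HKLM\..\Run: [name] command".
# "O4 - Global Startup:" shortcut lines have a different shape and are skipped.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")


def parse_o4(log_text):
    """Return the set of registry autorun entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        match = O4_RE.match(line.strip())
        if match:
            entries.add(RunEntry(*match.groups()))
    return entries


def exe_path(command):
    """Extract the executable path from a Run command line.

    Handles quoted paths and unquoted paths that contain spaces by cutting
    at the first executable extension.
    """
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else command.split()[0]


def is_self_named(entry):
    """True when the registry value name is the executable's own file name."""
    return entry.name.lower() == ntpath.basename(exe_path(entry.command)).lower()


def diff_scans(before_text, after_text):
    """Compare two scans; return (removed, added, renames).

    A rename is a removed self-named entry paired with an added self-named
    entry under the same hive and key whose executable is in the same folder.
    """
    before, after = parse_o4(before_text), parse_o4(after_text)
    removed = sorted(before - after)
    added = sorted(after - before)
    renames = []
    for old in removed:
        if not is_self_named(old):
            continue
        old_dir = ntpath.dirname(exe_path(old.command)).lower()
        for new in added:
            new_dir = ntpath.dirname(exe_path(new.command)).lower()
            if (is_self_named(new)
                    and (new.hive, new.key) == (old.hive, old.key)
                    and new_dir == old_dir):
                renames.append((old, new))
    return removed, added, renames


if __name__ == "__main__":
    removed, added, renames = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for old, new in renames:
        print(f"possible rename: [{old.name}] -> [{new.name}] under {old.hive}\\..\\{old.key}")
    paired = {old for old, _ in renames}
    for entry in removed:
        if entry not in paired:
            print(f"removed: [{entry.name}] {entry.command}")
```

A self-named entry that is stable across scans, such as CTFMON.EXE here, is never reported; only an entry that disappears while a look-alike appears is paired.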

#5 karenc31


Posted 20 March 2006 - 03:49 PM

hi there,

No problems this time :thumbsup:

Fixwareout

Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\cccmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmccc.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...
* csr.exe C:\WINDOWS\System32\CSYNH.EXE

Misc files

Checking for older varients covered by the Rem3 tool


New HJT log

Logfile of HijackThis v1.99.1
Scan saved at 20:46:32, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Karen Tait\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINDOWS\System32\SCardClnt.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

#6 miekiemoes


Posted 20 March 2006 - 03:55 PM

Great!

Now delete the following file:

C:\WINDOWS\System32\CSYNH.EXE

It is better to check whether the following file is still present and delete it as well:

C:\WINDOWS\System32\dmccc.exe

Then go to Start > Run and copy and paste the following into the field:

sc delete SCardClnt <click ok>

As a final checkup, I also want you to perform the following online scan to see what else is still present there.
* Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply together with a new HijackThis log.

#7 karenc31


Posted 20 March 2006 - 04:50 PM

hi there

WOW... don't think that looks too good. Should I cry now or is it OK?

Panda scan report


Incident Status Location

Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\ICD2.tmp\v3cab.inf
Virus:Trj/LowZones.BB Disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\Temporary Internet Files\Content.IE5\OVKH2DI9\up[1].jpg
Adware:Adware/DelFinMedia Not disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\motoin.exe
Dialer:Dialer.BMS Not disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\ICD5.tmp\99930080.exe
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\sa1.exe
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Karen Tait\Cookies\karen tait@xiti[1].txt
Spyware:Cookie/Qsrch Not disinfected C:\Documents and Settings\Karen Tait\Cookies\karen tait@qsrch[2].txt
Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\kansy.reg
Virus:Trj/LowZones.BB Disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\p.bat
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp1.html
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp2.html
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp3.html
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp4.html
Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp5.html
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/CWS.Aboutblank Not disinfected C:\Recycled\Q330995.exe
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\1024\ld8E4C.tmp
Virus:Trj/LowZones.BB Disinfected C:\WINDOWS\system32\up.exe
Potentially unwanted tool:Application/Zango Not disinfected C:\WINDOWS\system32\%SYSROOT%\kansy.reg
Virus:Trj/LowZones.BB Disinfected C:\WINDOWS\system32\%SYSROOT%\p.bat
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp1.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp2.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp3.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp4.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp5.html
Adware:adware/imgiant Not disinfected C:\WINDOWS\inf\adrmimg.inf
Virus:Trj/LowZones.BB Disinfected C:\WINDOWS\p.bat
Potentially unwanted tool:Application/Zango Not disinfected C:\WINDOWS\kansy.reg
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\update-sp1.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\update-sp2.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\update-sp3.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\update-sp4.html
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\update-sp5.html
Adware:adware/transponder Not disinfected C:\WINDOWS\LastGood\INF\ceres.inf
Dialer:Dialer.GPO Not disinfected C:\WINDOWS\Downloaded Program Files\gba2335.exe
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\joyiconsbbb.exe
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta33.ini

New HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 21:46:22, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10MT2.EXE
C:\Documents and Settings\Karen Tait\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Edited by karenc31, 20 March 2006 - 04:56 PM.
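
Added example, not part of the original posts: a Python sketch that parses rows of the Panda report above, lists what the scanner left on disk ("Not disinfected"), and flags directories whose name is a literal, unexpanded variable such as %SYSROOT%. The row layout is inferred from this report, and the function names are this example's own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind name status path")

# Rows copied from the report above (subset); the header line is kept on
# purpose to show that non-data lines are skipped.
REPORT = r"""
Incident Status Location
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\Karen Tait\Local Settings\Temp\ICD2.tmp\v3cab.inf
Potentially unwanted tool:Application/Zango Not disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\kansy.reg
Virus:Trj/LowZones.BB Disinfected C:\Documents and Settings\Karen Tait\%SYSROOT%\p.bat
Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
Virus:Trj/LowZones.BB Disinfected C:\WINDOWS\system32\up.exe
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\%SYSROOT%\update-sp1.html
Dialer:Dialer.GPO Not disinfected C:\WINDOWS\Downloaded Program Files\gba2335.exe
"""

# "<type>:<detection name> <status> <drive path>"; the type may contain
# spaces ("Potentially unwanted tool"), so it is delimited by the first colon.
ROW = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>\S+) "
    r"(?P<status>Not disinfected|Disinfected) "
    r"(?P<path>[A-Za-z]:\\.+)$"
)
# A path component that is nothing but %NAME%: a variable that was written
# to disk literally instead of being expanded.
LITERAL_VAR = re.compile(r"^%[^%\\]+%$")


def parse_report(text):
    """Return a Finding for every data row; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Finding(**m.groupdict()))
    return rows


def still_on_disk(findings):
    """Paths the scanner reported but did not clean, grouped by detection."""
    pending = {}
    for f in findings:
        if f.status == "Not disinfected":
            pending.setdefault(f.name, []).append(f.path)
    return pending


def literal_variable_dirs(findings):
    """Directories whose own name is an unexpanded %VAR% reference."""
    dirs = set()
    for f in findings:
        parts = f.path.split("\\")
        for i, part in enumerate(parts[:-1]):  # skip the file name itself
            if LITERAL_VAR.match(part):
                dirs.add("\\".join(parts[: i + 1]))
    return sorted(dirs)


if __name__ == "__main__":
    found = parse_report(REPORT)
    for name, paths in still_on_disk(found).items():
        print(name, len(paths))
    for d in literal_variable_dirs(found):
        print("review folder:", d)
```
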


#8 miekiemoes

Posted 20 March 2006 - 05:08 PM

Hello,

Delete the next files:

C:\Documents and Settings\Karen Tait\%SYSROOT%\kansy.reg
C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp1.html
C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp2.html
C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp3.html
C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp4.html
C:\Documents and Settings\Karen Tait\%SYSROOT%\update-sp5.html
C:\Program Files\Aprps <== folder
C:\WINDOWS\system32\1024 <== folder
C:\WINDOWS\system32\%SYSROOT%\kansy.reg
C:\WINDOWS\system32\%SYSROOT%\update-sp1.html
C:\WINDOWS\system32\%SYSROOT%\update-sp2.html
C:\WINDOWS\system32\%SYSROOT%\update-sp3.html
C:\WINDOWS\system32\%SYSROOT%\update-sp4.html
C:\WINDOWS\system32\%SYSROOT%\update-sp5.html
C:\WINDOWS\inf\adrmimg.inf
C:\WINDOWS\joyiconsbbb.exe
C:\WINDOWS\ubber60.ini
C:\WINDOWS\usta33.ini
C:\WINDOWS\kansy.reg
C:\WINDOWS\update-sp1.html
C:\WINDOWS\update-sp2.html
C:\WINDOWS\update-sp3.html
C:\WINDOWS\update-sp4.html
C:\WINDOWS\update-sp5.html
C:\WINDOWS\LastGood\INF\ceres.inf

Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

Now search and delete:

C:\WINDOWS\Downloaded Program Files\gba2335.exe

Go to start > run and type regsvr32 occache.dll
Click OK

Can you tell me what else is in the next folders after deleting the above files?

C:\Documents and Settings\Karen Tait\%SYSROOT%
C:\WINDOWS\system32\%SYSROOT%

Looks like these folders are created by this infection, buggy install maybe -- so I want to be sure here.

Also perform the following:

* Clean your IE cookies and cache:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
Empty your recycle bin.

#9 karenc31

Posted 20 March 2006 - 05:40 PM

hi again

C:\Documents and Settings\Karen Tait\%SYSROOT%

In this file there are two things

protect_new_55x55
WindowsXP_masthead_ltr

C:\WINDOWS\system32\%SYSROOT%

also in this file is

protect_new_55x55
WindowsXP_masthead_ltr


thanx karen

#10 miekiemoes

Posted 20 March 2006 - 05:53 PM

Yes, must be set by this malware. Most probably an attempt to install it in Windows folder, but failed there.

Delete the next folders:

C:\WINDOWS\system32\%SYSROOT%
C:\Documents and Settings\Karen Tait\%SYSROOT%

Also check whether the next are present and delete them:

C:\Windows\protect_new_55x55
C:\Windows\WindowsXP_masthead_ltr

Looks like this one is also responsible for changing the ActiveX security settings.
To fix this...Open Internet Explorer > internet options > security > internet.
Press default level > OK.
Press custom level
In the ActiveX part:
Set "Download signed and unsigned ActiveX controls" to prompt.
Set "Initialize and Script ActiveX controls not marked as safe" to "disable".

Let me know in your next reply how things are running now. :thumbsup:

#11 karenc31

Posted 20 March 2006 - 06:11 PM

hello

I have deleted those last files, and emptied my recycle bin

My settings in my internet options were already set at the ones you asked me to change them to :thumbsup:

everything seems to be running ok,

Just wondering what this address is in my home page, I can't delete it and I keep getting redirected to it

http://67.29.139.199/redirect/?affiliate=A...3&Terms=browser has been hijacked&alid=&v3=Z3010569533@@

Is this still part of the infection?

Thanx for everything this evening you have been brilliant

karen

#13 miekiemoes

Posted 20 March 2006 - 06:19 PM

So you are still getting redirected? Hmmm..

Anyway, can you also check and fix the next entry in HijackThis please?

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

Then run fixwareout again, because it looks like something is still present there.

Post a new HijackThis log and the log from Fixwareout in your next reply.

#14 miekiemoes

Posted 20 March 2006 - 06:32 PM

Hi Karen,

I also want you to perform some other things as well.
I notice your Windows is unpatched.
You don't even have Service Pack 1 installed!
Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems.
Please visit http://www.microsoft.com/windowsxp/downloa...p1/network.mspx and update to Service Pack 1. Without this update, you're wide open to re-infection.
When your system is clean afterwards, then update to SP2, because updating to SP2 CAN cause problems as long as you are infected.

I also want you to perform the following:

Download winpfind

Reboot in SAFE MODE !! Important !!
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key

Double-click winpfind.exe
Click Start Scan.
It will scan for a while, so please be patient.
Let it finish the job.

Reboot back to normal mode.

Post the contents of winpfind.txt, which is present in the winpfind folder, also in your next reply.

I won't be able to reply immediately from now on, because it's already midnight here and I need my bed. :thumbsup: But I will reply tomorrow in the morning before going to work.

#15 karenc31

Posted 20 March 2006 - 06:35 PM

hi

it has been redirecting me since we have been working on it, but I'm just worried because it is there

Fixwareout ver 1.003
Last edited march/15/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Search by size and names...

Misc files

Checking for older varients covered by the Rem3 tool


Logfile of HijackThis v1.99.1
Scan saved at 23:32:00, on 20/03/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Karen Tait\Desktop\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
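
Added example, not part of the original posts: comparing two HijackThis scans entry by entry shows what a fix actually changed and which entries still deserve a look. The sample lines are copied from the 21:46:22 and 23:32:00 logs in this thread (a subset); the function names and the two review rules are this example's own.

```python
import re

# Subset of the scan saved at 21:46:22, before the R0 entry was fixed.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Subset of the scan saved at 23:32:00, after the fix.
SCAN_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the running-process list do not match and are skipped.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log):
    """Return (code, body) tuples in the order they appear in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def diff_scans(before, after):
    """Entries that disappeared and entries that appeared between scans."""
    b, a = set(parse_entries(before)), set(parse_entries(after))
    return sorted(b - a), sorted(a - b)


def review_flags(log):
    """Entries worth a second look; a flag is a prompt, not a verdict."""
    flags = []
    for code, body in parse_entries(log):
        if body.endswith("(file missing)"):
            flags.append((code, "registered file not on disk", body))
        elif code in ("R0", "R1") and body.endswith("="):
            flags.append((code, "browser setting with empty value", body))
    return flags


if __name__ == "__main__":
    removed, added = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    for code, body in removed:
        print("gone :", code, body)
    for code, body in added:
        print("new  :", code, body)
    for code, reason, body in review_flags(SCAN_AFTER):
        print("check:", code, reason)
```
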



