
Spyware-yazzle?


7 replies to this topic

#1 jhansen007 (Members, 5 posts)

Posted 05 October 2006 - 06:21 PM

I got some sort of Trojan on my computer today at work, through Google Toolbar perhaps? It's using Internet Explorer to pop up random windows. Can someone help me remove this? Below is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:55:48 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\WINDOWS\system32\taskmgr.exe
C:\office2000\Office\EXCEL.EXE
C:\Program Files\Winamp\Winamp.exe
C:\Autodesk 2007\Land Dekstop\acad.exe
C:\DOCUME~1\jhansen\LOCALS~1\Temp\AdskCleanup.0001
C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
C:\Program Files\HEC\HEC-RAS\3.1.3\ras.exe
C:\OFFICE~1\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\InstallFiles\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Scansoft\PaperPort\xdcla.exe
O4 - Global Startup: Microsoft Office.lnk = C:\office2000\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.200
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://10.0.0.200/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://10.0.0.200/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://10.0.0.200/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\Software\..\Telephony: DomainName = denver.hws-con.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: InterPlot IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe




Also, not sure if this is helpful, but here is my McAfee VirusScan log from the crap it was finding today:

10/5/2006 10:00:16 AM Engine version = 4.4.00
10/5/2006 10:00:16 AM DAT version = 4866
10/5/2006 10:00:16 AM Number of virus signatures in EXTRA.DAT = None
10/5/2006 10:00:16 AM Names of viruses that EXTRA.DAT can detect = None
10/5/2006 10:18:48 AM Deleted DENVER\jhansen YazzleBundle-12 C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Downloader-EV (Trojan)
10/5/2006 10:19:03 AM Move failed (Clean failed) DENVER\jhansen drsmartload.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\IDWRGVC7\RDFX4[1].exe Zquest (Trojan)
10/5/2006 10:19:03 AM Deleted DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\WhAgent.exe Spyware-WebHancer (Spyware)
10/5/2006 10:19:03 AM Deleted DENVER\jhansen drsmartload.exe C:\RDFX4.exe Zquest (Trojan)
10/5/2006 10:19:04 AM Deleted DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\WhSurvey.exe Spyware-WebHancer (Spyware)
10/5/2006 10:19:04 AM Moved (Clean failed) DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\Webhdll.dll Spyware-WebHancer (Spyware)
10/5/2006 10:19:05 AM Moved (Clean failed) DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\whiehlpr.dll Spyware-WebHancer (Spyware)
10/5/2006 10:19:08 AM Move failed (Clean failed) DENVER\jhansen mmxsnet.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SLQH85IB\optimize[1].exe Adware-DFC (Adware)
10/5/2006 10:19:10 AM Deleted DENVER\jhansen i22.tmp C:\Documents and Settings\jhansen\Local Settings\Temp\DxcUpdater3.exe Adware-TVMedia (Adware)
10/5/2006 10:19:10 AM Moved (Clean failed) DENVER\jhansen mmxsnet.exe C:\WINDOWS\optimize.exe Adware-DFC (Adware)
10/5/2006 10:19:15 AM Deleted DENVER\jhansen i22.tmp C:\Documents and Settings\jhansen\Local Settings\Temp\DxcUpdater3.exe Adware-TVMedia (Adware)
10/5/2006 10:19:21 AM Deleted DENVER\jhansen i22.tmp C:\Documents and Settings\jhansen\Local Settings\Temp\DxcUpdater3.exe Adware-TVMedia (Adware)
10/5/2006 10:19:27 AM Deleted DENVER\jhansen i22.tmp C:\Documents and Settings\jhansen\Local Settings\Temp\DxcUpdater3.exe Adware-TVMedia (Adware)
10/5/2006 10:19:47 AM Move failed (Clean failed) DENVER\jhansen drsmartload.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\YBOV0DCB\Installer[1].exe Adware-Look2Me (Adware)
10/5/2006 10:19:47 AM Deleted DENVER\jhansen drsmartload.exe C:\warebundlenewer.exe Adware-Look2Me (Adware)
10/5/2006 10:23:23 AM Move failed (Clean failed) DENVER\jhansen drsmartload.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\JMTG5V3R\installerwnus[1].exe Qoolaid (Trojan)
10/5/2006 10:23:23 AM Deleted DENVER\jhansen drsmartload.exe C:\installerwnusnewer.exe Qoolaid (Trojan)
10/5/2006 10:24:27 AM Deleted DENVER\jhansen pre.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\xload[1].exe Generic Downloader.b (Trojan)
10/5/2006 10:24:29 AM Deleted DENVER\jhansen pre.exe C:\Documents and Settings\jhansen\Local Settings\Temp\xload.exe Generic Downloader.b (Trojan)
10/5/2006 10:24:57 AM Moved (Clean failed) DENVER\jhansen explorer.exe C:\Documents and Settings\jhansen\Local Settings\Temp\rpmnjoue.dll Vundo (Trojan)
10/5/2006 10:24:58 AM Deleted DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\WhAgent.exe Spyware-WebHancer (Spyware)
10/5/2006 10:24:58 AM Deleted DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\WhSurvey.exe Spyware-WebHancer (Spyware)
10/5/2006 10:24:58 AM Moved (Clean failed) DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\Webhdll.dll Spyware-WebHancer (Spyware)
10/5/2006 10:24:59 AM Moved (Clean failed) DENVER\jhansen whCC-GIANT.exe C:\Program Files\whInstall\whiehlpr.dll Spyware-WebHancer (Spyware)
10/5/2006 10:25:04 AM Move failed (Clean failed) DENVER\jhansen mshta.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SLQH85IB\elitepop06[1].exe QLowZones-12 (Trojan)
10/5/2006 10:25:05 AM Moved (Clean failed) DENVER\jhansen mshta.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\optimize[1].exe Adware-DFC (Adware)
10/5/2006 10:25:06 AM Move failed (Clean failed) DENVER\jhansen mshta.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\mtrslib2[1].js Downloader-QG (Trojan)
10/5/2006 10:25:06 AM Deleted DENVER\jhansen mshta.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\mtrslib2[1].js Downloader-AGC (Trojan)
10/5/2006 10:25:06 AM Deleted DENVER\jhansen mshta.exe C:\WINDOWS\elitepop06.exe QLowZones-12 (Trojan)
10/5/2006 10:25:08 AM Deleted DENVER\jhansen mshta.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\ac3_0002[1].exe Downloader-AXF (Trojan)
10/5/2006 10:25:09 AM Deleted DENVER\jhansen Setup90.exe C:\WINDOWS\tapeG22.exe Generic Downloader.s (Trojan)
10/5/2006 10:25:09 AM Deleted DENVER\jhansen Setup90.exe C:\WINDOWS\uninst104.exe Generic Downloader.s (Trojan)
10/5/2006 10:25:17 AM Deleted DENVER\jhansen YazzleBundle-12 C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Downloader-EV (Trojan)
10/5/2006 10:25:50 AM Deleted DENVER\jhansen Setup90.exe C:\Documents and Settings\jhansen\Desktop\TagASaurus.exe Generic AdClicker.p (Trojan)
10/5/2006 10:26:06 AM Move failed (Clean failed) DENVER\jhansen drsmartload1.ex C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\01UFGTQ3\RDFX4[1].exe Zquest (Trojan)
10/5/2006 10:26:11 AM Deleted DENVER\jhansen drsmartload1.ex C:\RDFX4.exe Zquest (Trojan)
10/5/2006 10:26:16 AM Move failed (Clean failed) DENVER\jhansen drsmartload1.ex C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\SHQ3W9U7\Installer[1].exe Adware-Look2Me (Adware)
10/5/2006 10:26:16 AM Deleted DENVER\jhansen drsmartload1.ex C:\warebundlenewer.exe Adware-Look2Me (Adware)
10/5/2006 10:26:50 AM Move failed (Clean failed) DENVER\jhansen drsmartload1.ex C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\896F0TEF\installerwnus[1].exe Qoolaid (Trojan)
10/5/2006 10:26:50 AM Deleted DENVER\jhansen drsmartload1.ex C:\installerwnusnewer.exe Qoolaid (Trojan)
10/5/2006 10:32:16 AM Not scanned (scan timed out) DENVER\jhansen explorer.exe C:\919_133.exe (Virus)
10/5/2006 11:07:42 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\optimize.exe.Vir Adware-DFC (Adware)
10/5/2006 11:07:58 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\optimize[1].exe.Vir Adware-DFC (Adware)
10/5/2006 11:08:04 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:09 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:14 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:20 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:26 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:27 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\Webhdll.dll.Vir Spyware-WebHancer (Spyware)
10/5/2006 11:08:29 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\Webhdll.dll.Vir.0 Spyware-WebHancer (Spyware)
10/5/2006 11:08:31 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\whiehlpr.dll.Vir Spyware-WebHancer (Spyware)
10/5/2006 11:08:34 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\whiehlpr.dll.Vir.0 Spyware-WebHancer (Spyware)
10/5/2006 11:13:36 AM Engine version = 4.4.00
10/5/2006 11:13:36 AM DAT version = 4866
10/5/2006 11:13:36 AM Number of virus signatures in EXTRA.DAT = None
10/5/2006 11:13:36 AM Names of viruses that EXTRA.DAT can detect = None
10/5/2006 11:40:56 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\Webhdll.dll.Vir Spyware-WebHancer (Spyware)
10/5/2006 11:41:05 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\Webhdll.dll.Vir.0 Spyware-WebHancer (Spyware)
10/5/2006 11:41:13 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\whiehlpr.dll.Vir Spyware-WebHancer (Spyware)
10/5/2006 11:41:21 AM Deleted DENVER\jhansen Ad-Aware.exe C:\quarantine\whiehlpr.dll.Vir.0 Spyware-WebHancer (Spyware)
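The McAfee log above is the most useful thing in this post: a helper reads it for what the scanner could not remove and for files that keep coming back after being deleted, since a re-created file means something still running is dropping it. As an added example, not from the thread and not McAfee's own tooling, here is a small Python parser over lines in that log's format that pulls out exactly those two things. It assumes the fields are separated by whitespace as in the copy above (the real file is tab-delimited; runs of whitespace are collapsed first) and that every file path ends in one of the extensions seen in this log, which is what lets a detection name with a space in it ("Generic Downloader.b") be told apart from the path.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# One detection line of a McAfee VirusScan on-access log, after runs of
# whitespace have been collapsed to single spaces. The path is anchored on a
# known file extension so that a detection name containing a space
# ("Generic Downloader.b") is not swallowed into the path (assumption: every
# path in the log ends in one of these extensions, as in the log above).
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<action>.+?) "
    r"(?P<user>[^\s\\]+\\[^\s\\]+) "          # DOMAIN\user
    r"(?P<process>\S+) "                       # process that touched the file
    r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|js|sys|tmp|Vir(?:\.\d+)?)) "
    r"(?:(?P<detection>\S+(?: \S+)*?) )?"      # absent on "Not scanned" lines
    r"\((?P<category>[^()]+)\)$"
)

# Sample input: nine detection lines copied from the log posted above, plus
# one of its header lines to show that non-detection lines are skipped.
SAMPLE_LOG = r"""
10/5/2006 10:00:16 AM Engine version = 4.4.00
10/5/2006 10:18:48 AM Deleted DENVER\jhansen YazzleBundle-12 C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Downloader-EV (Trojan)
10/5/2006 10:19:03 AM Move failed (Clean failed) DENVER\jhansen drsmartload.exe C:\Documents and Settings\jhansen\Local Settings\Temporary Internet Files\Content.IE5\IDWRGVC7\RDFX4[1].exe Zquest (Trojan)
10/5/2006 10:19:03 AM Deleted DENVER\jhansen drsmartload.exe C:\RDFX4.exe Zquest (Trojan)
10/5/2006 10:24:29 AM Deleted DENVER\jhansen pre.exe C:\Documents and Settings\jhansen\Local Settings\Temp\xload.exe Generic Downloader.b (Trojan)
10/5/2006 10:24:57 AM Moved (Clean failed) DENVER\jhansen explorer.exe C:\Documents and Settings\jhansen\Local Settings\Temp\rpmnjoue.dll Vundo (Trojan)
10/5/2006 10:25:17 AM Deleted DENVER\jhansen YazzleBundle-12 C:\Program Files\Common Files\Yazzle1281OinAdmin.exe Downloader-EV (Trojan)
10/5/2006 10:32:16 AM Not scanned (scan timed out) DENVER\jhansen explorer.exe C:\919_133.exe (Virus)
10/5/2006 11:08:04 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
10/5/2006 11:08:09 AM Moved (Clean failed) DENVER\jhansen Ad-Aware.exe C:\quarantine\rpmnjoue.dll.Vir Vundo (Trojan)
"""


@dataclass(frozen=True)
class Event:
    when: str
    action: str
    process: str
    path: str
    detection: str
    category: str


def parse_log(text: str) -> List[Event]:
    events = []
    for raw in text.splitlines():
        line = " ".join(raw.split())        # tabs or double spaces -> one space
        m = LINE_RE.match(line)
        if not m:
            continue                        # engine/DAT header lines, blanks
        events.append(Event(
            when=f"{m['date']} {m['time']}",
            action=m["action"],
            process=m["process"],
            path=m["path"],
            detection=m["detection"] or "(unnamed)",
            category=m["category"],
        ))
    return events


def unresolved(events: List[Event]) -> List[Event]:
    """Detections the scanner could not delete or clean, or never scanned:
    the files that are still live on the box after the scan."""
    return [e for e in events
            if "failed" in e.action.lower() or e.action.startswith("Not scanned")]


def repeat_hits(events: List[Event], min_hits: int = 2) -> Dict[str, int]:
    """Paths detected more than once. A file that comes back after being
    deleted means something still running is re-creating it."""
    counts = Counter(e.path.lower() for e in events)
    return {p: n for p, n in counts.items() if n >= min_hits}


def by_process(events: List[Event]) -> Dict[str, int]:
    """Detections per process. The ones that are not the scanner itself are
    the droppers to look for in the HijackThis log."""
    return dict(Counter(e.process.lower() for e in events).most_common())


def by_detection(events: List[Event]) -> Dict[str, List[str]]:
    grouped = defaultdict(list)
    for e in events:
        grouped[e.detection].append(e.path)
    return dict(grouped)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(f"{len(evts)} detections")
    for e in unresolved(evts):
        print("STILL PRESENT:", e.action, e.path, e.detection)
    for path, n in repeat_hits(evts).items():
        print(f"RE-CREATED x{n}:", path)
    print("by process:", by_process(evts))
```

On the sample, the two things a helper would circle fall straight out: the Vundo DLL is "Moved (Clean failed)" every time it is touched, and the Yazzle downloader is deleted twice at the same path, so the deletions are not sticking.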


#2 -David- (Members, 10,603 posts, Male, London)

Posted 06 October 2006 - 03:24 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is strange that there are no O2s or O20s in the log.
A new infection is hiding these entries from a HijackThis scan.
This means certain infections cannot be seen and are therefore hidden to the helper.
Go to the folder where HijackThis is kept and rename the HijackThis application to "analyse".
This can be done by right-clicking on the program and clicking "rename".
Press Enter, then open "analyse.exe" by double-clicking.
Post a new HijackThis log from the newly named application.

#3 jhansen007 (Topic Starter, Members, 5 posts)

Posted 09 October 2006 - 09:29 AM

Thanks David! OK, I re-ran HijackThis w/o renaming it yet and it looks like some O2 and O20 lines are showing up now. Here's what I have now:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:53 AM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\office2000\Office\OUTLOOK.EXE
C:\InstallFiles\HIJACKTHIS\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47C2A038-18E6-48D3-B03C-8FEDACC4741A} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Scansoft\PaperPort\xdcla.exe
O4 - Global Startup: Microsoft Office.lnk = C:\office2000\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.200
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://10.0.0.200/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://10.0.0.200/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://10.0.0.200/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\Software\..\Telephony: DomainName = denver.hws-con.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: InterPlot IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
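David's point in post #2 is that a helper reads a HijackThis log by section, and that the O2 and O20 sections going missing is itself a signal. As an added example, not from the thread and not HijackThis's own code, here is a Python script that applies a few of the checks a helper applies by eye to lines in HijackThis's format: entries with no name or a dangling file reference, a Run key that launches Internet Explorer at a URL, the expected sections being absent, and a DLL registered both as a BHO (O2) and a Winlogon Notify handler (O20), which is what the log above shows for awtsp.dll. The sample lines are copied from that log, with the benign Adobe, Nero and Intel entries kept so the rules have something to pass over; the rule names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# "O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Bare file names (no directory part) ending in an executable extension.
FILE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe|sys)\b', re.IGNORECASE)

# Sample input: lines copied from the second HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {47C2A038-18E6-48D3-B03C-8FEDACC4741A} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""


def parse_entries(text: str) -> List[Dict]:
    """Split each 'Oxx - ...' line into its section, body and referenced files."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue                                  # header / process list
        body = m["body"]
        entries.append({
            "section": m["section"],
            "body": body,
            "files": {f.lower() for f in FILE_RE.findall(body)},
        })
    return entries


def sections_present(entries: List[Dict]) -> Set[str]:
    return {e["section"] for e in entries}


def missing_sections(entries: List[Dict], expected=("O2", "O20")) -> Set[str]:
    """Expected sections absent from the log. David's point in post #2: a log
    with no O2 (BHO) or O20 (Winlogon Notify) lines at all is suspicious when
    such entries should exist (the Adobe BHO on this machine, for one)."""
    return set(expected) - sections_present(entries)


def triage(entries: List[Dict]) -> List[Tuple[str, str]]:
    """The checks a log helper applies by eye; returns (rule, evidence) pairs."""
    hits = []
    seen_in = defaultdict(set)                       # file name -> sections
    for e in entries:
        sec, body = e["section"], e["body"]
        line = f"{sec} - {body}"
        if "(no name)" in body:
            hits.append(("unnamed-entry", line))
        if "(file missing)" in body or "(no file)" in body:
            hits.append(("dangling-reference", line))
        if sec == "O4" and re.search(r"iexplore\.exe.*https?://", body, re.I):
            hits.append(("run-key-opens-url", line))
        for f in e["files"]:
            seen_in[f].add(sec)
    # The same DLL loaded as a BHO and as a Winlogon Notify handler: the
    # pairing the log above shows for awtsp.dll.
    for f, secs in sorted(seen_in.items()):
        if {"O2", "O20"} <= secs:
            hits.append(("bho-plus-winlogon-notify", f))
    return hits


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    print("missing sections:", missing_sections(ents) or "none")
    for rule, evidence in triage(ents):
        print(f"{rule:26} {evidence}")
```

A dangling reference on its own is often just an uninstalled program (the McAfee service line here), so the rules return evidence rather than verdicts; the unnamed BHO that is also a Winlogon Notify handler is the entry that actually matters in this log.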

#4 -David- (Members, 10,603 posts, Male, London)

Posted 09 October 2006 - 11:07 AM

Hey there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

David

#5 jhansen007 (Topic Starter, Members, 5 posts)

Posted 09 October 2006 - 02:07 PM

Hey David. I ran FixVundo (off of the Symantec site) last Friday and it completed and told me that Vundo was not found on my computer. However, this morning when I signed on, my McAfee anti-virus found the Vundo Trojan and removed it again... so somehow it's slipping by? This is on my machine at work, so perhaps it is on our network? I will try running VundoFix and see how it goes, as it looks like a different program than the one from Symantec. Thanks.

#6 jhansen007

jhansen007
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:11 AM

Posted 09 October 2006 - 02:28 PM

Ok. Ran VundoFix and here's what it found. Still getting popups at this point.


VundoFix V6.2.1
Checking Java version...
Java version is 1.5.0.6
Scan started at 1:09:23 PM 10/9/2006
Listing files found while scanning....
C:\WINDOWS\system32\ldvmlkcl.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ldvmlkcl.exe
C:\WINDOWS\system32\ldvmlkcl.exe Has been deleted!
Performing Repairs to the registry.
Done!

NEW HIJACKTHIS LOG;

Logfile of HijackThis v1.99.1
Scan saved at 1:27:28 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\Documents and Settings\jhansen\Desktop\VundoFix.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\InstallFiles\HIJACKTHIS\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E0B811E1-0E12-44CB-A55F-848F2B5CEFB7} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Scansoft\PaperPort\xdcla.exe
O4 - Global Startup: Microsoft Office.lnk = C:\office2000\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.200
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://10.0.0.200/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://10.0.0.200/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://10.0.0.200/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\Software\..\Telephony: DomainName = denver.hws-con.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: InterPlot IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

#7 jhansen007

jhansen007
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:04:11 AM

Posted 09 October 2006 - 02:54 PM

Ok, I ran VundoFix again and it found 2 more files which got removed upon reboot. I've re-run VundoFix again and it seems to be off my computer for now. Here is my final VundoFix log;


VundoFix V6.2.1
Checking Java version...
Java version is 1.5.0.6
Scan started at 1:09:23 PM 10/9/2006
Listing files found while scanning....
C:\WINDOWS\system32\ldvmlkcl.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ldvmlkcl.exe
C:\WINDOWS\system32\ldvmlkcl.exe Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.1
Checking Java version...
Java version is 1.5.0.6
Scan started at 1:23:40 PM 10/9/2006
Listing files found while scanning....
C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\pstwa.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtsp.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\pstwa.ini
C:\WINDOWS\system32\pstwa.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\awtsp.dll
C:\WINDOWS\system32\awtsp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.2.1
Checking Java version...
Java version is 1.5.0.6
Scan started at 1:34:03 PM 10/9/2006
Listing files found while scanning....
No infected files were found.

And Here is my latest HIJACKTHIS log;

Logfile of HijackThis v1.99.1
Scan saved at 1:54:25 PM, on 10/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
C:\Program Files\Scansoft\PaperPort\xdcla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\InstallFiles\HIJACKTHIS\analyse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E0B811E1-0E12-44CB-A55F-848F2B5CEFB7} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [StartCounterSpyIconApp] C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgentIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: DLO Agent.lnk = C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOClientu.exe
O4 - Global Startup: Image Retriever.lnk = C:\Program Files\Scansoft\PaperPort\xdcla.exe
O4 - Global Startup: Microsoft Office.lnk = C:\office2000\Office\OSA9.EXE
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://10.0.0.200
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://10.0.0.200/auroraweb/BSTeReportsCE9.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://10.0.0.200/auroraweb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://10.0.0.200/auroraweb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\Software\..\Telephony: DomainName = denver.hws-con.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = denver.hws-con.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: CounterSpyAgent - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\Agent\CounterSpyAgent.exe
O23 - Service: InterPlot IMF Printer Driver Service - Unknown owner - C:\win32app\ingr\ipshare\clntutil\bin\pidrpcs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec Backup Exec DLO Agent Change Journal Reader (VRTSChangeJournalReader) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\DLO\DLOChangeLogSvcu.exe

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:09:11 AM

Posted 09 October 2006 - 04:16 PM

Hey there,

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: (no name) - {E0B811E1-0E12-44CB-A55F-848F2B5CEFB7} - C:\WINDOWS\system32\awtsp.dll (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

By the way, do you know anything about the IP 10.0.0.200?
I get the following search result = Internet Assigned Numbers Authority.

David
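The entries David picks out above can also be found mechanically. The script below is an added example, not code from this thread or from HijackThis: it parses lines in the HijackThis v1.99.1 format posted here and applies the same signals a helper uses by hand (entries whose file is missing, unnamed browser hooks, a Run key that starts Internet Explorer with a URL, and a DLL registered both as a BHO and as a Winlogon Notify handler). The sample lines are copied from the logs in this thread; the function names and heuristics are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis v1.99.1 logs in this thread,
# in the state of the first post-VundoFix log (awtsp.dll still on disk).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A55581DC-2CDB-4089-8878-71A080B22342} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E0B811E1-0E12-44CB-A55F-848F2B5CEFB7} - C:\WINDOWS\system32\awtsp.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\system32\adrotate.dll (file missing)
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O20 - Winlogon Notify: awtsp - C:\WINDOWS\system32\awtsp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

# Every HijackThis entry is "<section> - <field> - <field> ...".
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
STATUS_RE = re.compile(r"\s*\((file missing|no file)\)\s*$")
IE_URL_RE = re.compile(r'"?iexplore\.exe"?\s+"?https?://', re.IGNORECASE)


@dataclass
class Entry:
    section: str        # e.g. "O2", "O20", "R3"
    fields: list        # the " - " separated parts after the section code
    raw: str


def parse_hjt(text):
    """Parse HijackThis log text into Entry objects; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).split(" - "), line.strip()))
    return entries


def target_file(entry):
    """Lower-cased file name from the entry's last field, status marker stripped."""
    last = STATUS_RE.sub("", entry.fields[-1])
    return last.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Return [(section, raw_line, [reasons])] for entries worth a closer look."""
    entries = parse_hjt(text)
    # Pass 1: record which hook sections each DLL is registered under, so the same
    # file appearing as a BHO (O2) and a Winlogon Notify handler (O20) correlates.
    sections_by_dll = {}
    for e in entries:
        name = target_file(e)
        if name.endswith(".dll"):
            sections_by_dll.setdefault(name, set()).add(e.section)
    # Pass 2: per-entry signals, the ones a helper applies by hand (assumed heuristics).
    findings = []
    for e in entries:
        reasons = []
        last = e.fields[-1]
        if STATUS_RE.search(last):
            reasons.append("points at a file that no longer exists (orphaned entry)")
        if e.section in ("O2", "R3") and "(no name)" in e.fields[0]:
            reasons.append("browser hook registered without a name")
        if e.section == "O4" and IE_URL_RE.search(last):
            reasons.append("Run key starts Internet Explorer with a URL argument")
        if e.section == "O20" and "O2" in sections_by_dll.get(target_file(e), set()):
            reasons.append("Winlogon Notify DLL is also registered as a BHO")
        if reasons:
            findings.append((e.section, e.raw, reasons))
    return findings


if __name__ == "__main__":
    for section, raw, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {raw}\n    " + "; ".join(reasons))
```

On the sample above the script flags exactly the five entries David asked to have fixed or that VundoFix removed, and leaves the Adobe, Java and Intel graphics entries alone.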
