Trojan


  • This topic is locked
18 replies to this topic

#1 fishpool

fishpool

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 20 October 2006 - 08:49 PM

I have been trying for the last week to eliminate this problem. I have scanned with all suggested as well as Zone Alarm Pro, Symantec and a bunch of others. In safe mode I can scan and find nothing, but once I connect to the internet normally I get auto-protect results of Trojans about every 17 minutes or so. I had a fairly bad infection of Trojans, dialers, Zlob, downloaders. Some files I also knew were infected, as they were new and I couldn't get rid of them easily; they were only picked up by epest, and I quarantined them manually. A friend recommended doing a system restore to fix the registry, but I'd rather have help and not resort to that. I think I disabled them in msconfig and have done as much as I know how to.
If there's any other info needed, let me know, but that's the sum of the problem.

Thanks in advance for the help.

HIJACK LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:40 AM, on 10/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Documents and Settings\Larry\Desktop\Stuff\installers\HijackThis.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - C:\WINDOWS\system32\knuqapk.dll (disabled by BHODemon)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - C:\WINDOWS\system32\efouinb.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C76CEC3-05DA-1033-0426-041120030001}\MyToolBar.dll (disabled by BHODemon)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C76CEC3-05DA-1033-0426-041120030001}\MyToolBar.dll__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127795160734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingqy32 - wingqy32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:02 AM

Posted 27 October 2006 - 02:29 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:
I apologize for the delay in getting to your log; the helpers here are very busy.

If you still need help, please post a fresh Hijackthis log, in this thread, so I can help you with your malware problems.
If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 fishpool

fishpool
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 27 October 2006 - 06:34 PM

My auto-protect will come up and find a Trojan horse (both Zone Alarm and Symantec), and it will keep finding new ones for hours. Win32 something. But when I do full system scans and such, nothing comes up.

Thanks for your help.



Logfile of HijackThis v1.99.1
Scan saved at 9:30:35 AM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Larry\Desktop\Stuff\installers\HijackThis.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - C:\WINDOWS\system32\knuqapk.dll (disabled by BHODemon)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - C:\WINDOWS\system32\efouinb.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C76CEC3-05DA-1033-0426-041120030001}\MyToolBar.dll (disabled by BHODemon)
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3C76CEC3-05DA-1033-0426-041120030001}\MyToolBar.dll__BHODemonDisabled (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127795160734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingqy32 - wingqy32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#4 fishpool

fishpool
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 28 October 2006 - 04:02 AM

Ad-Aware found some of the Trojans, so here's a newer HijackThis log.

Edit: Also, the infected files start with DWH or AP, with a random 1-3 number/letter combo after it, with a temp.
Zone Alarm picked it up as Win32SillyDI.AGC.

Logfile of HijackThis v1.99.1
Scan saved at 6:59:42 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Larry\Desktop\Stuff\installers\HijackThis.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - C:\WINDOWS\system32\knuqapk.dll (disabled by BHODemon)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - C:\WINDOWS\system32\efouinb.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127795160734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingqy32 - wingqy32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by fishpool, 28 October 2006 - 08:23 PM.


#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:02 AM

Posted 28 October 2006 - 08:51 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - C:\WINDOWS\system32\knuqapk.dll (disabled by BHODemon)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - C:\WINDOWS\system32\efouinb.dll (disabled by BHODemon)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: wingqy32 - wingqy32.dll (file missing)



Reboot your computer.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important note: do not mouse-click ComboFix's window while it's running. That may cause it to stall.


========================================================
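Triaging a HijackThis log by hand is what the helper did in the post above: entries whose target is gone ("(file missing)", "(no file)"), objects that BHODemon disabled but left registered, and unnamed BHOs go on the Fix Checked list. The script below is an added example, not part of this thread and not code from HijackThis or BleepingComputer; it parses the O-section lines of a log and applies exactly those rules, setting "Unknown owner" services aside for review rather than removal. The embedded sample is a constructed subset of the third log posted in this thread. Run on it, the script flags the same O2 and O20 lines the helper checked plus the orphaned SXServ service (which the helper left alone), and it does not flag the dumprep entry, which the helper chose from experience rather than from anything the line itself says.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O-section lines from the third
# HijackThis log in this thread, kept verbatim so the rules below can be
# checked against what the helper actually asked to have fixed.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - C:\WINDOWS\system32\knuqapk.dll (disabled by BHODemon)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - C:\WINDOWS\system32\efouinb.dll (disabled by BHODemon)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: wingqy32 - wingqy32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
"""

# Every HijackThis finding is "O<n> - <body>"; header and process-list lines are not.
ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Entry:
    section: str  # "O2", "O20", "O23", ...
    body: str     # text after "O<n> - "
    raw: str      # the original line, for pasting back into a reply


def parse_log(text):
    """Return the O-section entries of a HijackThis log, in file order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries


def triage(entry):
    """Classify one entry as 'fix', 'review' or 'ok' with a one-line reason.

    The rules are the ones the helper applied by hand in this thread; they
    look only at what the log line itself says, not at any external list.
    """
    body = entry.body
    if body.endswith(ORPHAN_MARKERS):
        return "fix", "target file is gone; the registry entry is dead weight"
    if body.endswith("(disabled by BHODemon)"):
        return "fix", "BHODemon neutralised the object but left its registration behind"
    if entry.section == "O2" and body.startswith("BHO: (no name)"):
        return "fix", "unnamed BHO; legitimate vendors register a display name"
    if entry.section == "O23" and " - Unknown owner - " in body:
        return "review", "service binary carries no vendor info; confirm before touching"
    return "ok", ""


def triage_log(text):
    """Group entries by verdict: {'fix': [(raw, reason), ...], 'review': [...], 'ok': [...]}."""
    results = {"fix": [], "review": [], "ok": []}
    for entry in parse_log(text):
        verdict, reason = triage(entry)
        results[verdict].append((entry.raw, reason))
    return results


def fix_list(text):
    """Just the lines to tick in HijackThis before clicking Fix Checked."""
    return [raw for raw, _ in triage_log(text)["fix"]]


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for verdict in ("fix", "review"):
        for raw, reason in report[verdict]:
            print(f"[{verdict.upper()}] {raw}\n        {reason}")
```

The orphan check runs first on purpose: an O23 service whose binary is missing is a dead registration regardless of who owned it, while a present binary with "Unknown owner" (Adobe LM here) only earns a review flag, since HijackThis reports that for any service whose executable lacks embedded vendor information.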

#6 fishpool

fishpool
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:05:02 PM

Posted 28 October 2006 - 10:16 PM

Here's the log. When running, Zone Alarm kept coming up with warnings, as would be expected. I said yes to all of them. The only suspicious one, I thought, was at the end: nmr or something along those lines, but as it was an effect of the program running I'll assume it's OK.

Thanks for all your assistance, I really appreciate it!



Larry - 06-10-29 14:05:51.89 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Larry\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\Safety Bar
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3C76CEC3-05DA-1033-0426-041120030001}
C:\Program Files\Common Files\{BC76CEC3-05DA-1033-0426-041120030001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))


2006-10-18 11:22 103 --a------ C:\WINDOWS\system32\mit.bat
2006-10-17 21:21 20,232 ---hs---- C:\WINDOWS\system32\wvuusqo.dll
2006-10-17 21:06 87,594 --a------ C:\WINDOWS\g28139182.dll
2006-10-17 18:45 87,594 --a------ C:\WINDOWS\g19690563.dll
2006-10-17 17:40 87,594 --a------ C:\WINDOWS\g15824193.dll
2006-10-17 17:04 87,594 --a------ C:\WINDOWS\g13641675.dll
2006-10-17 14:55 87,594 --a------ C:\WINDOWS\g5895907.dll
2006-10-17 13:33 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-17 12:40 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2006-10-16 04:29 541,733 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-16 04:29 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-10-16 04:29 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-10-16 04:29 108,453 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-10-04 11:35 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-04 11:35 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-04 11:35 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 14:07 -------- d-------- C:\Program Files\Common Files
2006-10-29 14:04 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-10-29 13:54 -------- d-------- C:\Documents and Settings\Larry\Application Data\Launchy
2006-10-29 13:50 -------- d-------- C:\Program Files\Symantec AntiVirus
2006-10-29 13:43 -------- d-------- C:\Documents and Settings\Larry\Application Data\Skype
2006-10-29 13:12 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-29 02:02 -------- d-------- C:\Documents and Settings\Larry\Application Data\.gaim
2006-10-28 23:56 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-21 16:28 -------- d-------- C:\Documents and Settings\Larry\Application Data\gtk-2.0
2006-10-21 13:11 -------- d-------- C:\Program Files\Gaim
2006-10-19 10:58 -------- d-------- C:\Program Files\Mozilla Sunbird
2006-10-19 10:05 -------- d-------- C:\Program Files\PDFCreator
2006-10-18 18:59 -------- d-------- C:\Program Files\MINITAB 14
2006-10-18 18:52 -------- d-------- C:\Program Files\Launchy
2006-10-18 18:49 -------- d-------- C:\Program Files\iTunes
2006-10-18 18:49 -------- d-------- C:\Program Files\Internet Explorer
2006-10-18 18:47 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-18 16:41 -------- d-------- C:\Program Files\Advanced System Optimizer
2006-10-18 16:41 -------- d-------- C:\Program Files\7-Zip
2006-10-18 11:29 -------- d-------- C:\Program Files\Trend Micro
2006-10-18 00:59 -------- d-------- C:\Program Files\DC++
2006-10-18 00:19 -------- d-------- C:\Program Files\Picasa
2006-10-18 00:17 -------- d--h----- C:\Program Files\Zero G Registry
2006-10-18 00:17 -------- d-------- C:\Program Files\Maple 10
2006-10-18 00:15 -------- d-------- C:\Program Files\Hewlett-Packard
2006-10-17 12:48 -------- d-------- C:\Program Files\545 Studios
2006-10-17 12:47 -------- d-------- C:\Documents and Settings\Larry\Application Data\Tenebril
2006-10-17 12:32 -------- d-------- C:\Program Files\Common Files\Scanner
2006-10-17 12:32 -------- d-------- C:\Program Files\CA
2006-10-16 23:47 -------- d-------- C:\Documents and Settings\Larry\Application Data\Lavasoft
2006-10-09 19:29 -------- d-------- C:\Documents and Settings\Larry\Application Data\AdobeUM
2006-10-09 15:56 -------- d-------- C:\Program Files\Picasa2
2006-10-07 18:08 -------- d-------- C:\Documents and Settings\Larry\Application Data\Adobe
2006-10-06 21:45 -------- d-------- C:\Program Files\iPod
2006-10-06 21:41 -------- d-------- C:\Program Files\QuickTime
2006-10-06 21:37 -------- d-------- C:\Program Files\Apple Software Update
2006-09-13 16:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-12 20:58 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-12 20:57 -------- d-------- C:\Program Files\Common Files\Real
2006-09-12 20:41 203776 --a------ C:\WINDOWS\system32\clrviddc.dll
2006-08-30 18:04 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-30 11:34 13000 --a------ C:\Documents and Settings\Larry\Application Data\Comma Separated Values (Windows).CAL
2006-08-30 11:31 -------- d-------- C:\Documents and Settings\Larry\Application Data\Mozilla
2006-08-29 21:43 -------- d-------- C:\Documents and Settings\Larry\Application Data\Thunderbird
2006-08-26 02:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 00:38 75776 --a------ C:\WINDOWS\zllsputility.exe
2006-08-21 23:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 20:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 22:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"nwiz"="nwiz.exe /installquiet"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,1a,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,1a,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,50,01,00,00,00,00,00,00,40,05,00,00,1a,04,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="KODAK Software Updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Novell Login.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Novell Login.lnk"
"backup"="C:\\WINDOWS\\pss\\Novell Login.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\loginw32.exe "
"item"="Novell Login"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SpyCatcher Protector.lnk"
"backup"="C:\\WINDOWS\\pss\\SpyCatcher Protector.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SPYCAT~1\\PROTEC~1.EXE "
"item"="SpyCatcher Protector"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WIRED Login.LNK]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WIRED Login.lnk"
"backup"="C:\\WINDOWS\\pss\\WIRED Login.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WIRED\\WIRED-~1.EXE "
"item"="WIRED Login"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^Scheduler.lnk]
"path"="C:\\Documents and Settings\\Larry\\Start Menu\\Programs\\Startup\\Scheduler.lnk"
"backup"="C:\\WINDOWS\\pss\\Scheduler.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\SPYCAT~1\\SCHEDU~1.EXE "
"item"="Scheduler"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^WASTE.lnk]
"path"="C:\\Documents and Settings\\Larry\\Start Menu\\Programs\\Startup\\WASTE.lnk"
"backup"="C:\\WINDOWS\\pss\\WASTE.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\WASTE\\WASTE.exe "
"item"="WASTE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOL"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\America Online 9.0a\\AOL.EXE\" -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BCMSMMSG"
"hkey"="HKLM"
"command"="BCMSMMSG.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="caissdt"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpqcmon"
"hkey"="HKLM"
"command"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PPActiveDetection"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\eTrust PestPatrol Anti-Spyware\\PPActiveDetection.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gaim]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gaim"
"hkey"="HKCU"
"command"="C:\\Program Files\\Gaim\\gaim.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1114555602\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeScape Media Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PicasaMediaDetector"
"hkey"="HKLM"
"command"="C:\\Program Files\\Picasa\\PicasaMediaDetector.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ManifestEngine"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ISStart"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogiTray"
"hkey"="HKLM"
"command"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lytrzun.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lytrzun"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lytrzun.dll,uscxvpc"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oqabusb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oqabusb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\oqabusb.dll,qiqjjmd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyCatcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SpyCatcher 2006\\SpyCatcher.exe\" reminder"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=dword:00000003
"AOLService"=dword:00000002
"AOL ACS"=dword:00000002
"AOL TopSpeedMonitor"=dword:00000002

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wingqy32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries set to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WIND
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WIND
O23 - Service: LiveUpdate - Symantec Corporation - C:\PR
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIND
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WIND
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O2 - BH
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PR
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 06-10-29 14:09:05.20
C:\ComboFix.txt ... 06-10-29 14:09

#7 Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 29 October 2006 - 05:12 PM

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

    REGEDIT4

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lytrzun.dll]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oqabusb.dll]

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


==============


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\mit.bat
    C:\WINDOWS\system32\wvuusqo.dll
    C:\WINDOWS\g28139182.dll
    C:\WINDOWS\g19690563.dll
    C:\WINDOWS\g15824193.dll
    C:\WINDOWS\g13641675.dll
    C:\WINDOWS\g5895907.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
===============



Please download AVG Anti-Spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
  • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Clean out your Temporary Internet files.
    • Internet Explorer
      • Close Internet Explorer and close any instances of Windows Explorer.
      • Click Start -> Control Panel and then double-click Internet Options.
      • On the General tab, click Delete Files under Temporary Internet Files.
      • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
      • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
      • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
      • Click OK.
    • Firefox (In case you also have Firefox installed)
      • Open Firefox and go to Tools -> Options.
      • Click Privacy in the menu on the left side of the Options window.
      • Click the Clear button located to the right of each option (History, Cookies, Cache).
      • Click OK to close the Options window.
        Alternatively, you can clear all information stored while browsing by clicking Clear All.
        A confirmation dialog box will be shown before clearing the information.
    IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.

  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode.
Please post the results of the AVG Anti-Spyware scan report along with a new Hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
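Added example, not part of Buckeye_Sam's post and not code from ComboFix, HijackThis or Killbox: the three keys in the fixme.reg above were picked out of the startupreg dump by eye. The script below does that triage mechanically over the same export format. It parses the REGEDIT4-style `[section]` / `"name"="value"` text, flags any entry where rundll32 loads a DLL out of the Windows tree that is not on a known-good list (the two random-named lytrzun.dll and oqabusb.dll entries match that, a pattern typical of the Vundo/Virtumonde-family infections of the period), takes an explicit analyst-supplied unwanted list for items such as ViewMgr that no heuristic would catch, and emits the same REGEDIT4 deletion file. The sample export, the known-good DLL set and the unwanted list are constructed for the example; in real triage the allowlist stands in for a signature or hash check on the DLL.

```python
"""Triage the msconfig startupreg keys in a ComboFix / regedit export.

Added example for this thread, not ComboFix, HijackThis or anything the helper
posted. Input is a constructed excerpt copied from the export above.
"""
import re
from typing import Dict, Optional

STARTUPREG_PREFIX = r"HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg"

# Constructed sample: five startupreg keys copied from the log above, in REGEDIT4
# escaping (a backslash escapes backslashes and embedded double quotes).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lytrzun.dll]
"item"="lytrzun"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\lytrzun.dll,uscxvpc"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oqabusb.dll]
"item"="oqabusb"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\oqabusb.dll,qiqjjmd"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"item"="qttask"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"item"="ViewMgr"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
'''

# Assumption: stand-in for the signature/hash check you would really run on a DLL
# that rundll32 loads from the Windows tree; anything not listed here is flagged.
KNOWN_WINDOWS_DLLS = {"nvcpl.dll", "shell32.dll", "advpack.dll", "user32.dll"}
# Assumption: names the analyst has already judged unwanted (here the Viewpoint
# item the helper removed); supplied explicitly, not detected.
UNWANTED_ITEMS = {"viewmgr"}
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?\.dll),(?P<export>\S+)", re.I)


def _unescape(value: str) -> str:
    # Undo REGEDIT4 string escaping: backslash-quote, then doubled backslashes.
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [section] to its "name"="value" pairs (names lower-cased)."""
    entries: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            entries.setdefault(section, {})
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and section is not None:
            entries[section][m.group(1).lower()] = _unescape(m.group(2))
    return entries


def classify(name: str, values: Dict[str, str]) -> Optional[str]:
    """Reason the disabled startup item should go, or None if nothing stands out."""
    m = RUNDLL32_RE.search(values.get("command", ""))
    if m:
        dll = m.group("dll").strip('"')
        base = dll.rsplit("\\", 1)[-1].lower()
        # rundll32 loading an unknown DLL out of the Windows tree with a random
        # export name is exactly what the lytrzun.dll and oqabusb.dll entries show.
        if "\\windows\\" in dll.lower() and base not in KNOWN_WINDOWS_DLLS:
            return f"rundll32 loads unknown {base} (export {m.group('export')}) from the Windows tree"
    if name.lower() in UNWANTED_ITEMS or values.get("item", "").lower() in UNWANTED_ITEMS:
        return "on the analyst's unwanted list"
    return None


def triage(text: str) -> Dict[str, str]:
    """Return {startupreg key name: reason} for every key that should be deleted."""
    prefix = STARTUPREG_PREFIX.lower() + "\\"
    flagged: Dict[str, str] = {}
    for section, values in parse_export(text).items():
        if section.lower().startswith(prefix):
            name = section[len(prefix):]
            reason = classify(name, values)
            if reason:
                flagged[name] = reason
    return flagged


def build_fix_reg(text: str) -> str:
    """Emit a REGEDIT4 file deleting the flagged keys, the shape of fixme.reg above."""
    lines = ["REGEDIT4", ""]
    for name in sorted(triage(text), key=str.lower):
        lines += [f"[-{STARTUPREG_PREFIX}\\{name}]", ""]
    return "\r\n".join(lines)  # CRLF, REGEDIT4 on the very first line, as regedit expects
```

Run `triage(SAMPLE_EXPORT)` to see the three flagged names with their reasons, and `build_fix_reg(SAMPLE_EXPORT)` to get a file byte-for-byte in the shape of the fixme.reg above. One caveat worth keeping in mind: these `Shared Tools\msconfig\startupreg` keys are only msconfig's record of startup items the user unchecked, kept so they can be re-enabled later. Deleting them stops msconfig from offering the items again but does not remove the DLLs on disk or any live Run entries, which is what the Killbox and scan steps in the post are for.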


========================================================

#8 fishpool

  • Topic Starter

  • Members
  • 10 posts

Posted 29 October 2006 - 09:25 PM

OK, all that's been done. The requested logs are below. The PendingFileRename did not come up. Also, sorry about the cookies. I cleared my Firefox stuff, and for some reason the cookies remained. My history and other stuff is gone, but during the scan the cookies still showed up...

Also, looking at the HijackThis log, not that I know all that much, a lot of the things I fixed last time appear to still be there; perhaps I made a mistake somewhere?

Thanks!




Pocket Killbox version 2.0.0.881
Running on Windows XP as Larry(Administrator)
was started @ Monday, October 30, 2006, 11:02 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\mit.bat


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\wvuusqo.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\g28139182.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\g19690563.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\g15824193.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\g13641675.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\g5895907.dll


I Rebooted @ 11:04:03 AM
Killbox Closed(Exit) @ 11:04:11 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Larry(Administrator)
was started @ Monday, October 30, 2006, 11:14 AM

Killbox Closed(Exit) @ 11:14:36 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Larry(Administrator)
was started @ Monday, October 30, 2006, 1:19 PM




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:01:44 PM 10/30/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A43385F0-7113-496D-96D7-B9B550E3FCCA} -> Adware.Isearch : Cleaned with backup (quarantined).
C:\!KillBox\g13641675.dll -> Downloader.Delf.azq : Cleaned with backup (quarantined).
C:\!KillBox\g15824193.dll -> Downloader.Delf.azq : Cleaned with backup (quarantined).
C:\!KillBox\g19690563.dll -> Downloader.Delf.azq : Cleaned with backup (quarantined).
C:\!KillBox\g28139182.dll -> Downloader.Delf.azq : Cleaned with backup (quarantined).
C:\!KillBox\g5895907.dll -> Downloader.Delf.azq : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned.
:mozilla.12017:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12018:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12019:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12020:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12021:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12022:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12023:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12024:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12025:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12026:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12027:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12028:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12029:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.12030:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.40:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.608:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.635:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.636:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.637:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.12073:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.130:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.131:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.146:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.147:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.148:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.12037:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.166:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.167:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.168:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.169:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.179:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.34:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.100:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.95:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.96:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.97:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.98:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.99:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.12103:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.580:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.42:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.43:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.44:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.45:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.46:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.47:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.48:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.445:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.205:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.206:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.207:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.208:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.209:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.210:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.211:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.212:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.476:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.477:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.478:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.479:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.480:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.629:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.35:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.36:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.37:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.38:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.495:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.519:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.520:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.521:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.522:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.523:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.524:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.525:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.617:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.529:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.613:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.451:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.452:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.453:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.592:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.596:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.618:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.611:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.612:C:\Documents and Settings\Larry\Application Data\Mozilla\Firefox\Profiles\a2p7nqqp.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.

Logfile of HijackThis v1.99.1
Scan saved at 1:20:51 PM, on 10/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Launchy\Launchy.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\Documents and Settings\Larry\Desktop\Stuff\installers\HijackThis.exe

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - (no file)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127795160734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wingqy32 - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


::Report end


Sorry it's so long; I was going to remove the cookies, but wasn't sure if that would be the right thing to have done.

- ><>

Edited by fishpool, 29 October 2006 - 09:33 PM.


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:02 AM

Posted 30 October 2006 - 07:18 PM

That's ok. Cookies are not really a problem for anyone.

You must disable Spybot's TeaTimer function before proceeding with this fix. Otherwise it will interfere with HijackThis.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
Once you have TeaTimer disabled, fix these lines with HijackThis.

O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: (no name) - {43463073-D6A1-82AD-8D69-025C19124124} - (no file)
O2 - BHO: (no name) - {49AA3991-E7E6-7C9F-F70A-061DE42541FA} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O20 - Winlogon Notify: wingqy32 - C:\WINDOWS\



=============


We need to update your version of Java.
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 from HERE
    • Scroll down to where it says Java Runtime Environment (JRE) 5.0 Update 9
    • Click the "Download" button to the right.
    • Accept the license agreement.
    • Click Windows Offline Installation, Multi-language to download the file.
  • Once the program has finished downloading:
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      • It should have the Java icon next to it.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.
  • Go back into the Control Panel and double-click the Java Icon.
    • Under Temporary Internet Files, click the Delete Files button.
    • There are three options in the window to clear the cache - Leave ALL 3 Checked
      • Downloaded Applets
      • Downloaded Applications
      • Other Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Java Control Panel.
===========


Reboot and post a new hijackthis log.
How is your computer running now?

Edited by Buckeye_Sam, 30 October 2006 - 07:18 PM.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
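The entries the helper singles out above share two patterns that are worth recognising in any HijackThis log: O2 BHO lines whose CLSID has no DLL on disk, and an O20 Winlogon Notify line that points at a bare directory instead of a DLL (the O23 "(file missing)" service is the same kind of orphan). The script below is an added illustration, not BleepingComputer's or HijackThis's own code; it parses a few constructed lines in the HijackThis 1.99.1 format used in this thread and flags those three patterns so a reader can see why the fix list was chosen. The triage rules are assumptions about what an analyst would look for, not output of the tool itself.

```python
import re

# Constructed sample: a handful of lines in the HijackThis 1.99.1 format
# seen in this thread (not a complete log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [nwiz] nwiz.exe /installquiet
O20 - Winlogon Notify: NavLogon - C:\\WINDOWS\\system32\\NavLogon.dll
O20 - Winlogon Notify: wingqy32 - C:\\WINDOWS\\
O23 - Service: SX Service (SXServ) - Unknown owner - C:\\WINDOWS\\system32\\sxserv101.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\\WINDOWS\\system32\\LEXBCES.EXE
"""

# Every HijackThis entry starts with a section tag such as "O2", "O20", "O23".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Return (section, reason, body) for entries that deserve a closer look.

    Rules (analyst assumptions, not HijackThis logic):
      O2  with "(no file)"      -> BHO registration whose DLL is gone
      O20 Winlogon Notify       -> must name a DLL; a bare directory is broken or suspicious
      O23 with "(file missing)" -> service registered for a binary that no longer exists
    """
    findings = []
    for section, body in entries:
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphaned BHO registration (CLSID with no DLL on disk)", body))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            path = body.split(" - ", 1)[1].strip()
            if not path.lower().endswith(".dll"):
                findings.append((section, "Winlogon Notify entry does not point at a DLL", body))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service registered for a binary that no longer exists", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{section}: {reason}\n    {body}")
```

Winlogon Notify packages are DLLs that winlogon.exe loads at logon, so a registration whose path is just `C:\WINDOWS\` can never be a legitimate package; the orphaned O2 and O23 lines are harmless clutter but are still removed so that later logs stay readable.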


========================================================

#10 fishpool

fishpool
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:02 PM

Posted 30 October 2006 - 09:10 PM

I'd love to say it's all fixed, but I left my computer to load up after restarting and I came back with my Auto-Protect alerts saying they have a virus, the same ones I have had. Symantec quarantines them and Zone Alarm says it has an error. I assume that Symantec is getting it first?

Symantec defines it as Trojan Horse and Zone Alarm has it called Win32.SillyDI.AGC.

Also weird was when I tried to delete some from Quarantine, before this just now, it failed to delete them. Same infection, I think. Any other ideas on cleaning out the system? I have run both multiple times in Safe Mode, and they don't find anything. I quarantined some suspected files on my own, which it says are clean, but I am fairly certain otherwise. Also weird is they only come up when I connect to the Internet. Or do you think formatting is going to become a necessity? Is there a log in Zone Alarm or Symantec that could help?

Anyway, here's the log. Thanks for your help again.

><>

Logfile of HijackThis v1.99.1
Scan saved at 1:06:47 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Larry\Desktop\Stuff\installers\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127795160734
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SX Service (SXServ) - Unknown owner - C:\WINDOWS\system32\sxserv101.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:02 AM

Posted 31 October 2006 - 12:17 PM

No, I don't think we're anywhere near talking about a format yet. In fact, I've never recommended one.
Can you provide any information about the files that Symantec is finding? Filename and location?

Let's run a few more scans that dig a little deeper into your system and see what we can turn up.

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.


=============


Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Services tab.
  • From the two drop down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.

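The GMER scan requested above prints one line per SSDT hook and per device IRP hook, each naming the kernel module that owns it. A rootkit scan like this is only useful if the reader can separate expected hooks (a firewall's TrueVector driver such as vsdatant.sys hooks the same process, file and registry calls on every ZoneAlarm machine) from hooks by a module nobody can account for. The script below is an added illustration and not GMER's or BleepingComputer's code; it parses a constructed excerpt in the GMER 1.0.12 text format used in this thread, groups hooks by owning module, and reports any module missing from an analyst-supplied allowlist. The module name unknownhook.sys is a constructed placeholder, and the allowlist is an assumption the analyst must fill in from what is actually installed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the GMER 1.0.12 text format shown in this thread.
# "unknownhook.sys" is a made-up placeholder for a module the analyst cannot account for.
SAMPLE_GMER = """\
---- System - GMER 1.0.12 ----

SSDT \\SystemRoot\\System32\\vsdatant.sys ZwCreateFile
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwCreateProcess
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwTerminateProcess
SSDT \\??\\C:\\WINDOWS\\system32\\drivers\\unknownhook.sys ZwOpenProcess

---- Devices - GMER 1.0.12 ----

Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \\Driver\\Tcpip \\Device\\Udp IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
"""

# "SSDT <module path> <Zw function>"
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
# "Device <driver object> <device object> <IRP major> [<address>] <module>"
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(IRP_MJ_\w+)\s+\[[0-9A-Fa-f]+\]\s+(\S+)$")


def module_name(path):
    """Reduce a kernel path such as \\SystemRoot\\System32\\vsdatant.sys to its lower-case basename."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Group SSDT and device IRP hooks by the module that owns them."""
    hooks = defaultdict(lambda: {"ssdt": [], "irp": []})
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks[module_name(m.group(1))]["ssdt"].append(m.group(2))
            continue
        m = DEVICE_RE.match(line)
        if m:
            driver, device, major, module = m.groups()
            hooks[module_name(module)]["irp"].append((device, major))
    return dict(hooks)


def review_hooks(hooks, known_modules):
    """Return hooking modules that are not on the analyst's allowlist, sorted by name.

    The allowlist is an assumption: it should be built from the security
    software known to be installed on the machine (here ZoneAlarm's vsdatant.sys).
    """
    return sorted(m for m in hooks if m not in known_modules)


if __name__ == "__main__":
    hooks = parse_gmer(SAMPLE_GMER)
    for module, kinds in sorted(hooks.items()):
        print(f"{module}: {len(kinds['ssdt'])} SSDT hook(s), {len(kinds['irp'])} IRP hook(s)")
    for module in review_hooks(hooks, {"vsdatant.sys"}):
        print(f"unaccounted-for hooking module: {module}")
```

A long list of hooks from one firewall driver is the normal picture on a ZoneAlarm machine; what matters is the short list of modules left over after the known ones are removed, which is exactly what a helper reads for when the pasted GMER output arrives.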


========================================================

#12 fishpool

fishpool
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:02 PM

Posted 31 October 2006 - 08:51 PM

A fair number of the Trojans have the name APQ and then what appears to be a random group of numbers and letters that progresses. They are located in
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp

I also have in my log a large number of Scan Omissions, which it says were done manually, but I didn't.

Zone Alarm found a Trojan called CoolWebSearch
and two infections, Year 1992/2 and Win32.SillyDI.AGC (this is the one that appears when Auto-Protect comes up. I think Symantec simply calls it Trojan Horse. It found over 300 the other day, but once I restart they simply stop appearing. It's like a virus, it seems, in that it replicates, but that doesn't make sense for a Trojan).



GMER 1.0.12.11867 - http://www.gmer.net
Rootkit scan 2006-11-01 11:56:42
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys F47FF13B

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 200 804E2724 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 224 804E273C 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 240 804E274C 4 Bytes
.text ntoskrnl.exe!_abnormal_termination + 260 804E2760 12 Bytes
.text ntoskrnl.exe!_abnormal_termination + 276 804E2770 4 Bytes
.text ...

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F6AFD2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F6AFD2A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03AC0006.VBN:SummaryInformation
ADS C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03AC0006.VBN:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\Larry\My Documents\My eBooks\steve.mat:SummaryInformation
ADS C:\Documents and Settings\Larry\My Documents\My eBooks\steve.mat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

---- EOF - GMER 1.0.12 ----



Logfile created on: 11/01/2006 12:41
WinPFind2 by OldTimer - Version 1.0.12 Folder = C:\Documents and Settings\Larry\Desktop\WinPFind2\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)


< All Processes >
\systemroot\system32\smss.exe - (Microsoft Corporation )
\??\c:\windows\system32\csrss.exe - (Microsoft Corporation )
\??\c:\windows\system32\winlogon.exe - (Microsoft Corporation )
c:\windows\system32\services.exe - (Microsoft Corporation )
c:\windows\system32\lsass.exe - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K DCOMLAUNCH] - (Microsoft Corporation )
(DcomLaunch) C:\WINDOWS\system32\rpcss.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
(TermService) C:\WINDOWS\System32\termsrv.dll - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST -K RPCSS] - (Microsoft Corporation )
(RpcSs) C:\WINDOWS\system32\rpcss.dll - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETSVCS] - (Microsoft Corporation )
(AppMgmt) C:\WINDOWS\System32\appmgmts.dll - (Microsoft Corporation )
(AudioSrv) C:\WINDOWS\System32\audiosrv.dll - (Microsoft Corporation )
(BITS) C:\WINDOWS\System32\qmgr.dll - (Microsoft Corporation )
(Browser) C:\WINDOWS\System32\browser.dll - (Microsoft Corporation )
(CryptSvc) C:\WINDOWS\System32\cryptsvc.dll - (Microsoft Corporation )
(Dhcp) C:\WINDOWS\System32\dhcpcsvc.dll - (Microsoft Corporation )
(dmserver) C:\WINDOWS\System32\dmserver.dll - (Microsoft Corp. )
(ERSvc) C:\WINDOWS\System32\ersvc.dll - (Microsoft Corporation )
(EventSystem) C:\WINDOWS\System32\es.dll - (Microsoft Corporation )
(FastUserSwitchingCompatibility) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(helpsvc) %WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - (File not found))
(HidServ) C:\WINDOWS\System32\hidserv.dll - (Microsoft Corporation )
(lanmanserver) C:\WINDOWS\System32\srvsvc.dll - (Microsoft Corporation )
(lanmanworkstation) C:\WINDOWS\System32\wkssvc.dll - (Microsoft Corporation )
(Messenger) C:\WINDOWS\System32\msgsvc.dll - (Microsoft Corporation )
(Netman) C:\WINDOWS\System32\netman.dll - (Microsoft Corporation )
(Nla) C:\WINDOWS\System32\mswsock.dll - (Microsoft Corporation )
(NtmsSvc) C:\WINDOWS\system32\ntmssvc.dll - (Microsoft Corporation )
(RasAuto) C:\WINDOWS\System32\rasauto.dll - (Microsoft Corporation )
(RasMan) C:\WINDOWS\System32\rasmans.dll - (Microsoft Corporation )
(RemoteAccess) C:\WINDOWS\System32\mprdim.dll - (Microsoft Corporation )
(Schedule) C:\WINDOWS\system32\schedsvc.dll - (Microsoft Corporation )
(seclogon) C:\WINDOWS\System32\seclogon.dll - (Microsoft Corporation )
(SENS) C:\WINDOWS\system32\sens.dll - (Microsoft Corporation )
(SharedAccess) C:\WINDOWS\System32\ipnathlp.dll - (Microsoft Corporation )
(ShellHWDetection) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(srservice) C:\WINDOWS\System32\srsvc.dll - (Microsoft Corporation )
(TapiSrv) C:\WINDOWS\System32\tapisrv.dll - (Microsoft Corporation )
(Themes) C:\WINDOWS\System32\shsvcs.dll - (Microsoft Corporation )
(TrkWks) C:\WINDOWS\system32\trkwks.dll - (Microsoft Corporation )
(W32Time) C:\WINDOWS\System32\w32time.dll - (Microsoft Corporation )
(winmgmt) C:\WINDOWS\system32\wbem\WMIsvc.dll - (Microsoft Corporation )
(WmdmPmSN) C:\WINDOWS\system32\MsPMSNSv.dll - (Microsoft Corporation )
(Wmi) C:\WINDOWS\System32\advapi32.dll - (Microsoft Corporation )
(wscsvc) C:\WINDOWS\system32\wscsvc.dll - (Microsoft Corporation )
(wuauserv) C:\WINDOWS\system32\wuauserv.dll - (Microsoft Corporation )
(WZCSVC) C:\WINDOWS\System32\wzcsvc.dll - (Microsoft Corporation )
(xmlprov) C:\WINDOWS\System32\xmlprov.dll - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K NETWORKSERVICE] - (Microsoft Corporation )
(Dnscache) C:\WINDOWS\System32\dnsrslvr.dll - (Microsoft Corporation )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K LOCALSERVICE] - (Microsoft Corporation )
(Alerter) C:\WINDOWS\system32\alrsvc.dll - (Microsoft Corporation )
(LmHosts) C:\WINDOWS\System32\lmhsvc.dll - (Microsoft Corporation )
(RemoteRegistry) C:\WINDOWS\system32\regsvc.dll - (Microsoft Corporation )
(SSDPSRV) C:\WINDOWS\System32\ssdpsrv.dll - (Microsoft Corporation )
(upnphost) C:\WINDOWS\System32\upnphost.dll - (Microsoft Corporation )
(WebClient) C:\WINDOWS\System32\webclnt.dll - (Microsoft Corporation )
c:\program files\common files\symantec shared\ccevtmgr.exe - (Symantec Corporation )
c:\program files\common files\symantec shared\ccsetmgr.exe - (Symantec Corporation )
c:\windows\system32\lexbces.exe - (Lexmark International, Inc. )
c:\windows\system32\lexpps.exe - (Lexmark International, Inc. )
c:\windows\system32\spoolsv.exe - (Microsoft Corporation )
c:\windows\explorer.exe - (Microsoft Corporation )
c:\program files\grisoft\avg anti-spyware 7.5\guard.exe - (Anti-Malware Development a.s. )
c:\windows\system32\lvcomsx.exe - (Logitech Inc. )
c:\program files\common files\symantec shared\ccapp.exe - (Symantec Corporation )
c:\progra~1\symant~1\vptray.exe - (Symantec Corporation )
c:\program files\itunes\ituneshelper.exe - (Apple Computer, Inc. )
c:\program files\zone labs\zonealarm\zlclient.exe - (Zone Labs, LLC )
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe - (Anti-Malware Development a.s. )
c:\program files\symantec antivirus\defwatch.exe - (Symantec Corporation )
c:\program files\java\jre1.5.0_09\bin\jusched.exe - (Sun Microsystems, Inc. )
c:\windows\system32\nvsvc32.exe - (NVIDIA Corporation )
c:\program files\common files\new boundary\prismxl\prismxl.sys - (New Boundary Technologies, Inc. )
c:\windows\system32\svchost.exe [C:\WINDOWS\SYSTEM32\SVCHOST.EXE -K IMGSVC] - (Microsoft Corporation )
(stisvc) C:\WINDOWS\system32\wiaservc.dll - (Microsoft Corporation )
c:\program files\launchy\launchy.exe - (Code Jelly )
c:\program files\symantec antivirus\rtvscan.exe - (Symantec Corporation )
c:\windows\system32\wdfmgr.exe - (Microsoft Corporation )
c:\windows\system32\zonelabs\vsmon.exe - (Zone Labs, LLC )
c:\windows\system32\wltrysvc.exe - ( )
c:\windows\system32\bcmwltry.exe - (Dell Computer Corporation )
c:\program files\ipod\bin\ipodservice.exe - (Apple Computer, Inc. )
c:\windows\system32\zonelabs\isafe.exe - (Computer Associates International, Inc. )
c:\windows\system32\alg.exe - (Microsoft Corporation )
c:\progra~1\zonela~1\zoneal~1\mailfr~1\mantispm.exe - ( )
c:\program files\mozilla firefox\firefox.exe - (Mozilla Corporation )
c:\documents and settings\larry\desktop\winpfind2\winpfind2.exe - (OldTimer Tools )

< Registry Entries >

[>> Internet Explorer Settings <<]
HKLM->Main\\Start Page - http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
HKLM->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Default_Page_URL - http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM->Main\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKLM->Main\\Local Page - %SystemRoot%\system32\blank.htm
HKCU->Main\\Start Page - about:blank
HKCU->Main\\Search Page - http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
HKCU->Main\\Local Page - C:\WINDOWS\system32\blank.htm
HKLM->Search\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM->Search\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU->URLSearchHooks\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
HKCU->Internet Settings\\ProxyEnable - 0

[>> BHO's <<]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated )
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - SSVHelper Class = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc. )

[>> Internet Explorer Bars, Toolbars and Extensions <<]

[HKLM-> Internet Explorer Bars]
{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )
{FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - Real.com = C:\WINDOWS\system32\Shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer Bars]
{32683183-48a0-441b-a342-7c2a440a9478} - Reg Data - Key not found = Reg Data - Key not found (File not found)
{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation )

[HKCU-> Internet Explorer ToolBars]
ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
WebBrowser\\{4982D40A-C53B-4615-B15B-B5B5E98D167C} - Reg Data - Key not found = Reg Data - Key not found (File not found)

[HKCU-> Internet Explorer CmdMapping]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8198 - Sun Java Console
{4982D40A-C53B-4615-B15B-B5B5E98D167C} - 8195 - Reg Data - Key not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - 8193 - Reg Data - Value does not exist
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8197 - Reg Data - Value does not exist
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - 8196 - Reg Data - Value does not exist
{FB5F1910-F110-11d2-BB9E-00C04F795683} - 8194 - Windows Messenger
NextId - 8199

[HKLM-> Internet Explorer Extensions]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (Sun Microsystems, Inc. )
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} (HKCU CLSID) - MenuText: Sun Java Console = C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll (Sun Microsystems, Inc. )
{92780B25-18CC-41C8-B9BE-3C9C571A8263} - ButtonText: Research = Reg Data - Value does not exist (File not found)
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\AIM\aim.exe (America Online, Inc. )
{CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - ButtonText: Real.com = Reg Data - Value does not exist (File not found)
{FB5F1910-F110-11d2-BB9E-00C04F795683} - ButtonText: Messenger = C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation )
CmdMapping - MenuText: Reg Data - Value does not exist = Reg Data - Key not found (File not found)

[HKCU-> Internet Explorer Menu Extensions]
E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 (Microsoft Corporation )

[>> Approved Shell Extensions (Non-Microsoft only) <<]

[HKLM-> Approved Shell Extensions]
{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = Reg Data - Key not found (File not found)
{1CDB2949-8F65-4355-8456-263E7C208A5D} - Desktop Explorer = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A47} - Desktop Explorer Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{1E9B04FB-F9E5-4718-997B-B8DA88302A48} - nView Desktop Context Menu = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
{23170F69-40C1-278A-1000-000100020000} - 7-Zip Shell Extension = C:\Program Files\7-Zip\7-zip.dll ( )
{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = Reg Data - Key not found (File not found)
{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3} - My Logitech Pictures = C:\Program Files\Logitech\Video\Namespc2.dll (Logitech Inc. )
{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll (File not found)
{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = Reg Data - Key not found (File not found)
{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = Reg Data - Key not found (File not found)
{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = Reg Data - Key not found (File not found)
{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc. )
{A70C977A-BF00-412C-90B7-034C51DA2439} - NvCpl DesktopContext Class = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
{acb4a560-3606-11d3-aef4-00104bd0f92d} - KodakShellExtension = C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll (Eastman Kodak Company )
{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc. )
{BDA77241-42F6-11d0-85E2-00AA001FE28C} - LDVP Shell Extensions = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation )
{D9872D13-7651-4471-9EEE-F0A00218BEBB} - Multiscan = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC )
{E00B6F60-F60C-11d4-8BF7-00104B94A20F} - PrismXL Shell Extension = C:\PROGRA~1\COMMON~1\NEWBOU~1\PrismXL\PTSHLEXT.DLL (New Boundary Technologies, Inc. )
{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} - Shell Extensions for RealOne Player = C:\Program Files\Real\RealPlayer\rpshell.dll (RealNetworks, Inc. )
{FFB699E0-306A-11d3-8BD1-00104B6F7516} - Play on my TV helper = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )

[>> ContextMenuHandlers (Non-Microsoft only) <<]

[HKLM-> ContextMenuHandlers]
* - 7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ( )
* - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
* - FileEncrypt - {90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll (Systweak Inc )
* - LDVPMenu - {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation )
* - NetWareMenuItems - {e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = Reg Data - Key not found (File not found)
* - WinRAR - Reg Data - Value does not exist = Reg Data - Key not found (File not found)
* - ZLAVShExt - {D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC )
Directory - 7-Zip - {23170F69-40C1-278A-1000-000100020000} = C:\Program Files\7-Zip\7-zip.dll ( )
Directory - AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s. )
Directory - FileEncrypt - {90A07ACC-0331-4aee-9AAD-A854A9C37667} = C:\Program Files\Advanced System Optimizer\ShellExt.dll (Systweak Inc )
Directory - WinRAR - Reg Data - Value does not exist = Reg Data - Key not found (File not found)
Directory\Background - 00nView - {1E9B04FB-F9E5-4718-997B-B8DA88302A48} = C:\WINDOWS\system32\nvshell.dll (NVIDIA Corporation )
Directory\Background - NvCplDesktopContext - {A70C977A-BF00-412C-90B7-034C51DA2439} = C:\WINDOWS\system32\nvcpl.dll (NVIDIA Corporation )
Folder - LDVPMenu - {BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll (Symantec Corporation )
Folder - NetWareMenuItems - {e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = Reg Data - Key not found (File not found)
Folder - WinRAR - Reg Data - Value does not exist = Reg Data - Key not found (File not found)
Folder - ZLAVShExt - {D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll (Zone Labs, LLC )

[>> ColumnHandlers (Non-Microsoft only) <<]

[HKLM-> ColumnHandlers]
Folder - {F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Shell Extension = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll (Adobe Systems, Inc. )

[>> File Associations Keys <<]
HKLM->SOFTWARE\Classes\.bat\\'' - batfile
HKLM->SOFTWARE\Classes\batfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.cmd\\'' - cmdfile
HKLM->SOFTWARE\Classes\cmdfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.com\\'' - comfile
HKLM->SOFTWARE\Classes\comfile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.exe\\'' - exefile
HKLM->SOFTWARE\Classes\exefile\shell\open\command\\'' - "%1" %*
HKLM->SOFTWARE\Classes\.hta\\'' - htafile
HKLM->SOFTWARE\Classes\htafile\shell\open\command\\'' - C:\WINDOWS\System32\mshta.exe "%1" %*
HKLM->SOFTWARE\Classes\.js\\'' - JSFile
HKLM->SOFTWARE\Classes\jsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.jse\\'' - JSEFile
HKLM->SOFTWARE\Classes\jsefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.scr\\'' - scrfile
HKLM->SOFTWARE\Classes\scrfile\shell\open\command\\'' - "%1" /S
HKLM->SOFTWARE\Classes\.vbe\\'' - VBEFile
HKLM->SOFTWARE\Classes\vbefile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.vbs\\'' - VBSFile
HKLM->SOFTWARE\Classes\vbsfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsf\\'' - WSFFile
HKLM->SOFTWARE\Classes\wsffile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.wsh\\'' - WSHFile
HKLM->SOFTWARE\Classes\wshfile\shell\open\command\\'' - %SystemRoot%\System32\WScript.exe "%1" %*
HKLM->SOFTWARE\Classes\.txt\\'' - txtfile
HKLM->SOFTWARE\Classes\txtfile\shell\open\command\\'' - %SystemRoot%\system32\NOTEPAD.EXE %1

[>> Registry Run Keys <<]
HKLM->Run\\!AVG Anti-Spyware - "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized (Anti-Malware Development a.s. )
HKLM->Run\\{0228e555-4f9c-4e35-a3ec-b109a192b4c2} - C:\Program Files\Google\Gmail Notifier\gnotify.exe (Google Inc. )
HKLM->Run\\ccApp - "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" (Symantec Corporation )
HKLM->Run\\iTunesHelper - "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Computer, Inc. )
HKLM->Run\\LVCOMSX - C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc. )
HKLM->Run\\NvCplDaemon - RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (File not found)
HKLM->Run\\nwiz - nwiz.exe /installquiet (NVIDIA Corporation )
HKLM->Run\\SunJavaUpdateSched - "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" (Sun Microsystems, Inc. )
HKLM->Run\\vptray - C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation )
HKLM->Run\\Zone Labs Client - "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" (Zone Labs, LLC )
HKLM->RunOnceEx\\ - (File not found)
HKLM->Run\OptionalComponents\IMAIL - Installed = 1
HKLM->Run\OptionalComponents\MAPI - Installed = 1
HKLM->Run\OptionalComponents\MSFS - Installed = 1

[>> Miscellaneous Startup Keys <<]

[AppInit DLLs]
AppInit_DLL - (File not found)

[Image File Execution Options]
Your Image File Name Here without a path - Debugger = ntsd -d

[Shell Service Object Delay Load]
CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation )
SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation )
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation )

[Shell Execute Hooks]
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s. )
{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation )

[Shared Task Scheduler]
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )
{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\System32\browseui.dll (Microsoft Corporation )

[SafeBoot Option]

[HKLM Command Processor AutoRun]
HKLM->Command Processor\\AutoRun -

[HKCU Command Processor AutoRun]

[Security Providers]
SecurityProviders\\SecurityProviders - msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

[BootExecute]
Session Manager\\BootExecute - autocheck autochk *;

[PendingFileRenameOperations]

[FileRenameOperations]

[ExcludeFromKnownDlls]
Session Manager\\ExcludeFromKnownDlls -

[>> Disabled MSConfig Items <<]
Services - AOL ACS
Services - AOL TopSpeedMonitor
Services - AOLService
Services - iPodService
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk - America Online 9.0 Tray Icon = C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check (File not found)
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk - Kodak EasyShare software = C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -hx ( )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk - KODAK Software Updater = C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE ( )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk - Logitech Desktop Messenger = C:\PROGRA~1\Logitech\DESKTO~1\8876480\Program\LDMConf.exe /start (Logitech )
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Novell Login.lnk - Novell Login = C:\WINDOWS\system32\loginw32.exe (File not found)
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk - SpyCatcher Protector = C:\PROGRA~1\SPYCAT~1\PROTEC~1.EXE (File not found)
StartUpFolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WIRED Login.LNK - WIRED Login = C:\PROGRA~1\WIRED\WIRED-~1.EXE ( )
StartUpFolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^Scheduler.lnk - Scheduler = C:\PROGRA~1\SPYCAT~1\SCHEDU~1.EXE (File not found)
StartUpFolder\C:^Documents and Settings^Larry^Start Menu^Programs^Startup^WASTE.lnk - WASTE = C:\PROGRA~1\WASTE\WASTE.exe (GNU )
StartUpReg\AOL Fast Start - AOL = "C:\Program Files\America Online 9.0a\AOL.EXE" -b (File not found)
StartUpReg\AOL Spyware Protection - AOLSP Scheduler = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" (File not found)
StartUpReg\AOLDialer - AOLDial = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe (File not found)
StartUpReg\BCMSMMSG - BCMSMMSG = BCMSMMSG.exe (Broadcom Corporation )
StartUpReg\CaISSDT - caissdt = "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" (Computer Associates International, Inc. )
StartUpReg\CamMonitor - hpqcmon = c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe (File not found)
StartUpReg\DVDLauncher - DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" (CyberLink Corp. )
StartUpReg\eTrustPPAP - PPActiveDetection = "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" (Computer Associates )
StartUpReg\Gaim - gaim = C:\Program Files\Gaim\gaim.exe (The Gaim developer community )
StartUpReg\Google Desktop Search - GoogleDesktop = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup ( )
StartUpReg\HostManager - AOLSoftware = C:\Program Files\Common Files\AOL\1114555602\ee\AOLSoftware.exe (File not found)
StartUpReg\iTunesHelper - iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc. )
StartUpReg\LifeScape Media Detector - PicasaMediaDetector = C:\Program Files\Picasa\PicasaMediaDetector.exe (File not found)
StartUpReg\LogitechSoftwareUpdate - ManifestEngine = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot (Logitech Inc. )
StartUpReg\LogitechVideoRepair - ISStart = C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc. )
StartUpReg\LogitechVideoTray - LogiTray = C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc. )
StartUpReg\MsnMsgr - MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (Microsoft Corporation )
StartUpReg\nwiz - nwiz = nwiz.exe /installquiet (NVIDIA Corporation )
StartUpReg\Pure Networks Port Magic - PortAOL = "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run (File not found)
StartUpReg\QuickTime Task - qttask = "C:\Program Files\QuickTime\qttask.exe" -atboottime (Apple Computer, Inc. )
StartUpReg\RealTray - RealPlay = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER (RealNetworks, Inc. )
StartUpReg\Share-to-Web Namespace Daemon - hpgs2wnd = c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe (File not found)
StartUpReg\SpyCatcher Reminder - SpyCatcher = "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder (File not found)
StartUpReg\TkBellExe - realsched = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (RealNetworks, Inc. )

[>> User Agent Post Platform <<]
SV1 -

[>> Winlogon <<]
HMLM->AltDefaultDomainName - LARRY-S0XX9IJHE
HMLM->AltDefaultUserName - Larry
HMLM->AutoAdminLogon - Reg Data - Value does not exist
HMLM->DefaultDomainName - LARRY-S0XX9IJHE
HMLM->DefaultUserName - Larry
HKLM->Shell - Explorer.exe (Microsoft Corporation )
HKLM->System - (File not found)
HMLM->UserInit - C:\WINDOWS\System32\userinit.exe, (Microsoft Corporation )
HKLM->VMApplet - rundll32 shell32,Control_RunDLL "sysdm.cpl"
Notify\crypt32chain - crypt32.dll (Microsoft Corporation )
Notify\cryptnet - cryptnet.dll (Microsoft Corporation )
Notify\cscdll - cscdll.dll (Microsoft Corporation )
Notify\NavLogon - C:\WINDOWS\system32\NavLogon.dll (Symantec Corporation )
Notify\ScCertProp - wlnotify.dll (Microsoft Corporation )
Notify\Schedule - wlnotify.dll (Microsoft Corporation )
Notify\sclgntfy - sclgntfy.dll (Microsoft Corporation )
Notify\SensLogn - WlNotify.dll (Microsoft Corporation )
Notify\termsrv - wlnotify.dll (Microsoft Corporation )
Notify\WgaLogon - WgaLogon.dll (Microsoft Corporation )
Notify\wlballoon - wlnotify.dll (Microsoft Corporation )

[>> DNS Name Servers <<]
{02993549-BCF3-4010-9B13-2909BDCF32D9} - (Broadcom 440x 10/100 Integrated Controller)
{10419813-AF77-450C-BB51-E234AE9F9CBA} - (1394 Net Adapter)
{1ECE8485-2D43-4A74-BFFA-E128539FFDE5} - (Dell Wireless WLAN 1450 Dual Band WLAN Mini-PCI Card)
{A4448FA8-554A-4761-A39E-8FC6A04C64C4} - ()

[>> All Winsock2 Catalogs <<]
NameSpace_Catalog5\Catalog_Entries\000000000001 (Tcpip) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000002 (NTDS) - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation )
NameSpace_Catalog5\Catalog_Entries\000000000003 (Network Location Awareness (NLA) Namespace) - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000001 - CC:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll ( )
Protocol_Catalog9\Catalog_Entries\000000000002 - CC:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll ( )
Protocol_Catalog9\Catalog_Entries\000000000003 - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll (Computer Associates International, Inc. )
Protocol_Catalog9\Catalog_Entries\000000000004 - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll (Computer Associates International, Inc. )
Protocol_Catalog9\Catalog_Entries\000000000005 - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll (Computer Associates International, Inc. )
Protocol_Catalog9\Catalog_Entries\000000000006 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000007 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000008 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000009 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000010 - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000011 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000012 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000013 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000014 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000015 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000016 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000017 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000018 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000019 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000020 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000021 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000022 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000023 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000024 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000025 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000026 - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation )
Protocol_Catalog9\Catalog_Entries\000000000027 - CC:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork1.dll ( )
Protocol_Catalog9\Catalog_Entries\000000000028 - CC:\WINDOWS\system32\ZoneLabs\vetredir.dll (Computer Associates International, Inc. )

[>> Protocol Handlers (Non-Microsoft only) <<]
ipp - (File not found)
msdaipp - (File not found)

[>> Protocol Filters (Non-Microsoft only) <<]

< All Services >
Abiosdsk (Abiosdsk) - (File not found)) [Disabled - Stopped - Kernel driver]
abp480n5 (abp480n5) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft ACPI Driver (ACPI) - \SystemRoot\System32\DRIVERS\ACPI.sys (Microsoft Corporation ) [ - Running - Kernel driver]
ACPIEC (ACPIEC) - (File not found)) [Disabled - Stopped - Kernel driver]
Adobe LM Service (Adobe LM Service) - "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" ( ) [On Demand - Stopped - Win32, running in it's own process]
adpu160m (adpu160m) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel Acoustic Echo Canceller (aec) - system32\drivers\aec.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
AFD Networking Support Environment (AFD) - \SystemRoot\System32\drivers\afd.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Intel AGP Bus Filter (agp440) - \SystemRoot\System32\DRIVERS\agp440.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Aha154x (Aha154x) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78u2 (aic78u2) - (File not found)) [Disabled - Stopped - Kernel driver]
aic78xx (aic78xx) - (File not found)) [Disabled - Stopped - Kernel driver]
Alerter (Alerter) - C:\WINDOWS\System32\svchost.exe -k LocalService (Microsoft Corporation ) [Disabled - Stopped - Win32, running in a shared process]
Application Layer Gateway Service (ALG) - C:\WINDOWS\System32\alg.exe (Microsoft Corporation ) [On Demand - Running - Win32, running in it's own process]
AliIde (AliIde) - (File not found)) [Disabled - Stopped - Kernel driver]
amsint (amsint) - (File not found)) [Disabled - Stopped - Kernel driver]
AOL TopSpeed Monitor (AOL TopSpeedMonitor) - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe (File not found)) [Disabled - Stopped - Win32, running in it's own process]
Application Management (AppMgmt) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
1394 ARP Client Protocol (Arp1394) - System32\DRIVERS\arp1394.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
asc (asc) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3350p (asc3350p) - (File not found)) [Disabled - Stopped - Kernel driver]
asc3550 (asc3550) - (File not found)) [Disabled - Stopped - Kernel driver]
RAS Asynchronous Media Driver (AsyncMac) - System32\DRIVERS\asyncmac.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
Standard IDE/ESDI Hard Disk Controller (atapi) - \SystemRoot\System32\DRIVERS\atapi.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Atdisk (Atdisk) - (File not found)) [Disabled - Stopped - Kernel driver]
ATM ARP Client Protocol (Atmarpc) - System32\DRIVERS\atmarpc.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Windows Audio (AudioSrv) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Audio Stub Driver (audstub) - System32\DRIVERS\audstub.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
AVG Anti-Spyware Driver (AVG Anti-Spyware Driver) - \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ( ) [ - Running - Kernel driver]
AVG Anti-Spyware Guard (AVG Anti-Spyware Guard) - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s. ) [Automatic - Running - Win32, running in it's own process]
AVG Anti-Spyware Clean Driver (AvgAsCln) - System32\DRIVERS\AvgAsCln.sys (GRISOFT, s.r.o. ) [ - Running - Kernel driver]
Dell Wireless WLAN Card Driver (BCM43XX) - System32\DRIVERS\bcmwl5.sys (Broadcom Corporation ) [On Demand - Stopped - Kernel driver]
Broadcom 440x 10/100 Integrated Controller XP Driver (bcm4sbxp) - System32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation ) [On Demand - Running - Kernel driver]
BCM V.92 56K Modem (BCMModem) - System32\DRIVERS\BCMSM.sys (Broadcom Corporation ) [On Demand - Running - Kernel driver]
Beep (Beep) - (File not found)) [ - Running - Kernel driver]
Background Intelligent Transfer Service (BITS) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
MAC Bridge (BRIDGE) - system32\DRIVERS\bridge.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
MAC Bridge Miniport (BridgeMP) - system32\DRIVERS\bridge.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Computer Browser (Browser) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
CA ISafe (CAISafe) - C:\WINDOWS\system32\ZoneLabs\isafe.exe (Computer Associates International, Inc. ) [On Demand - Running - Win32, running in it's own process]
cbidf2k (cbidf2k) - (File not found)) [Disabled - Stopped - Kernel driver]
Closed Caption Decoder (CCDECODE) - system32\DRIVERS\CCDECODE.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Symantec Event Manager (ccEvtMgr) - "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
Symantec Settings Manager (ccSetMgr) - "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
cd20xrnt (cd20xrnt) - (File not found)) [Disabled - Stopped - Kernel driver]
Cdaudio (Cdaudio) - (File not found)) [ - Stopped - Kernel driver]
Cdfs (Cdfs) - (File not found)) [Disabled - Running - Filesystem driver]
CD-ROM Driver (Cdrom) - System32\DRIVERS\cdrom.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Changer (Changer) - (File not found)) [ - Stopped - Kernel driver]
Indexing Service (cisvc) - C:\WINDOWS\System32\cisvc.exe (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
ClipBook (ClipSrv) - C:\WINDOWS\system32\clipsrv.exe (Microsoft Corporation ) [Disabled - Stopped - Win32, running in it's own process]
Microsoft ACPI Control Method Battery Driver (CmBatt) - System32\DRIVERS\CmBatt.sys (Microsoft Corporation ) [On Demand - Running - Kernel driver]
CmdIde (CmdIde) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Composite Battery Driver (Compbatt) - \SystemRoot\System32\DRIVERS\compbatt.sys (Microsoft Corporation ) [ - Running - Kernel driver]
COM+ System Application (COMSysApp) - C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (Microsoft Corporation ) [On Demand - Stopped - Win32, running in it's own process]
Cpqarray (Cpqarray) - (File not found)) [Disabled - Stopped - Kernel driver]
Cryptographic Services (CryptSvc) - C:\WINDOWS\system32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
dac960nt (dac960nt) - (File not found)) [Disabled - Stopped - Kernel driver]
Kodak Camera Proxy (DcCam) - system32\DRIVERS\DcCam.sys (Eastman Kodak Company ) [ - Running - Kernel driver]
DcFpoint (DcFpoint) - system32\DRIVERS\DcFpoint.sys (Eastman Kodak Company ) [On Demand - Stopped - Kernel driver]
Kodak DCFS2K Driver (DCFS2K) - system32\drivers\dcfs2k.sys (Eastman Kodak Company ) [Automatic - Running - Kernel driver]
Legacy Polling Service (DcLps) - system32\DRIVERS\DcLps.sys (Eastman Kodak Company ) [On Demand - Stopped - Kernel driver]
DCOM Server Process Launcher (DcomLaunch) - C:\WINDOWS\system32\svchost -k DcomLaunch (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
dcptp (DcPTP) - system32\DRIVERS\DcPTP.sys (Eastman Kodak Company ) [On Demand - Stopped - Kernel driver]
Symantec AntiVirus Definition Watcher (DefWatch) - "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (Symantec Corporation ) [Automatic - Running - Win32, running in it's own process]
DHCP Client (Dhcp) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Disk Driver (Disk) - \SystemRoot\System32\DRIVERS\disk.sys (Microsoft Corporation ) [ - Running - Kernel driver]
Logical Disk Manager Administrative Service (dmadmin) - C:\WINDOWS\System32\dmadmin.exe /com (Microsoft Corp., Veritas Software ) [On Demand - Stopped - Win32, running in a shared process]
dmboot (dmboot) - System32\drivers\dmboot.sys (Microsoft Corp., Veritas Software ) [Disabled - Stopped - Kernel driver]
dmio (dmio) - System32\drivers\dmio.sys (Microsoft Corp., Veritas Software ) [Disabled - Stopped - Kernel driver]
dmload (dmload) - System32\drivers\dmload.sys (Microsoft Corp., Veritas Software. ) [Disabled - Stopped - Kernel driver]
Logical Disk Manager (dmserver) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Stopped - Win32, running in a shared process]
Microsoft Kernel DLS Syntheiszer (DMusic) - system32\drivers\DMusic.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
DNS Client (Dnscache) - C:\WINDOWS\System32\svchost.exe -k NetworkService (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
dpti2o (dpti2o) - (File not found)) [Disabled - Stopped - Kernel driver]
Microsoft Kernel DRM Audio Descrambler (drmkaud) - system32\drivers\drmkaud.sys (Microsoft Corporation ) [On Demand - Stopped - Kernel driver]
Dtdislmapvs (Dtdislmapvs) - (File not found)) [On Demand - Stopped - Kernel driver]
Symantec Eraser Control driver (eeCtrl) - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys (Symantec Corporation ) [ - Running - Kernel driver]
EraserUtilRebootDrv (EraserUtilRebootDrv) - \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys (Symantec Corporation ) [On Demand - Running - Kernel driver]
Error Reporting Service (ERSvc) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
Event Log (Eventlog) - C:\WINDOWS\system32\services.exe (Microsoft Corporation ) [Automatic - Running - Win32, running in a shared process]
COM+ Event System (EventSystem) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Exportit (Exportit) - system32\DRIVERS\exportit.sys (Eastman Kodak Company ) [ - Stopped - Kernel driver]
Fastfat (Fastfat) - (File not found)) [Disabled - Stopped - Filesystem driver]
Fast User Switching Compatibility (FastUserSwitchingCompatibility) - C:\WINDOWS\System32\svchost.exe -k netsvcs (Microsoft Corporation ) [On Demand - Running - Win32, running in a shared process]
Fdc (Fdc) - (File not found)) [ - Stoppe

#13 fishpool

  • Topic Starter

  • Members
  • 10 posts

Posted 31 October 2006 - 08:52 PM

CPL files
C:\WINDOWS\SYSTEM32\access.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\appwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 549888 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL - (Dell Computer Corporation [Ver = 3.40.74.0 | Size = 983040 bytes | Date = 07/10/2004 07:41 | Attr = ])
C:\WINDOWS\SYSTEM32\bthprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 110592 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\camcpl.cpl - (Logitech Inc. [Ver = 8.4.7.1034 | Size = 282624 bytes | Date = 06/09/2005 06:13 | Attr = ])
C:\WINDOWS\SYSTEM32\desk.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 135168 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\firewall.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 80384 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 155136 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 358400 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 129536 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 380416 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.03.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 68608 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.90.3 | Size = 49265 bytes | Date = 10/12/2006 03:10 | Attr = ])
C:\WINDOWS\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 618496 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\netsetup.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 25600 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nusrmgr.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 257024 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\nvtuicpl.cpl - (NVIDIA Corporation [Ver = 6.14.10.6742 | Size = 73728 bytes | Date = 10/27/2004 04:01 | Attr = ])
C:\WINDOWS\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.525.1117.0 (xpsp_sp2_rtm.040803-2158) | Size = 32768 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\plotman.cpl - (Autodesk, Inc. [Ver = 7.0.15.90 | Size = 454718 bytes | Date = 06/12/2000 17:09 | Attr = ])
C:\WINDOWS\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | Size = 114688 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\stac97.cpl - (SigmaTel Inc. [Ver = 1, 0, 0, 10 | Size = 102481 bytes | Date = 10/30/2003 00:40 | Attr = ])
C:\WINDOWS\SYSTEM32\styleman.cpl - (Autodesk, Inc. [Ver = 7.0.15.90 | Size = 454719 bytes | Date = 06/12/2000 17:09 | Attr = ])
C:\WINDOWS\SYSTEM32\sysdm.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 298496 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 94208 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wscui.cpl - (Microsoft Corporation [Ver = 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | Size = 148480 bytes | Date = 08/04/2004 15:56 | Attr = ])
C:\WINDOWS\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 19:16 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\main.cpl - (Microsoft Corporation [Ver = 5.1.2403.1 | Size = 187904 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 35840 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 36864 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl - (Microsoft Corporation [Ver = 5.1.2600.0 (xpclient.010817-1148) | Size = 28160 bytes | Date = 08/23/2001 23:00 | Attr = ])
C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 19:16 | Attr = ])
C:\WINDOWS\SYSTEM32\ReinstallBackups\0009\DriverFiles\nvtuicpl.cpl - (NVIDIA Corporation [Ver = 6.14.10.4586 | Size = 143360 bytes | Date = 01/09/2004 06:26 | Attr = ])
Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Date = 11/05/1999 07:06 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated [Ver = 7.0.5.2005092300 | Size = 29696 bytes | Date = 09/24/2005 17:05 | Attr = ])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 08/22/2004 02:23 | Attr = HS])
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Launchy.lnk - C:\Program Files\Launchy\Launchy.exe (Code Jelly [Ver = 1.0.0 | Size = 446464 bytes | Date = 09/10/2006 20:58 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Larry\Start Menu\Programs\Startup
C:\Documents and Settings\Larry\Start Menu\Programs\Startup\desktop.ini - ( [Ver = | Size = 84 bytes | Date = 08/22/2004 02:23 | Attr = HS])

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - Explorer.exe
Wininit.ini: Line 1 - [RENAME]
Wininit.ini: Line 2 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp\uninstall.exe
Wininit.ini: Line 3 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp\uninstall.ini
Wininit.ini: Line 4 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp
Wininit.ini: Line 5 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp1\uninstall.exe
Wininit.ini: Line 6 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp1\uninstall.ini
Wininit.ini: Line 7 - NUL=C:\DOCUME~1\Larry\LOCALS~1\Temp\nstmp1
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=40
Config.nt: Line 58 - device=%SystemRoot%\system32\haspdos.sys
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 8 - lh %SystemRoot%\system32\mscdexnt.exe
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx
AutoExec.nt: Line 36 - SET BLASTER=A220 I5 D1 P330 T3
AutoExec.bat: Line 1 - SET PATH=%PATH%;C:\PROGRA~1\COMMON~1\AUTODE~1

Miscellaneous Folders

AllUsers ApplicationData Folder
C:\Documents and Settings\All Users\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/21/2004 22:15 | Attr = HS])
C:\Documents and Settings\All Users\Application Data\Installer.log - ( [Ver = | Size = 770 bytes | Date = 07/09/2006 08:35 | Attr = ])
C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache - ( [Ver = | Size = 1408 bytes | Date = 05/06/2006 04:19 | Attr = ])

CurrentUser ApplicationData Folder
C:\Documents and Settings\Larry\Application Data\Comma Separated Values (Windows).CAL - ( [Ver = | Size = 13000 bytes | Date = 08/30/2006 11:34 | Attr = ])
C:\Documents and Settings\Larry\Application Data\desktop.ini - ( [Ver = | Size = 62 bytes | Date = 08/21/2004 22:15 | Attr = HS])
C:\Documents and Settings\Larry\Application Data\dm.ini - ( [Ver = | Size = 0 bytes | Date = 08/22/2004 06:33 | Attr = ])
C:\Documents and Settings\Larry\Application Data\Tab Separated Values (Windows).ADR - ( [Ver = | Size = 26955 bytes | Date = 08/26/2004 07:31 | Attr = ])

Program Files Folder

Common Files Folder

DPF files
{215B8138-A3CF-44C5-803F-8226143CFC0A} - Trend Micro ActiveX Scan Agent 6.5 - CodeBase = http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
{56393399-041A-4650-94C7-13DFCB1F4665} - PSFormX Control - CodeBase = http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdat...b?1127795160734
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
{B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - - CodeBase = http://www.trendmicro.com/spyware-scan/as4web.cab
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_09 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://download.macromedia.com/pub/shockwa...ash/swflash.cab
Microsoft XML Parser for Java - - CodeBase =
ppctlcab - - CodeBase = http://www.pestscan.com/scanner/ppctlcab.cab

Hosts file = 734 bytes. Reading all entries. C:\WINDOWS\System32\drivers\etc\Hosts
# Copyright © 1993-1999 Microsoft Corp. -
# -
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows. -
# -
# This file contains the mappings of IP addresses to host names. Each -
# entry should be kept on an individual line. The IP address should -
# be placed in the first column followed by the corresponding host name. -
# The IP address and the host name should be separated by at least one -
# space. -
# -
# Additionally, comments (such as these) may be inserted on individual -
# lines or following the machine name denoted by a '#' symbol. -
# -
# For example: -
# -
# 102.54.94.97 rhino.acme.com # source server -
# 38.25.63.10 x.acme.com # x client host -
-
127.0.0.1 localhost -

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 5
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 5
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 50 01 00 00 00 00 00 00 40 05 00 00 1A 04 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 04 00 00 40
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 50 01 00 00 00 00 00 00 40 05 00 00 1A 04 00 00 04 00 00 40
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 50 01 00 00 00 00 00 00 40 05 00 00 1A 04 00 00 01 00 00 00
Desktop\General -
Desktop\General\\BackupWallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\WallpaperFileTime - 20 17 3F 84 2B F3 C6 01
Desktop\General\\WallpaperLocalFileTime - 20 27 EB 55 7F F3 C6 01
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper - %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
Desktop\General\\ComponentsPositioned - 1
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 90 06 00 00 1A 04 00 00
Desktop\SafeMode -
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display -

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\explorer -
policies\explorer\run -
policies\Ext -
policies\Ext\CLSID -
policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} - 1
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} - 1073741857
policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - 32
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1
policies\system\\undockwithoutlogon - 1

KEY - HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Associations -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 0
policies\Explorer\Run -
policies\System -
policies\System\\DisableRegistryTools - 0

KEY - HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run -

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 145

< End of report >



I think that's everything. Thanks!

><>

#14 Buckeye_Sam


    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 31 October 2006 - 09:10 PM

Win32.SillyDI.AGC (this is the one that appears when auto protect comes up; I think Symantec simply calls it Trojan Horse).

What is the name and location of this file?


Flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 fishpool

  • Topic Starter

  • Members
  • 10 posts

Posted 31 October 2006 - 09:38 PM

From Zone Alarm it is located in : C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp

The name of the file is APQ317.tmp.

Symantec has the same file location and name with a different ending. For more history on the infection, if it helps: I'd say it started on the 17th with a few files I suspected and quarantined on my own, including cool.exe.
Also at that time, Symantec picked up more Trojan Horses: fontexa.dll.tmp, win95B.tmp, g9794593,.dll and a few more, including some generic dialers. The beginning files were in C:\Windows or C:\Windows\Temp, and the ones I suspected and quarantined on my own were in System32.

I shut System Restore off once I realized I had an infection. I have set the System Restore point.

Does the computer look clean from the last report? With the previous ones I had an idea of what it was you were looking at, while the last two left me dumbfounded.



