Hijackthis Log


This topic is locked
22 replies to this topic

#1 dumafach

  • Members
  • 205 posts
  • Gender:Male
  • Location:Oklahoma

Posted 12 November 2006 - 10:22 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:14:56 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\windows\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\drwtsn32.exe
C:\windows\system32\drwtsn32.exe
C:\windows\system32\taskmgr.exe
C:\windows\explorer.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141962591593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142570135828
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...90d11e55ab221c8
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


#2 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 21 November 2006 - 11:02 AM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

Posted 22 November 2006 - 09:51 AM

I will have more instructions for you soon. This requires your attention: you may be using more than one firewall and more than one antivirus program.

Two firewalls?

The following HijackThis entries indicate that you may be using more than one firewall: ZoneAlarm and the CA Internet Security Suite, which may contain a firewall.

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"


Running multiple software firewalls is unnecessary for typical home computers, home networking, and small-business networking scenarios. Using two firewalls on the same connection could cause issues with connectivity to the Internet or other unexpected behavior. One firewall, whether it is the Windows XP Internet Connection Firewall or a different software firewall, can provide substantial protection for your computer. Microsoft specifically says not to use more than one firewall, because it can result in some programs not working correctly. There's even a Help and Support Center topic in XP SP2 called Why you should only use one firewall. In any event, having two firewalls running simultaneously is most certainly an unnecessary drain on system resources. I strongly suggest that you go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one firewall.

Two antivirus programs?

The entries below indicate that you may have two antivirus programs on your computer: Trend Micro Internet Security Suite, which may contain an antivirus program, and the CA Internet Security Suite\CA Anti-Virus.

O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
tmas.exe is a process belonging to which protects your computer against Internet-bound threats such as spyware and trojans which can be distributed through e-mail or attack directly to the computer allowing unauthorized access to your computer.
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"

When you have more than one antivirus running at the same time, they conflict with each other rendering the computer vulnerable or unusable. It may even cause crashes. Please review this information:
Should you run more than one antivirus program at the same time?
Microsoft recommends that you have only one anti-virus program installed on your computer.

There are basically two types of antivirus programs:
On-Access and On-Demand

On-Access Scanners
As the name implies, it runs in the background all the time the PC is turned on and running. The main function of an on-access scanner is to monitor activity on your machine.

On-Demand Scanners
As the name implies, are scanners that only run when you ask them to.
Such as:
Online Scans and scanners that run on your machine but are not actively scanning your machine

Antivirus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two antivirus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. I notice that you are using more than one antivirus program. This is very dangerous, as multiple antivirus programs can interfere with one another and actually allow MORE viruses to get through. Running two antivirus programs at the same time could lead to both of them trying to scan the same file at the same time, scan the same email at the same time and so on which could lead to conflicts. I strongly suggest you either (1) configure only one antivirus program to enable automatic realtime scanning and leave the rest disabled most of the time, or (2) go to Start -> Control Panel -> Add/Remove Programs and uninstall all but one antivirus program.

#4 suebaby41

Posted 22 November 2006 - 11:06 AM

Your Java Runtime Environment is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older versions of Java Runtime Environment.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
  • Download the latest Java Runtime Environment
    • Scroll down to where it says The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
    • Click the Download button to the right.
    • Check the box that says: Accept License Agreement.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • On your desktop, double-click on jre-1_5_0_09-windowsi586-p.exe to install the newest version.


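A small triage script, added here as an example (it is not HijackThis code and was not posted in this thread), that applies the checks from the replies above to HijackThis v1.99 log lines: more than one firewall or antivirus vendor among the O4/O23 entries, a JRE older than the 1.5.0_09 build the reply points to, and O2/O9 entries whose file is missing. The product keyword table is an assumption built to match the products named in the replies, and the sample lines are constructed in the shape of the log in the first post.

```python
import re

# Constructed sample: a handful of lines in the shape of the log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis entry line starts with its section code (R0-R3, F0-F3, O1-O23).
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Assumed keyword table (lower-case path fragment -> product, category), built to
# match the products named in the replies; extend it for other logs.
PRODUCTS = [
    ("zonealarm", "ZoneAlarm", "firewall"),
    ("zonelabs", "ZoneAlarm", "firewall"),
    ("ca internet security suite\\cctray", "CA Internet Security Suite", "firewall"),
    ("ca anti-virus", "CA Anti-Virus", "antivirus"),
    ("trend micro\\tmas", "Trend Micro Anti-Spyware", "antivirus"),
]

# Oldest acceptable JRE: the jre-1_5_0_09 installer the reply above tells the poster to install.
MIN_JRE = (1, 5, 0, 9)
JRE_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)


def parse_log(text):
    """Return [(section, body)] for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def find_orphans(entries):
    """O2 (BHO) and O9 (button/menu) entries whose registered file no longer exists."""
    return [body for section, body in entries
            if section in ("O2", "O9")
            and ("(no file)" in body or "(file missing)" in body)]


def find_vendor_conflicts(entries):
    """Map category -> sorted product names seen in startup (O4) and service (O23) lines.

    Only categories with more than one product are returned; each is a potential
    conflict of the kind the reply describes (two firewalls, two antivirus programs).
    """
    seen = {}
    for section, body in entries:
        if section not in ("O4", "O23"):
            continue
        low = body.lower()
        for fragment, product, category in PRODUCTS:
            if fragment in low:
                seen.setdefault(category, set()).add(product)
    return {cat: sorted(names) for cat, names in seen.items() if len(names) > 1}


def outdated_jre(entries, minimum=MIN_JRE):
    """Distinct JRE versions referenced anywhere in the log that are older than `minimum`."""
    found = set()
    for _, body in entries:
        for m in JRE_RE.finditer(body):
            version = tuple(int(x) for x in m.groups())
            if version < minimum:
                found.add(".".join(map(str, version[:3])) + "_%02d" % version[3])
    return sorted(found)


def triage(text):
    """Run all three checks over one log and return a single report dict."""
    entries = parse_log(text)
    return {
        "orphans": find_orphans(entries),
        "conflicts": find_vendor_conflicts(entries),
        "outdated_jre": outdated_jre(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```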
#5 suebaby41

Posted 22 November 2006 - 12:01 PM

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

Please download Ad-Aware SE.
Using Ad-Aware To Remove Spyware From Your Computer. Please check this link for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 2

To help prevent further infection, please download SpywareBlaster.
SpywareBlaster helps to:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Step 3

Please download a-squared Free 2.1.
  • Follow all the instructions given by the installer.
  • Once installed, the a-squared Updater will automatically start. Downloading updates will take some time.
  • Please go to Start > Programs > a-squared Free and click a-squared StartCenter.
  • Click Scan your computer for malware infections.
  • Make sure all three setting options are checked. Click Scan selected folders. The scan will start.
  • Click Save HTML-Report. Save the report to somewhere convenient for you to remember the location such as your desktop.
  • If malware is found, click the button Remove Selected Malware.
  • Please post the log from a-squared Free 2.1 in your next reply.
To continue to use a-squared Free 2.1, you will need to use the a-squared Updater to manually update the program. Click Security Status > Update Now. The a-squared Free 2.1 program contains only the basic scanner. Background Guard, Automatic Updates, Scheduled Scans and HiJackFree are only available with the paid version, a-squared Anti-Malware 2.1.

Step 4

ewido anti-spyware 4.0 guard has been replaced by AVG Anti-Spyware. Please uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs).

ewido anti-spyware 4.0

Please print out the following instructions as this page will be unavailable to you while you are working in Safe Mode.

Please download and install AVG Anti-Spyware (formerly Ewido).
  • Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
  • If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
  • Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Scan With AVG Anti-Spyware
  • Close ALL open Windows / Programs / Folders. Reboot to safe mode (without networking support!). If you don't know how to boot in safe mode, here is a tutorial, How To Start Windows in Safe Mode.
  • Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All boxes should be checked.
      • Under Possibly unwanted software:
        • All boxes should be checked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
  • Reboot in Normal Mode.
Step 5

In normal mode, run an online antivirus check from at least two and preferably three of the following sites:
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require ActiveX to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the following browsers: Microsoft Internet Explorer, Mozilla Firefox
When you have completed the scans, if you get a report of files that can't be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 6

Please download the ATF-Cleaner.
ATF-Cleaner features include:
  • Cleaning of all user temp folders, administrator only can use this feature.
  • Cleaning of the Java cache, which seems to be harboring more and more malware.
  • Cleaning the cache, cookies, history, download history, visited links and saved passwords. (You have the option of checking no if you want to save your passwords)
  • For Firefox or Opera
    • Click Firefox or Opera at the top and choose: Select All.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  • If needed, Tutorial on ATF Cleaner with pictures
Do not run it yet.

Step 7

We need to disable the AVG Anti-Spyware Guard Realtime Monitor as it may interfere with the fixes that we need to make.
  • Open AVG Anti-Spyware by double-clicking the AVG Anti-Spyware icon in the system tray.
  • In the Your security status section, toggle the AVG Anti-Spyware Guard realtime protection off by clicking active, which will then change the protection status to inactive.
  • When you reboot, AVG Anti-Spyware will prompt you to Restart the guard?
  • Reply no and set it to inactive for the duration of your cleanup.
Step 8

Please disable Spybot-Search and Destroy TeaTimer, as it will prevent HijackThis from fixing the infection. You can enable it after you're clean. To disable Spybot- S & D TeaTimer:
  • Open Spybot - S & D
  • Click on Mode and check Advanced Mode
  • Check yes to next window.
  • Click on Tools in bottom left hand corner.
  • Click on System Startup icon.
  • Uncheck Teatimer box.
  • Click Allow Change box.
  • If needed, How To Disable Spybot S&D TeaTimer.
Step 9

We need to disable Windows Defender's realtime protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender
  • Click on Tools
  • Click on General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on Real-time protection (recommended)
  • Click Save
  • Exit the program.
Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

Step 10

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...90d11e55ab221c8


These are optional fixes. These programs are not required to start automatically as you can start them manually if you need them. It is advised that you disable these programs so that they do not take up necessary resources. Many users have reported these processes slow their boot time. Please run HijackThis and click Scan. Place checks next to the following entries.

hpsysdrv or hpsysdrv.exe process can be removed to free up resources without compromising system performance. hpsysdrv.exe is a utility from HP which monitors how many recoveries have been made in Microsoft Office suite. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

sgtray or sgtray.exe process can be removed to free up resources without compromising system performance. sgtray.exe is a utility from VERITAS Software Corporation which installs itself on the system tray bar, and serves to remind you to backup your files. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

motivesb.exe process can be removed to free up resources without compromising system performance. motivesb.exe is a process by AT&T which allows a user to submit files to the Internet for support. This is a non-essential process. Disabling or enabling it is down to user preference. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

ISUSPM Startup ISUSPM.exe (InstallShield Update Service Scheduler) process can be removed to free up resources without compromising system performance. It automatically searches for and performs any updates to the software so you're always working with the most current version. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

issch.exe ISUSScheduler (InstallShield Update Service Scheduler) process can be removed to free up resources without compromising system performance. It automatically searches for and performs any updates to the software so you're always working with the most current version. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

WkUFind.exe (MS Works Update Detection) process can be removed to free up resources without compromising system performance. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

FirstStart.exe (om_monitor - Olympus_Imaging America Inc.) process can be removed to free up resources without compromising system performance. FirstStart.exe (om_monitor - Olympus_Imaging America Inc.) is related to OLYMPUS Master, which combines an easy-to-use interface with the latest digital imaging tools. Whether or not you need to run this program on startup must be decided by you. If you feel that you want this program starting automatically so that you have it available as needed, then do not disable it. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

You have RealPlayer running at Startup. This is RealPlayer's autoupdate program and is not necessary for the program to function properly. It is considered to be a resource hog. You will still be able to start it manually if you need it. You can fix this with HijackThis, but you will need to change the setting in RealPlayer itself to keep it from resetting itself. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

yop.exe (Dashboard Module for SBC Yahoo! Online_Protection) process can be removed to free up resources without compromising system performance. yop.exe is a process belonging to SBC Yahoo! Online Protection. It is a security suite that helps you make sure your system is completely protected. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

NMBgMonitor.exe (Nero_Home) process can be removed to free up resources without compromising system performance. NMBgMonitor.exe (Nero_Home) is related to Nero_Home. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

mssysmgr.exe (PhotoShow Deluxe Media Manager) is a process associated with PhotoShow Deluxe. The process is the executable for the media manager within PhotoShow Deluxe. This is a non-essential process. Disabling or enabling it is down to user preference. This process can be removed to free up resources without compromising system performance. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe

You have reader_sl.exe running at Startup. This is a process associated with the Adobe Reader. It is used to decrease the load time for the reader when a PDF document is selected. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. This is the item to fix in HijackThis:

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

osa.exe or Osa9.exe launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it (Osa9.exe is the Office 2000 variant). This program is not required to start automatically as you can run it when you need to. It is advised that you disable this program so that it does not take up necessary resources. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 11

Let's run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 12

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the logs from AVG Anti-Spyware, a-squared Free, and the list of filenames and locations of any files that can't be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
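The Step 10 list above works entirely from HijackThis log lines: O2/O9 entries whose file is "(no file)" or "(file missing)" are leftovers, O4 entries are autostart items that can be unchecked, O16 DPF entries are ActiveX downloads tied to a site, and O23 entries are services with (or without) a vendor. As an added example that is not code from this thread or from HijackThis itself, here is a small Python parser for the HijackThis v1.99.1 line format that answers the questions a helper asks when comparing a new log against the recommended fixes: which BHO/button entries point at nothing, which download hosts appear, and which of the recommended O4 fixes are still present. The sample lines are copied from the logs posted in this topic; their grouping into OPTIONAL_FIXES and NEW_LOG is constructed for the example, and all function and class names are my own.

```python
# Added example: parser for HijackThis v1.99.1 log lines (not HijackThis code).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse


@dataclass
class Entry:
    section: str          # O2, O4, O9, O16 or O23
    location: str         # run key or startup folder for O4, "" otherwise
    name: str             # BHO / button / value name / service display name
    target: str           # DLL path, command line, download URL or service binary
    clsid: str = ""       # COM class id for O2 / O9 / O16
    vendor: str = ""      # O23 only; blank when HijackThis found no company name


_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
_O4 = re.compile(r"^O4 - (?P<location>[^:]+): (?P<rest>.*)$")
_O9 = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<target>.*)$")
# An unknown vendor is printed as "name - - path", so the vendor field may be empty.
_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) -\s*(?P<vendor>.*?)\s*- (?P<target>.+)$")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a supported line type, None for anything else."""
    line = line.strip()
    if m := _O2.match(line):
        return Entry("O2", "", m["name"], m["target"], clsid=m["clsid"])
    if m := _O4.match(line):
        rest = m["rest"]
        if rest.startswith("["):                 # registry form: [ValueName] command
            name, _, cmd = rest[1:].partition("] ")
        else:                                    # folder form: Shortcut.lnk = path
            name, _, cmd = rest.partition(" = ")
        return Entry("O4", m["location"], name, cmd)
    if m := _O9.match(line):
        return Entry("O9", "", m["name"], m["target"], clsid=m["clsid"])
    if m := _O16.match(line):
        return Entry("O16", "", m["name"] or "(no name)", m["target"], clsid=m["clsid"])
    if m := _O23.match(line):
        return Entry("O23", "", m["name"], m["target"], vendor=m["vendor"])
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def orphaned(entries: List[Entry]) -> List[Entry]:
    """BHO and button entries whose file is gone: typical leftovers of an uninstall."""
    return [e for e in entries
            if e.target == "(no file)" or e.target.endswith("(file missing)")]


def dpf_hosts(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group O16 ActiveX downloads by host so an unfamiliar site stands out."""
    hosts: Dict[str, List[str]] = {}
    for e in entries:
        if e.section == "O16":
            hosts.setdefault(urlparse(e.target).hostname or "", []).append(e.name)
    return hosts


def _autostart_key(e: Entry) -> str:
    return f"{e.location}|{e.name}".lower()


def remaining_fixes(fix_lines: str, new_log: str) -> List[str]:
    """Names of the recommended O4 fixes that still appear in a later log."""
    present = {_autostart_key(e) for e in parse_log(new_log) if e.section == "O4"}
    return [e.name for e in parse_log(fix_lines)
            if e.section == "O4" and _autostart_key(e) in present]


# Lines copied from the Step 10 optional-fix list in this topic.
OPTIONAL_FIXES = r"""
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# Constructed excerpt in the shape of the follow-up log posted later in this topic.
NEW_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/b...90d11e55ab221c8
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    entries = parse_log(NEW_LOG)
    print("still present:", remaining_fixes(OPTIONAL_FIXES, NEW_LOG))
    print("orphaned:", [(e.section, e.clsid) for e in orphaned(entries)])
    print("download hosts:", dpf_hosts(entries))
```

The match on O4 entries is by run key plus value name rather than by path, because the same value name under HKLM and HKCU (OM_Monitor in the later log is a case in point) refers to two different entries and only one of them was recommended for removal.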

#6 dumafach

Posted 22 November 2006 - 07:24 PM

Thank you so much Suebaby41 for looking at my log. I have been wanting to do what you list for a long time but was afraid that I might mess things up. I do have another topic going about the YOP program. It came free with my DSL. It froze on me one day and the only way I could get it off was to uninstall it. I did it through add/remove programs and then tried to redownload it. It would not download and said it was already on my computer. I could not figure out how to get it off. I even searched for it and could not find it. That is when I went to Computer Associates and downloaded just the antivirus. I would like to have the dashboard back but, I will try the other programs that you gave me.

I will print out all of your instructions and start on them right away. I didn't know I had 2 firewalls running at the same time. This is why I sent the log to you. I appreciate all your help and will probably come back with more questions. I will start and take it one step at a time. I have a lot of pics and music on here and would hate to lose any of it. Hopefully I will be able to do all this the right way and get this system running right. As you can probably tell I am new to computers and I have no one to talk to around here for help. They all think I am a freak for even being on the computer. THANK YOU AGAIN. Please check in on me as I will probably need help. :thumbsup:

#7 suebaby41

W.A.M. (Women Against Malware), Malware Response Team

Posted 22 November 2006 - 07:51 PM

Important:

It is possible that the entries were left over from uninstalling one of the programs and you do not have two antivirus programs or two firewalls. Check your Start > Control Panel > Add/Remove Programs to see what you do have installed.

Before you uninstall a firewall, make sure that the CA Internet Security Suite does or does not contain a firewall. Also check to see if the Trend Micro Internet Security Suite does or does not contain a firewall. If the programs do NOT contain a firewall, then you are OK because ZoneAlarm is a good firewall. If either program does have a firewall, then you need to uninstall one of them. You only need one firewall.


Before you uninstall an antivirus program, make sure that you have the Trend Micro Internet Security Suite with an antivirus program AND the CA Internet Security Suite with an antivirus program. If both have antivirus protection then you need to uninstall one of them.


The CA Internet Security Suite WITH an antivirus program AND a firewall should be sufficient. Then you would need to uninstall ZoneAlarm.

#8 dumafach

Posted 22 November 2006 - 09:17 PM

I went back and checked on the firewall and anti-virus programs. Right now I only have CA Anti-virus and Zone Alarm firewall. The others are leftover from programs I tried to uninstall. I do however, have several spyware programs running at the same time. The one thing is Spybot keeps asking me to allow or not programs I have no idea about. As soon as the computer came back on those files I removed were trying to download themselves again. I denied the downloads. I hope.

YOP dashboard is still on this computer somewhere though. I tried to download the dashboard module again and it stated I already have it. It is not in the add/remove list. How do I completely remove all components of that program and the others?

I am getting ready to download the new Java Runtime, I hope, and then start on all that other stuff. It is really intimidating, I hope I don't mess it up.

THANKS AGAIN :thumbsup:

#9 suebaby41

W.A.M. (Women Against Malware), Malware Response Team

Posted 23 November 2006 - 05:31 PM

I went back and checked on the firewall and anti-virus programs. Right now I only have CA Anti-virus and Zone Alarm firewall.


Great!

The others are leftover from programs I tried to uninstall. I do however, have several spyware programs running at the same time.

As far as I know, the spyware programs, Trend Micro Anti-Spyware, ewido anti-spyware 4.0 which has been replaced by AVG Anti-Spyware, and Windows Defender that you have on your computer have no conflict problems.

The one thing is Spybot keeps asking me to allow or not programs I have no idea about. As soon as the computer came back on those files I removed were trying to download themselves again. I denied the downloads. I hope.

Spybot's TeaTimer is asking you to allow or not allow programs. This is what TeaTimer does:
The Resident TeaTimer perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options, how to deal with this process in the future: You can set TeaTimer to:
  • be informed, when the process tries to start again
  • automatically kill the process
  • generally allow the process to run
  • There is also an option to delete the file associated with this process.
In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either Allow or Deny the change.

If you are unsure about what you want to Allow or Deny or if what TeaTimer tells you does not make sense to you, there are other programs that will do the work for you. If you want to disable TeaTimer, see this tutorial: How To Disable Spybot S&D TeaTimer

I use WinPatrol and Prevx1.
  • Please download WinPatrol.
  • Save the wpsetup.exe program to your hard drive and run it locally instead of opening it from the web page.
  • Follow the prompts to install WinPatrol.
  • Note: Some firewalls including the newest Zone Alarm are blocking the execution of WinPatrolEx.exe. When you click on the Scotty icon, we actually launch WinPatrolEx.exe but Zone Alarm's protection prevents one program from launching another but doesn't necessarily let you know. You'll need to tell Zone Alarm that WinPatrol.exe and WinPatrolEx.exe are your friends.
Please download Prevx1. Follow the prompts to install Prevx1.
Prevx1 has been designed to work in the background with minimal user intervention. It will work alongside existing security software such as anti-virus, anti-spyware and so on. However, Prevx1 will work equally well as a powerful standalone security tool in its own right. You can use Prevx1 completely free of charge to monitor your PC for infection. Prevx1 will even defend and clean up your PC for free for up to 28 days following your first infection. Thereafter, you can choose to pay as you go or to buy a year's full protection and clean up for $24.95.

YOP dashboard is still on this computer somewhere though. I tried to download the dashboard module again and it stated I already have it. It is not in the add/remove list. How do I completely remove all components of that program and the others?

When you scan with HijackThis and place check marks by the Optional Fixes entries, the programs will no longer load at StartUp. The YOP program is located in C:\Program Files\Yahoo\YOP. It appears to be an antivirus program which you do not need if you keep the CA Antivirus program.
For more information about YOP, see SBC Yahoo! Online Protection Software

I am getting ready to download the new Java Runtime, I hope, and then start on all that other stuff. It is really intimidating, I hope I don't mess it up.

You are doing a great job. Just take your time and follow the instructions carefully.

#10 dumafach

Posted 23 November 2006 - 06:49 PM

Hello suebaby41. I am starting step 7. Everything I have run so far has tried to delete my homepage. I have att, sbc, dsl home page and yahoo search and google search with add ons. I like having the google for looking up model numbers. I work on electronics and it helps. I hope these are not causing a problem together. Every time I have to restart, spybot will come up with 20 changes and I allow them, but then I try to open IE and it states that my homepage has been changed and do I want it fixed. I have to click yes to get my page to load.

I am saving all the reports for you. Hopefully it will help you so you can help me. On the spyware, I have spybot, spysubtract, trendmicro antispyware and xoftspy. Trend Micro and Spysubtract look exactly the same. I bought spysubtract. I don't know where I got trendmicro from. I might have too many running at once and they are stumbling over each other. The Panda activescan took 4 hours to do. I will keep working on it though. Thanks for checking in.

#11 suebaby41

W.A.M. (Women Against Malware), Malware Response Team

Posted 23 November 2006 - 09:46 PM

Don't worry about your homepage changing warning. After you complete the steps, then you can reset it. The Optional Fixes are just things that might speed up your startup time; you do not have to do them. You decide what is best for you.

#12 dumafach

Posted 24 November 2006 - 12:59 AM

Logfile of HijackThis v1.99.1
Scan saved at 11:07:14 PM, on 11/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\windows\system32\cidaemon.exe
C:\windows\explorer.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\Roger\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141962591593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142570135828
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

AVG Report Log
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:16:17 PM 11/23/2006

+ Scan result:

C:\Documents and Settings\Roger\Cookies\roger@cnetaustralia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@libertymutual.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@e-2dj6wjkyeldjgdp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@e-2dj6wjliemd5wcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Roger\Cookies\roger@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

A-SQUARED
a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\windows\, C:\Program Files
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 11/23/2006 6:08:06 AM

C:\Program Files\adwarealert detected: Trace.Directory.AdwareAlert
C:\Program Files\mail passview detected: Trace.Directory.Mail PassView
C:\Documents and Settings\Roger\Start Menu\Programs\mail passview detected: Trace.Directory.Mail PassView
C:\Documents and Settings\All Users\Start Menu\Programs\spysubtract detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\help detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\sounds detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\themes detected: Trace.Directory.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default detected: Trace.Directory.SpySubtract
C:\Program Files\aws\weatherbug detected: Trace.Directory.WeatherBug
C:\Program Files\adwarealert\databasenew.ref detected: Trace.File.AdwareAlert
C:\Program Files\mail passview\mailpv.chm detected: Trace.File.Mail PassView
C:\Program Files\mail passview\readme.txt detected: Trace.File.Mail PassView
C:\Documents and Settings\Roger\Start Menu\Programs\mail passview\mail passview help.lnk detected: Trace.File.Mail PassView
C:\Documents and Settings\Roger\Start Menu\Programs\mail passview\mail passview.lnk detected: Trace.File.Mail PassView
C:\Documents and Settings\Roger\Start Menu\Programs\mail passview\readme.lnk detected: Trace.File.Mail PassView
C:\Documents and Settings\All Users\Desktop\spysubtract.lnk detected: Trace.File.SpySubtract
C:\Documents and Settings\All Users\Start Menu\Programs\spysubtract\cwshredder.lnk detected: Trace.File.SpySubtract
C:\Documents and Settings\All Users\Start Menu\Programs\spysubtract\readme.lnk detected: Trace.File.SpySubtract
C:\Documents and Settings\All Users\Start Menu\Programs\spysubtract\spysubtract help.lnk detected: Trace.File.SpySubtract
C:\Documents and Settings\All Users\Start Menu\Programs\spysubtract\spysubtract.lnk detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\en-us.dll detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\help\en-us.chm detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\install.log detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\readme.txt detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\cl2.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\cl3.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\cl4.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\cld.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc1.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc11.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc2.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc3.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc4.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc5.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\sc6.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\pinball\scd.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\cl2.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\cl3.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\cl4.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\cld.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc1.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc10.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc11.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc12.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc3.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc4.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc6.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc7.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\sc8.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sounds\tomcat\scd.wav detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\spuninst.exe detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\spysub.exe detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\spysubtract.log detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\spyware.dat detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\ssengine.dll detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\sshook.dll detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\bg_common.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\bg_main.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\bg_messagedlg.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_activate.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_add.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_allow.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_bigdelete.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_bighelp.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_bigupdates.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_buy.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_cancel.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_clean.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_cleanprivacy.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_clear.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_config.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_cws.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_dbupdate.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_deny.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_details.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_feedback.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_help.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_home.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_ok.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_options.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_remove.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_restore.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_save.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_scan.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_selecttoggle.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_start.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_stop.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_updates.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\btn_viewlog.ico detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\copyright.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\detailstemplate.htm detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_check_blank.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_check_finished.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_check_off.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_check_on.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_check_working.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_adv_scanners.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_cleaning.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_general.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_scanner.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_scanners.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_scheduling.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_config_sounds.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_bad.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_error.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_good.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_info.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_question.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_uncertain.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_verybad.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_msg_warning.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_cookie.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_folder.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_none.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_process.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_regykey.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_regyval.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_shortcutlink.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_suspect.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_scanner_winfile.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\icon_threat_3.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\productlogo.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\splash.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\splashbasic.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\splashpro.bmp detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\themes\default\theme.ini detected: Trace.File.SpySubtract
C:\Program Files\intermute\spysubtract\webregister.exe detected: Trace.File.SpySubtract
C:\Program Files\aws\weatherbug\remove.exe detected: Trace.File.WeatherBug
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> Description detected: Trace.Registry.Mail PassView
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> DisplayName detected: Trace.Registry.Mail PassView
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> DisplayVersion detected: Trace.Registry.Mail PassView
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> InstallLocation detected: Trace.Registry.Mail PassView
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> Publisher detected: Trace.Registry.Mail PassView
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mail PassView --> UninstallString detected: Trace.Registry.Mail PassView
Value: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\SpyOnThis --> Order detected: Trace.Registry.SpyOnThis
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> app-access-scan detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> auto-backup detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> check-network-integrity detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> clean-privacy-on-startup detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> ConfigDir detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> ConnectionType detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> current-theme detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Days-remaining detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> db-message-on-startup detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> debug-messages detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Email detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Evaluation detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> first-run detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> language detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Message detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> monitor-ms detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Oem detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> periodic-browser-settings-scan detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> periodic-process-scan detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> ProductTag detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> ProductVersion detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Pushcount detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> scan-quick-on-win-startup detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> show-splash detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> sound-scheme detected: Trace.Registry.SpySubtract
Value: HKEY_CURRENT_USER\Software\interMute\SpySubtract --> Trial-days detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> app-access-scan detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> auto-backup detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> check-network-integrity detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> clean-privacy-on-startup detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> ConfigDir detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> ConnectionType detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> current-theme detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> db-message-on-startup detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> debug-messages detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> Email detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> Evaluation detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> first-run detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> language detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> monitor-ms detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> Oem detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> periodic-browser-settings-scan detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> periodic-process-scan detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> ProductTag detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> ProductVersion detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> scan-quick-on-win-startup detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> show-splash detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> sound-scheme detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\interMute\SpySubtract --> Trial-days detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> DisplayIcon detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> DisplayName detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> HelpLink detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> InstallLocation detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> Publisher detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> UninstallString detected: Trace.Registry.SpySubtract
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySubtract --> URLInfoAbout detected: Trace.Registry.SpySubtract
Key: HKEY_CLASSES_ROOT\.vnc detected: Trace.Registry.VNC.CommonComponents
Key: HKEY_CLASSES_ROOT\vncviewer.config detected: Trace.Registry.VNC.CommonComponents
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run --> winvnc detected: Trace.Registry.VNC.CommonComponents
Key: HKEY_LOCAL_MACHINE\software\orl\winvnc3 detected: Trace.Registry.VNC.CommonComponents
Key: HKEY_CLASSES_ROOT\.vnc detected: Trace.Registry.VNC
Value: HKEY_CLASSES_ROOT\CLSID\{62289CBE-3BE2-4ba9-AC20-A911C900039A}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{66A21AEA-5A05-46b5-B7CD-C1AAAF4770CD}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{795514CB-A81C-48f6-87AB-5B22D433D5D8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{EC2EC911-E047-4810-9535-6CAFE1ADC3AD}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_CLASSES_ROOT\CLSID\{EDBA2AAC-8A00-4eed-A2E4-74BFB760BE10}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00F442C2-5C9E-4ae5-AF7D-FB4E0350C2E3}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13AFA3A3-5687-487c-93F2-63D5DA468F4E}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32239586-29DE-4268-8AF3-CE7658D3D672}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5AAECB3B-3D56-47c7-8706-77899E73802A}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62289CBE-3BE2-4ba9-AC20-A911C900039A}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{66A21AEA-5A05-46b5-B7CD-C1AAAF4770CD}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{795514CB-A81C-48f6-87AB-5B22D433D5D8}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B195FE25-16D9-4d1b-AD10-0701F9A5E277}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BA8C584B-209C-4d54-8BB1-8AB5F1DCA18E}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D1698320-77BD-4776-96FD-C3C8D71E57E2}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E28DD8A6-E9BC-4d3e-A7F7-BC9644138CE2}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC2EC911-E047-4810-9535-6CAFE1ADC3AD}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDBA2AAC-8A00-4eed-A2E4-74BFB760BE10}\InprocServer32 --> ThreadingModel detected: Trace.Registry.YourKeyloggerProgramName
C:\Documents and Settings\Roger\Cookies\roger@com[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Roger\Cookies\roger@com[2].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Roger\Cookies\roger@media.adrevolver[1].txt detected: Trace.TrackingCookie
C:\Documents and Settings\Roger\Cookies\roger@zedo[2].txt detected: Trace.TrackingCookie
C:\Program Files\BackWeb\BackWeb Client\6.2.3.66L\Program\runner.exe detected: Adware.BackWeb.a
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe detected: Adware.BackWeb.a
C:\Program Files\Online Services\PeoplePC\Utilities\PPCODIAG.exe detected: Heuristic.Dialer
C:\Program Files\Online Services\PeoplePC\Utilities\PPCODUN.exe detected: Heuristic.Dialer


PANDA ACTIVESCAN
Scanned

Files: 92779
Traces: 84342
Cookies: 157
Processes: 53

Found

Files: 4
Traces: 221
Cookies: 4
Processes: 0
Registry keys: 0

Scan end: 11/23/2006 8:27:44 AM
Scan time: 2:19:38 AM


Quarantined

Files: 0
Traces: 0
Cookies: 0


BITDEFENDER
BitDefender Online Scanner

Scan report generated at: Thu, Nov 23, 2006 - 21:05:53
Scan path: A:\;C:\;D:\;E:\;H:\;I:\;J:\;K:\;
Statistics

Time: 03:10:46
Files: 1104427
Folders: 10295
Boot Sectors: 4
Archives: 22230
Packed Files: 87192

Results

Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info

Virus Definitions: 318462
Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings

First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\Program Files\mailpv_setup.exe=>(ZIP Sfx o)=>mailpv.exe
Infected with: Backdoor.Delf.Agf.28.E

C:\Program Files\mailpv_setup.exe=>(ZIP Sfx o)=>mailpv.exe
Disinfection failed

C:\Program Files\mailpv_setup.exe=>(ZIP Sfx o)=>mailpv.exe
Deleted

C:\Program Files\mailpv_setup.exe=>(ZIP Sfx o)
Updated

C:\Program Files\mailpv_setup.exe
Update failed

I am pretty sure I messed up on some of this. I don't know of any problems yet, I wanted to get this to you as soon as possible. It looks like a lot of reading. I know I put too much on here but I didn't want to leave anything out. I hope I at least took care of most of it. I had a couple of problems getting things to work just right but I tried. If there is something I need to redo please let me know. Thank you for taking your time to do all of this. You don't know how much I appreciate it.

#13 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:30 PM

Posted 24 November 2006 - 06:47 PM

You are doing a good job. Your HijackThis log is looking good.

You may want to scan with HijackThis and place a check mark by this entry.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

AlcxMonitor Alcxmntr.exe
Description: Realtek AC97 Audio - Event Monitor. Spyware file used to surreptitiously monitor one's actions. It is not a sinister one, like remote control programs, but is being used by Realtek to gather data about customers.

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entry you checked.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#14 dumafach

dumafach
  • Topic Starter

  • Members
  • 205 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Oklahoma
  • Local time:03:30 PM

Posted 25 November 2006 - 09:36 AM

Here is my latest log after cleaning the alcxmonitor. I also removed yahoo music engine because it wouldn't work and I couldn't download it because it said I already had it. It seems like some of the stuff is already back on here. So far everything appears to be working normally.

Logfile of HijackThis v1.99.1
Scan saved at 8:26:22 AM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\windows\System32\tcpsvcs.exe
C:\windows\System32\snmp.exe
C:\windows\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell AIO 810\dlcgmon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\windows\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\AnalogX\NetStat Live\nsl.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\windows\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Documents and Settings\Roger\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\windows\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite...vex-2.0.5.0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1141962591593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1142570135828
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqcpc/downloads/msxml4.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} -
O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

:thumbsup:

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:05:30 PM

Posted 25 November 2006 - 11:55 AM

Step 1

I think Spybot-S&D's TeaTimer may be stopping some fixes. I suggest you uninstall Spybot-S&D via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs). You can reinstall it after you are done.

Step 2

We need to disable the AVG Anti-Spyware Guard Realtime Monitor as it may interfere with the fixes that we need to make.
  • Open AVG Anti-Spyware by double-clicking the AVG Anti-Spyware icon in the system tray.
  • In the Your security status section, toggle the AVG Anti-Spyware Guard realtime protection to off by clicking active, which will then change the protection status to inactive.
  • When you reboot, AVG Anti-Spyware will prompt you with Restart the guard?; reply no and set it to inactive for the duration of your cleanup.

Step 3

We need to disable Windows Defender's realtime protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender
  • Click on Tools
  • Click on General Settings
  • Scroll down to Real-time protection options
  • Uncheck Turn on Real-time protection (recommended)
  • Click Save
  • Exit the program.
Note: After all of the fixes are complete, it is very important that you enable Real-time Protection again.

Step 4

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Since I see some of the Optional Fixes still in your HijackThis log, I assume you made the decision to keep them. I want to make sure that you understand that when you scan with HijackThis and place check marks by the Optional Fixes entries, the programs will no longer load at StartUp but are still available whenever you need them. Having a lot of StartUp programs may slow down your computer boot time.

Please post a new HijackThis log. Let me know if you still have any problems.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.