Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Do I Have A Keylogger Or Trojan ?


  • Please log in to reply
9 replies to this topic

#1 zimmer46

zimmer46

  • Members
  • 166 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 01 January 2007 - 09:11 AM

Hi,
I've spent a bit of time trying to sort this out myself. However, I fear I'm going round in circles and perhaps becoming paranoid. Hence, I thought it was time to ask the experts.

Background
I run Spybot S&D and AdAware regulalry. Usually they find nothing more that low risk tracking cookies. Yesterday I ran Spybot and it found "Smitfraud.C". I tried to follow the instructions given in the S&D info panel, but could not find any of the dll files it mentioned. I eventually just allowed S&D fix the problems automatically, whick it appears to have done. Further scans did not find Smitfraud again. However, I downloaded Spyware Doctor and ran a scan. It found "Winlogonhook" and identified it as a keylogger which frankly scared the s*** out of me. So paranoia has set in.

So far I've followed the instructions on here as best I can.

Ran ATF cleaner and deleted files.
Ran Ad Aware again - clean
S & D - clean
AVG anti virus - clean
AVG Anti spam - clean

Hijackthis log follows. I can see a couple of lines mentioning "winlogon notify". There were three such lines before I started working through these stages. I can also see a few lines with "file not found".

Would really appreaciat someone having a look at the file and advising me if I do in fact have any malware, or where I have managed to remove it. Thanks in advance, and thanks for an excellent site.

Logfile of HijackThis v1.99.1
Scan saved at 13:48:53, on 01/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

BC AdBot (Login to Remove)

 


m

#2 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:41 AM

Posted 02 January 2007 - 04:50 PM

Hello and welcome at BleepingComputer,

I cannot see any evidence of malware in the log, but not everything shows in a HJT-log.

Your Java is out of date. Especially when surfing with other browsers then IE (which have the Java built-in) it is very important to update your Java software. Sun's Java is updated in order to eliminate the exploitation of vulnerabilities. For this reason, it's extremely important that you remove the older more vulnerable versions from your system.

Go here and click on the Download button to the right of Java Runtime Environment (JRE) 6.0
  • Accept the license agreement by clicking the radio button.
  • Under Windows Platform - J2SE™ Runtime Enviroment (JRE) 6.0 click the Windows Offline Installation, Multi-language link.
  • Go to Add/Remove Programs and remove any entries that refer to Java 2 Runtime Enviroment
    It should have next icon next to it: Posted Image
    and then reboot your PC.
  • Navigate to and delete the following folder, if it exists: C:\Program Files\Java.
  • Finally double click the installation file, jre-6-windows-i586.exe, that you downloaded earlier.
Please download Combofix to your desktop.
  • Doubleclick combo.exe and follow the prompts.
  • Type Y and click “enter”.
Don't click on the window while the fix is running, because that will cause your system to hang!
  • Reboot the computer after the fix is done
  • Automaticle a log should open named combofix.txt. (location: C:\combofix.txt)
  • Post this log in your next reply together with a new HijackThis log

Edited by Toscane, 02 January 2007 - 04:55 PM.


#3 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 02 January 2007 - 05:56 PM

Thanks for the reply and assistance.

I've carried out the steps requested and the ComboFix log and the new HiJackthis log are posted below.

Regards
Andrew

A. McCabe - 07-01-02 22:50:52.62 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\A. McCabe\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


2007-01-02 22:49 <DIR> d-------- C:\Program Files\Java
2007-01-02 22:49 <DIR> d-------- C:\Program Files\Common Files\Java
2007-01-02 22:34 13,170,312 --a------ C:\Documents and Settings\A. McCabe\jre-6-windows-i586.exe
2007-01-02 22:34 <DIR> d-------- C:\Documents and Settings\A. McCabe\.SunDownloadManager
2007-01-01 13:25 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-01-01 13:25 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-01-01 13:25 <DIR> d-------- C:\Documents and Settings\A. McCabe\Application Data\PC Tools
2007-01-01 12:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-01 11:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-01-01 11:33 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-01-01 10:19 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-01-01 10:19 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2006-12-31 19:38 <DIR> d-------- C:\Program Files\Safer Networking
2006-12-27 18:04 5,632 --a------ C:\WINDOWS\system32\drivers\Entech64.sys
2006-12-27 18:04 3,972 --a------ C:\WINDOWS\system32\drivers\PciBus.sys
2006-12-27 18:04 262,144 --a------ C:\WINDOWS\system32\wrap_oal.dll
2006-12-27 18:04 21,664 --a------ C:\WINDOWS\system32\drivers\Entech.sys
2006-12-27 18:04 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2006-12-27 18:02 <DIR> d-------- C:\Program Files\Futuremark
2006-12-27 17:24 323,584 --a------ C:\WINDOWS\system32\nvwrspt.dll
2006-12-27 17:24 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2006-12-27 17:24 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2006-12-27 17:24 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2006-12-27 17:24 315,392 --a------ C:\WINDOWS\system32\nvwrsru.dll
2006-12-27 17:24 315,392 --a------ C:\WINDOWS\system32\nvwrshu.dll
2006-12-27 17:24 303,104 --a------ C:\WINDOWS\system32\nvwrstr.dll
2006-12-27 17:24 303,104 --a------ C:\WINDOWS\system32\nvwrssl.dll
2006-12-27 17:24 299,008 --a------ C:\WINDOWS\system32\nvwrssk.dll
2006-12-27 17:24 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2006-12-27 17:24 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2006-12-27 17:24 294,912 --a------ C:\WINDOWS\system32\nvwrspl.dll
2006-12-27 17:24 274,432 --a------ C:\WINDOWS\system32\nvrsit.dll
2006-12-27 17:24 266,240 --a------ C:\WINDOWS\system32\nvrspt.dll
2006-12-27 17:24 266,240 --a------ C:\WINDOWS\system32\nvrsnl.dll
2006-12-27 17:24 262,144 --a------ C:\WINDOWS\system32\nvrsru.dll
2006-12-27 17:24 262,144 --a------ C:\WINDOWS\system32\nvrsptb.dll
2006-12-27 17:24 262,144 --a------ C:\WINDOWS\system32\nvrsja.dll
2006-12-27 17:24 258,048 --a------ C:\WINDOWS\system32\nvrsko.dll
2006-12-27 17:24 253,952 --a------ C:\WINDOWS\system32\nvrshu.dll
2006-12-27 17:24 249,856 --a------ C:\WINDOWS\system32\nvrstr.dll
2006-12-27 17:24 249,856 --a------ C:\WINDOWS\system32\nvrssl.dll
2006-12-27 17:24 249,856 --a------ C:\WINDOWS\system32\nvrssk.dll
2006-12-27 17:24 249,856 --a------ C:\WINDOWS\system32\nvrspl.dll
2006-12-27 17:24 249,856 --a------ C:\WINDOWS\system32\nvrsno.dll
2006-12-27 17:24 245,760 --a------ C:\WINDOWS\system32\nvrssv.dll
2006-12-27 17:24 221,184 --a------ C:\WINDOWS\system32\nvrszhc.dll
2006-12-27 17:24 212,992 --a------ C:\WINDOWS\system32\nvwrsja.dll
2006-12-27 17:24 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2006-12-27 17:24 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2006-12-27 17:24 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2006-12-27 17:24 118,784 --a------ C:\WINDOWS\system32\nvrszht.dll
2006-12-27 13:24 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-12-27 13:24 15,360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-12-27 13:24 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-12-27 13:23 85,376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-12-27 13:23 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-12-27 13:23 19,328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-12-27 13:23 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-12-27 13:23 11,136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-12-27 13:19 16,176 --------- C:\WINDOWS\system32\drivers\NVXBAR.SYS
2006-12-27 13:19 141,246 --------- C:\WINDOWS\system32\drivers\NVCAP.SYS
2006-12-27 13:04 5,306 --a------ C:\WINDOWS\system32\drivers\TBPanel.sys
2006-12-27 13:04 <DIR> d-------- C:\Program Files\XpertVision
2006-12-14 17:00 <DIR> d-------- C:\Program Files\Common Files\Xuisoft
2006-12-12 15:31 <DIR> d-------- C:\Program Files\VideoLAN


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-02 22:49 -------- d-------- C:\Program Files\Common Files
2007-01-02 22:47 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-02 22:46 -------- d-------- C:\Documents and Settings\A. McCabe\Application Data\MailWasherPro
2007-01-01 14:36 -------- d-------- C:\Documents and Settings\A. McCabe\Application Data\AVG7
2007-01-01 12:12 -------- d-------- C:\Program Files\Grisoft
2006-12-31 20:19 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-31 20:18 -------- d-------- C:\Program Files\Symantec
2006-12-31 20:18 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-12-30 23:50 -------- d-------- C:\Program Files\Servinfo
2006-12-27 18:04 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll
2006-12-27 18:04 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-12-26 21:58 -------- d-------- C:\Program Files\ATCA
2006-12-22 13:38 -------- d-------- C:\Program Files\MaxiVista Server
2006-12-20 12:39 1212416 --a------ C:\WINDOWS\system32\Incinerator.dll
2006-12-19 20:10 286720 --a------ C:\WINDOWS\iun506.exe
2006-12-16 09:17 -------- d-------- C:\Program Files\Common Files\System
2006-12-15 23:48 -------- d-------- C:\Program Files\Outlook Express
2006-12-07 05:29 2374472 --------- C:\WINDOWS\system32\wmvcore.dll
2006-11-28 17:30 -------- d-------- C:\Documents and Settings\A. McCabe\Application Data\Azureus
2006-11-26 09:37 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-26 09:37 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-26 09:37 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-26 09:37 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-26 09:37 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-26 09:37 18240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-26 09:36 -------- d---s---- C:\Documents and Settings\A. McCabe\Application Data\Microsoft
2006-11-25 13:06 -------- d-------- C:\Program Files\Synergy
2006-11-20 17:44 -------- d-------- C:\Program Files\VRC
2006-11-18 21:04 -------- d-------- C:\Program Files\ASUS
2006-11-18 20:08 -------- d-------- C:\Program Files\VisualFlight
2006-11-18 09:17 -------- d-------- C:\Program Files\BAVOSP
2006-11-12 17:14 -------- d-------- C:\Program Files\AMD
2006-11-12 11:34 -------- d-------- C:\Program Files\Aerosoft
2006-11-09 14:30 -------- d-------- C:\Program Files\BAVACARS
2006-11-08 05:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 23:12 -------- d-------- C:\Documents and Settings\A. McCabe\Application Data\AdobeUM
2006-11-05 18:12 796672 --a------ C:\WINDOWS\GPInstall.exe
2006-11-04 20:52 -------- d-------- C:\Program Files\The Lost Watch 3D Screensaver
2006-11-04 20:52 -------- d-------- C:\Program Files\3Planesoft Screensaver Manager
2006-10-24 19:02 73 --a------ C:\WINDOWS\system32\ssprs.dll
2006-10-24 19:02 205 --a------ C:\WINDOWS\system32\lsprst7.dll
2006-10-24 19:02 1025 --a------ C:\WINDOWS\system32\sysprs7.dll
2006-10-24 19:02 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2006-10-24 19:02 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2006-10-22 12:22 86016 --a------ C:\WINDOWS\system32\nvmctray.dll
2006-10-22 12:22 7700480 --a------ C:\WINDOWS\system32\nvcpl.dll
2006-10-22 12:22 4527488 --a------ C:\WINDOWS\system32\nv4_disp.dll
2006-10-22 12:22 35840 --a------ C:\WINDOWS\system32\nvcod.dll
2006-10-22 12:22 212992 --a------ C:\WINDOWS\system32\nvapi.dll
2006-10-22 12:22 159810 --a------ C:\WINDOWS\system32\nvsvc32.exe
2006-10-22 04:22 888832 --a------ C:\WINDOWS\system32\nvmobls.dll
2006-10-22 04:22 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2006-10-22 04:22 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2006-10-22 04:22 581632 --a------ C:\WINDOWS\system32\nvhwvid.dll
2006-10-22 04:22 5644288 --a------ C:\WINDOWS\system32\nvoglnt.dll
2006-10-22 04:22 5619712 --a------ C:\WINDOWS\system32\nvdisps.dll
2006-10-22 04:22 5255168 --a------ C:\WINDOWS\system32\nvdispsr.dll
2006-10-22 04:22 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2006-10-22 04:22 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2006-10-22 04:22 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2006-10-22 04:22 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2006-10-22 04:22 425984 --a------ C:\WINDOWS\system32\keystone.exe
2006-10-22 04:22 35840 --a------ C:\WINDOWS\system32\nvcodins.dll
2006-10-22 04:22 335872 --a------ C:\WINDOWS\system32\nvwrses.dll
2006-10-22 04:22 335872 --a------ C:\WINDOWS\system32\nvwrsel.dll
2006-10-22 04:22 327680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2006-10-22 04:22 327680 --a------ C:\WINDOWS\system32\nvwrsesm.dll
2006-10-22 04:22 323584 --a------ C:\WINDOWS\system32\nvrshe.dll
2006-10-22 04:22 323584 --a------ C:\WINDOWS\system32\nvrsar.dll
2006-10-22 04:22 3203072 --a------ C:\WINDOWS\system32\nvgamesr.dll
2006-10-22 04:22 311296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2006-10-22 04:22 311296 --a------ C:\WINDOWS\system32\nvexpbar.dll
2006-10-22 04:22 3047424 --a------ C:\WINDOWS\system32\nvgames.dll
2006-10-22 04:22 303104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2006-10-22 04:22 2973696 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2006-10-22 04:22 294912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2006-10-22 04:22 2924544 --a------ C:\WINDOWS\system32\nvvitvs.dll
2006-10-22 04:22 286720 --a------ C:\WINDOWS\system32\nvwrseng.dll
2006-10-22 04:22 286720 --a------ C:\WINDOWS\system32\nvwrscs.dll
2006-10-22 04:22 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2006-10-22 04:22 2859008 --a------ C:\WINDOWS\system32\nvmoblsr.dll
2006-10-22 04:22 282624 --a------ C:\WINDOWS\system32\nvwrsar.dll
2006-10-22 04:22 278528 --a------ C:\WINDOWS\system32\nvwrshe.dll
2006-10-22 04:22 278528 --a------ C:\WINDOWS\system32\nvrsfr.dll
2006-10-22 04:22 274432 --a------ C:\WINDOWS\system32\nvrses.dll
2006-10-22 04:22 274432 --a------ C:\WINDOWS\system32\nvrsel.dll
2006-10-22 04:22 270336 --a------ C:\WINDOWS\system32\nvrsde.dll
2006-10-22 04:22 266240 --a------ C:\WINDOWS\system32\nvrsesm.dll
2006-10-22 04:22 245760 --a------ C:\WINDOWS\system32\nvrsda.dll
2006-10-22 04:22 241664 --a------ C:\WINDOWS\system32\nvrsfi.dll
2006-10-22 04:22 241664 --a------ C:\WINDOWS\system32\nvrseng.dll
2006-10-22 04:22 241664 --a------ C:\WINDOWS\system32\nvrscs.dll
2006-10-22 04:22 229376 --a------ C:\WINDOWS\system32\nvmccs.dll
2006-10-22 04:22 188416 --a------ C:\WINDOWS\system32\nvmccss.dll
2006-10-22 04:22 1732608 --a------ C:\WINDOWS\system32\nvwssr.dll
2006-10-22 04:22 1662976 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2006-10-22 04:22 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2006-10-22 04:22 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2006-10-22 04:22 1470464 --a------ C:\WINDOWS\system32\nview.dll
2006-10-22 04:22 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2006-10-22 04:22 1236992 --a------ C:\WINDOWS\system32\nvwss.dll
2006-10-22 04:22 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2006-10-22 04:22 1011712 --a------ C:\WINDOWS\system32\nvcpluir.dll
2006-10-19 13:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:33 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-13 12:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MailWasher"="C:\\PROGRA~1\\MAILWA~1\\MAILWA~1.EXE"
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic 6\\SMSystemAnalyzer.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"C-Media Mixer"="Mixer.exe /startup"
"Auto EPSON Stylus C86 Series on STUDY"="\"C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE\" /P37 \"Auto EPSON Stylus C86 Series on STUDY\" /O16 \"\\\\STUDY\\EPSONSty\" /M \"Stylus C86\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"Gainward"="\"C:\\Program Files\\XpertVision\\TBPanel.exe\" /A"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,32,02,00,00,d3,ff,ff,ff,dc,00,00,00,d2,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^A. McCabe^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
"path"="C:\\Documents and Settings\\A. McCabe\\Start Menu\\Programs\\Startup\\Microsoft Find Fast.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Find Fast.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\FINDFAST.EXE "
"item"="Microsoft Find Fast"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^A. McCabe^Start Menu^Programs^Startup^Office Startup.lnk]
"path"="C:\\Documents and Settings\\A. McCabe\\Start Menu\\Programs\\Startup\\Office Startup.lnk"
"backup"="C:\\WINDOWS\\pss\\Office Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA.EXE -b"
"item"="Office Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Acrobat Assistant.lnk"
"backup"="C:\\WINDOWS\\pss\\Acrobat Assistant.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Distillr\\acrotray.exe "
"item"="Acrobat Assistant"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WinZip Quick Pick.lnk"
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DataLayer"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C86 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I2R1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2R1.EXE /P23 \"EPSON Stylus C86 Series\" /O6 \"USB001\" /M \"Stylus C86\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LAUNCH~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PcSync2"
"hkey"="HKCU"
"command"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PWRISOVM"
"hkey"="HKLM"
"command"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_07\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxsnt40"
"hkey"="HKLM"
"command"="wfxsnt40.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-02 22:52:10.03
C:\ComboFix.txt ... 07-01-02 22:52



Logfile of HijackThis v1.99.1
Scan saved at 22:55:09, on 02/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#4 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:41 AM

Posted 04 January 2007 - 11:55 AM

Combolog loooks clear to me :thumbsup:


Download, install, and update AVG anti-spyware 7.5 (This is a 30 days trial)
  • Install AVG anti-spyware.
  • Start the program but don't scan for virus at this moment.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Close AVG anti-spyware, Do Not run a scan at this moment.

Reboot your pc into safe mode

Safe mode for Windows XP
  • Restart the computer.
  • As soon as BIOS is loaded and before Windows is loaded, begin tapping the F8 (or F5) key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
To clean temporary files:
Go > start > run and type cleanmgr and click OK
Scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
Click OK to remove those files.
Click Yes to confirm deletion.

Start AVG anti-spyware.
  • Click on Scanner
  • Click on Complete System Scan
  • Let the program scan your pc, be patient this may take a little time.
  • If you have any infections you will prompted, click “set all elements to: recommended action” and choose Quarantine
  • Click "Apply all actions"
  • Next select the button "Save Report".
  • Click the "Save report as" button and save the report to your desktop.
  • Close AVG and reboot your system back into Normal Mode.
Post the results of the AVG report scan along with a new HijackThis log.

#5 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 04 January 2007 - 06:03 PM

OK run AVG Anti Spyware and HijackThis. Logs pasted below. Some interesting finds !
I actually installed AVG AntiSpyware a couple of days ago on the 30 day trial. Would you recommend it ?

Andrew

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:49:07 04/01/2007

+ Scan result:



C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP377\A0112680.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP440\A0130999.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP432\A0129309.exe -> Not-A-Virus.Monitor.Win32.Ardamax.k : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\Soundforge\ls_sf50build117_fixed.zip/patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.22:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.77:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.42:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.44:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.57:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.58:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.83:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP389\A0119167.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
D:\My Documents\Flight Sim files\Aircraft\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar/PMDG744_Validation_Bypasser.zip/PMDG744_Validation_Bypasser.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\MPHDowngrader.zip/PSP/PHOTO/overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\temp\PSP\PHOTO\overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 22:59:14, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE




OK run AVG Anti Spyware and HijackThis. Logs pasted below. Some interesting finds !
I actually installed AVG AntiSpyware a couple of days ago on the 30 day trial. Would you recommend it ?

Andrew

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:49:07 04/01/2007

+ Scan result:



C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP377\A0112680.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP440\A0130999.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP432\A0129309.exe -> Not-A-Virus.Monitor.Win32.Ardamax.k : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\Soundforge\ls_sf50build117_fixed.zip/patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.22:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.77:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.42:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.44:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.57:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.58:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.83:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP389\A0119167.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
D:\My Documents\Flight Sim files\Aircraft\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar/PMDG744_Validation_Bypasser.zip/PMDG744_Validation_Bypasser.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\MPHDowngrader.zip/PSP/PHOTO/overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\temp\PSP\PHOTO\overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 22:59:14, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE




OK run AVG Anti Spyware and HijackThis. Logs pasted below. Some interesting finds !
I actually installed AVG AntiSpyware a couple of days ago on the 30 day trial. Would you recommend it ?

Andrew

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:49:07 04/01/2007

+ Scan result:



C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP377\A0112680.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP440\A0130999.exe -> Not-A-Virus.Monitor.Win32.Ardamax.25 : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP432\A0129309.exe -> Not-A-Virus.Monitor.Win32.Ardamax.k : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\vnc-3.3.3r9_x86_win32.zip/vnc_x86_win32/vncviewer/vncviewer.exe -> Not-A-Virus.RemoteAdmin.Win32.WinVNC.333 : Cleaned with backup (quarantined).
D:\My Documents\Application Downloads\Soundforge\ls_sf50build117_fixed.zip/patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.91:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.22:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.77:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.42:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.43:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.44:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.45:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.57:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.58:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.83:C:\Documents and Settings\A. McCabe\Application Data\Mozilla\Firefox\Profiles\08ljnnve.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
C:\Documents and Settings\A. McCabe\Cookies\a._mccabe@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{493531C7-DE30-4D23-B898-49E20AC66D1F}\RP389\A0119167.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
D:\My Documents\Flight Sim files\Aircraft\FS2004 - PMDG Boeing 747-400 v1.02 (FULL with update and crack).rar/PMDG744_Validation_Bypasser.zip/PMDG744_Validation_Bypasser.exe -> Trojan.Legendmir.SY : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\MPHDowngrader.zip/PSP/PHOTO/overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).
C:\Documents and Settings\A. McCabe\Desktop\Scott's stuff\PSP\temp\PSP\PHOTO\overflow.tif -> Trojan.PSPBrick : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 22:59:14, on 04/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#6 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:41 AM

Posted 05 January 2007 - 05:22 AM

These are clean logs :thumbsup:

I actually installed AVG AntiSpyware a couple of days ago on the 30 day trial. Would you recommend it ?

Yes I would recommend this program! In fact; I should have left the “downloading part” out of my former advice.


Open HijackThis > click "Do a system scan only"
Place a checkmark next to the entries below.
After you have done that close all browsers and windows except HijackThis, and have HijackThis fix them by clicking Fix Checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =



Download ATF-Cleaner by Atribune to your desktop and please be ware that this program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.

*Under Main choose: Select All
*Click the Empty Selected button.

If you use Firefox browser:
*Click Firefox at the top and choose: Select All
*Click the Empty Selectedbutton.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser :
*Click Opera at the top and choose: Select All
*Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Reboot the computer and post a new HJT-log.

#7 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 05 January 2007 - 12:01 PM

Steps carried out and new HJT log pasted below. I see there is an entry "018" and "020" with a missing file. Is that of any significance ?

Thanks again.

Andrew




Logfile of HijackThis v1.99.1
Scan saved at 16:57:32, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Synergy\synergys.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\A. McCabe\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Auto EPSON Stylus C86 Series on STUDY] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2R1.EXE" /P37 "Auto EPSON Stylus C86 Series on STUDY" /O16 "\\STUDY\EPSONSty" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Gainward] "C:\Program Files\XpertVision\TBPanel.exe" /A
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~1\MAILWA~1.EXE
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Synergy Server - Unknown owner - C:\Program Files\Synergy\synergys.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

#8 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:41 AM

Posted 05 January 2007 - 03:55 PM

The "missing file" reports of a HijackThis log can be ignored. For those entries HJT has a little bug, so there usually are files present.

Seems to me everything is fine.

#9 zimmer46

zimmer46
  • Topic Starter

  • Members
  • 166 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 06 January 2007 - 05:41 AM

May I just express my thanks for your help with this matter.

I have other PC's on my home network so unfortunately I should really go and work through the same process with them.


Andrew

#10 Toscane

Toscane

  • Security Colleague
  • 88 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:02:41 AM

Posted 06 January 2007 - 06:06 AM

Of course, you can alway start a new topic for another log from a different computer.
For now:
Please empty the quarantinefolder of AVG:
Empty the Quarantainefolder AVG:
Click “infections” on top of the screen
Click “select all”
Click “remove finally” and “yes”

AVG AS (Ewido Anti Malware) is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

I advise you to clear the system restore:
For XP:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Edited by Toscane, 06 January 2007 - 06:07 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users