
Infected With Smitfraud-c.toolbar888, Universa, Update.exe And More


  • This topic is locked
21 replies to this topic

#1 jmduranr

  • Members
  • 10 posts
  • OFFLINE

Posted 19 January 2007 - 03:05 PM

Hello,
My computer has been overrun :thumbsup: - Any and all help would be most welcome, as I'm about to just reinstall everything :s.

Here is what i see:
1) The following files are created:
C:\Program Files\Common Files\{48B55426-0256-1033-1025-040404200001}\Update.exe
C:\Program Files\Common Files\{48B55426-0256-1033-1025-040404200001}\system.dll
2) That Update.exe is added to the startup programs
3) Every time I start Internet Explorer or a new tab, I get a notification from MS Defender to remove "ClickSpring.PuritySCAN". Defender reports it was removed correctly, but it will reappear very soon.
4) From time to time, an application will pop up and minimize to the tray (it seems to be in Italian?). Unless I manually exit it, it will keep generating more and more processes every so often (if I leave the PC on overnight, in the morning I'll have over 20 of those tray icons) - this exe will be generated each time with a different name, similar to winxxx.tmp.exe.
File Name: win119C.tmp.exe
Display Name: Universa Application
Description: Universa Application
Publisher: Publisher Not Available
Digitally Signed By: NOT SIGNED
File Type: Application
Auto Start: No
File Path: C:\WINDOWS\TEMP\win119C.tmp.exe
File Size: 35840
File Version: 1, 0, 0, 1
Date Installed: 1/16/2007 9:40:23 AM
Process ID: 4300
Classification: Not yet classified
Ships with Operating System: No
SpyNet Voting: In Progress
*****

To resolve the problem i have tried:
1) Restart on safe mode
2) remove update.exe from the startup programs
3) delete all files described above
4) For every user account listed under C:\Documents and Settings, delete the entire contents of the following folders (but not the folders themselves):
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
5) Delete the entire content of your C:\Windows\Temp folder.
6) Delete the entire content of your C:\Windows\Prefetch folder.
7) Ran an Ad-Aware scan as described in the post in this forum. It finds a bunch of stuff and removes it
8) Ran Spybot as described in the post in this forum. It finds a bunch of stuff and removes it
9) Ran Symantec AntiVirus
10) Restart in normal mode....

And then things break down again, and I have the same problems (plus now I think all those scanning programs are fighting to fix the runtime issues). After I do all this cleanup, I think the thing that triggers the chain of events again is opening Internet Explorer (I was on version 7, I moved back to version 6 to see if that helped but it didn't - probably I'll upgrade again)
*****

Here is the HijackThis log. Any and all help will be most welcome!

Logfile of HijackThis v1.99.1
Scan saved at 1:45:05 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WinPwdHelper.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Sametime Client\Connect.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\windows\system32\tuneup\TuneUp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.pg.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.pg.com
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe


#2 waterfalls
    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  • Gender:Male

Posted 19 January 2007 - 03:53 PM

You did a very good job in describing your problems. Unfortunately, I have to advise you that your computer is seriously infected which, no doubt, you had already surmised. I cannot guarantee that we can repair all the damage it caused. Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be like searching for a needle in a haystack to find the right cause and solution.

Let me know if you want to proceed, or if you are going to format and reinstall. While your computer is infected as it is, do NOT do any online banking, purchases, etc. because you have backdoor malware present. If possible, change your passwords from another computer you know is not infected.

Take only memories, leave nothing but footprints.


#3 jmduranr
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 21 January 2007 - 12:00 PM

Hello - yep, I know :thumbsup:. Well, I'd like to give it a go if you guys want to jump in.

Let me know if you want me to post more info (e.g. updated hijackthis.log or something)

Thanks!

#4 waterfalls
    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  • Gender:Male

Posted 21 January 2007 - 03:33 PM

First thing to do is just one step:

• Re-name HijackThis.exe to kitty.com by doing the following:
- Navigate to C:\Program Files\HijackThis\HijackThis.exe
- Right-click onto HijackThis.exe and select "Rename"
- Type kitty.com and hit Enter.

• Now, double-click onto kitty.com (which is still hijackthis) and post back with the new HijackThis log.
Take only memories, leave nothing but footprints.


#5 jmduranr
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 22 January 2007 - 09:51 AM

Hello,
I ran kitty.exe as soon as I rebooted my PC. If I had run Ad-Aware and Spybot before, maybe some of the entries here would be gone, but then again, they all reappear later, so I figured it was better to give you a complete picture.

Some comments:
-- C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe => :thumbsup: - Ad-Aware detects and removes this one, but on the next reboot it will be there again (funny enough, I tried disabling all startup items from msconfig, and when I rebooted, nwtray (my Novell thing, I think) and update.exe were added :S)
-- C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE => I was scared by this one, but I think it's my Nokia PC Suite SW
-- O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present => I think I did this. I set Spybot to prevent changing the Internet settings from Internet Explorer (didn't help) - I can remove it if you want me to.

Thanks a lot!

Logfile of HijackThis v1.99.1
Scan saved at 8:39:29 AM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchosts.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WinPwdHelper.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\HijackThis\kitty.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77D1470A-6ACB-4B11-88E7-5A2CACEDEC3F} - C:\WINDOWS\system32\rqopn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\WINDOWS\system32\vtutsqp.dll
O4 - HKLM\..\Run: [{48B55426-069E-1033-1025-040404200001}] "C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: rqopn - C:\WINDOWS\system32\rqopn.dll
O20 - Winlogon Notify: vtutsqp - C:\WINDOWS\SYSTEM32\vtutsqp.dll
O20 - Winlogon Notify: winwem32 - C:\WINDOWS\SYSTEM32\winwem32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe

#6 waterfalls
    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  • Gender:Male

Posted 22 January 2007 - 10:24 AM

Hi -

Instead of continuing to repeat this, please note that I want you to follow the instructions in the order given. This is very important. Also, be sure to read the directions carefully. Notice that in my previous post, I had requested that you rename hijackthis.exe to kitty.com - you renamed it to kitty.exe - which is okay in this instance because it did what I wanted it to. Just be sure to read carefully.

Also, don't stop anything else via msconfig. It doesn't help now that we're working together. I'll be able to see what you've disabled shortly, but it's easier if nothing else is disabled.

• Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{48B55426-0256-1033-1025-040404200001}"=-

- Save this as fix.reg > choose to save as *all files > and place it on your desktop.
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
• Open HijackThis, click Open the Misc Tools section, then click Delete a file on bootup
- a window will open
- Where it says "File Name" - copy and paste: C:\Windows\System32\winwem32.dll
- Click Open
- A prompt will appear advising you that the file will be deleted and asking if you want to reboot now
- Click Yes
- Your computer will now reboot.

• Please download VundoFix.exe and save it to your Desktop.
- Double-click VundoFix.exe to run it
- Click the Scan for Vundo button
- Once it is done scanning, click the Remove Vundo button
- You will receive a prompt asking if you want to remove the files
- Click YES
- Once you click YES, your Desktop will go blank as it starts removing Vundo
- When completed, it will prompt that it will reboot your computer
- Click OK

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time.

• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Edited by waterfalls, 22 January 2007 - 11:15 AM.

Take only memories, leave nothing but footprints.


#7 jmduranr (Topic Starter)

Posted 22 January 2007 - 12:55 PM

Hello,
I did *almost* what you asked me to:
"Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, so simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Once VundoFix has completed scanning, please do not run it again.
If you run it more than one time, you will overwrite the original log generated when it was run the first time."

Based on that, I think after the reboot you wanted me to click the "delete vundo" instead of "scan for vundo" again. Sure enough, the first time I ran it, it said I had to reboot. After the PC restarted, I clicked "fix Vundo" not scan... let me know if I messed it up and I can start from zero again.

Here are the logs - thanks!

****

VundoFix V6.3.2

Checking Java version...

Java version is 1.4.2.3

Scan started at 11:31:43 AM 1/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\npoqr.bak1
C:\WINDOWS\system32\npoqr.bak2
C:\WINDOWS\system32\npoqr.ini
C:\WINDOWS\system32\rqopn.dll
C:\WINDOWS\system32\vtutsqp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccdcbx.dll
C:\WINDOWS\system32\fccdcbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\npoqr.bak1
C:\WINDOWS\system32\npoqr.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\npoqr.bak2
C:\WINDOWS\system32\npoqr.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\npoqr.ini
C:\WINDOWS\system32\npoqr.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqopn.dll
C:\WINDOWS\system32\rqopn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutsqp.dll
C:\WINDOWS\system32\vtutsqp.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\vtutsqp.dll
C:\WINDOWS\system32\vtutsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!


****
Logfile of HijackThis v1.99.1
Scan saved at 11:49:51 AM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchosts.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WinPwdHelper.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Common Files\svchost.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\HijackThis\kitty.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\WINDOWS\system32\vtutsqp.dll (file missing)
O2 - BHO: (no name) - {FE7BF4F2-F5DC-44B4-ADA6-6DF0E52DA841} - C:\WINDOWS\system32\rqopn.dll (file missing)
O4 - HKLM\..\Run: [{48B55426-069E-1033-1025-040404200001}] "C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
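The VundoFix output above shows the pairing a practitioner looks for when checking whether a clean-up was complete: the randomly named rqopn.dll sat next to npoqr.ini, npoqr.bak1 and npoqr.bak2, and "npoqr" is "rqopn" spelled backwards. The Python below is an added example for this thread, not VundoFix's code and not something either poster wrote; it finds such reversed-name groups in a directory listing, and also reports sidecar files left behind once the DLL is gone (the "Could not be deleted" case that made VundoFix run again at reboot). The listing is constructed from the six names in that log plus a few genuine system DLL names, and the reversed-name rule itself is taken only from what this one log shows.

```python
"""Spot Vundo-style reversed-name file groups in a directory listing.

Added example for this thread; not VundoFix's code. The rule is taken from
the VundoFix output above: rqopn.dll was accompanied by npoqr.ini,
npoqr.bak1 and npoqr.bak2, and "npoqr" is "rqopn" reversed. The listing
below is constructed: the six names from that log plus genuine system DLLs.
"""
import os
from collections import defaultdict

# Constructed listing: names from the VundoFix log above plus benign DLLs.
SAMPLE_LISTING = [
    "fccdcbx.dll", "npoqr.bak1", "npoqr.bak2", "npoqr.ini",
    "rqopn.dll", "vtutsqp.dll",
    "kernel32.dll", "ntdll.dll", "wininet.dll", "comctl32.dll",
]

# Sidecar extensions seen next to the reversed name in the log.
SIDECAR_EXTS = {".ini", ".bak1", ".bak2"}


def find_reversed_name_groups(names):
    """Map each DLL to the sidecar files whose base name is the DLL's
    base name reversed. Only DLLs with at least one sidecar are returned."""
    exts_by_base = defaultdict(set)
    for name in names:
        base, ext = os.path.splitext(name.lower())
        exts_by_base[base].add(ext)

    groups = {}
    for name in names:
        base, ext = os.path.splitext(name.lower())
        if ext != ".dll":
            continue
        reversed_base = base[::-1]
        if reversed_base == base:
            continue  # a palindrome would pair with itself
        sidecars = SIDECAR_EXTS & exts_by_base.get(reversed_base, set())
        if sidecars:
            groups[name] = sorted(reversed_base + e for e in sidecars)
    return groups


def orphan_sidecars(names):
    """Sidecar files whose reversed base name has no DLL in the listing:
    what a partial clean-up (DLL deleted, .ini/.bak left behind) looks like."""
    present = {os.path.splitext(n.lower())[0] for n in names
               if n.lower().endswith(".dll")}
    return sorted(n for n in names
                  if os.path.splitext(n.lower())[1] in SIDECAR_EXTS
                  and os.path.splitext(n.lower())[0][::-1] not in present)


def scan_directory(path):
    """Run both checks against a real directory (e.g. C:\\WINDOWS\\system32)."""
    names = os.listdir(path)
    return find_reversed_name_groups(names), orphan_sidecars(names)


if __name__ == "__main__":
    print(find_reversed_name_groups(SAMPLE_LISTING))
    print(orphan_sidecars(SAMPLE_LISTING))
```

Running it on the constructed listing reports rqopn.dll with its three npoqr sidecars; drop rqopn.dll from the list and the same three names come back from orphan_sidecars, which is the state to look for after a tool deletes the DLL but nothing else. scan_directory takes a real path for use on a live system.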

#8 waterfalls (Malware Exorcist)

Posted 22 January 2007 - 03:04 PM

Hi -

You did fine. The fix.reg didn't work, though, so you can delete it.
You will need to print these directions because you will be working in Safe Mode without an Internet connection.

• Reboot into SAFE MODE.
To get into the Windows XP Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times. Choose Safe Mode from the menu that will appear and press Enter.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\WINDOWS\system32\vtutsqp.dll (file missing)
O2 - BHO: (no name) - {FE7BF4F2-F5DC-44B4-ADA6-6DF0E52DA841} - C:\WINDOWS\system32\rqopn.dll (file missing)
O4 - HKLM\..\Run: [{48B55426-069E-1033-1025-040404200001}] "C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe" mc-110-12-0000272
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)


Close ALL browsers and open windows/folders except HijackThis and click 'Fix Checked'.

• Navigate to and delete the following folders if present:
C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}
C:\Program Files\Internet Explorer\AutoPass - be careful here and do NOT delete the Internet Explorer folder!

• Reboot into Normal Mode.

• Download SDFix and save it to your Desktop.

Reboot into SAFE MODE again.
  • Choose your usual account.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log

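Most of what waterfalls picked out for "Fix Checked" above follows a few structural rules that do not need a human: entries whose target file is gone ("(file missing)", "(no file)"), a Run entry whose binary lives in a GUID-named folder under Common Files, and a service binary that is a one-letter variation on a Windows system process (svchosts.exe next to the real svchost.exe). The Python below is an added example, not part of this thread and not HijackThis code, that applies those rules to lines copied from the log posted above plus one process-list line. The rule names, the table of where the genuine system binaries live, and the edit-distance threshold of one character are assumptions for the example.

```python
"""Rule-based triage of HijackThis v1.99 log lines.

Added example; not part of the thread and not HijackThis code. The rules
mirror what waterfalls selected for "Fix Checked" above: entries whose file
is gone, a Run entry living in a GUID-named Common Files folder, and a
service binary that is a near-duplicate of svchost.exe. The sample lines are
copied from the log posted above plus one process-list line; the rule names,
the expected-location table and the edit-distance threshold are assumptions.
"""
import re

# Where the genuine binaries live on a default Windows XP install (assumed).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
GUID_COMMON_FILES_RE = re.compile(r"common files\\\{[0-9a-f-]{36}\}", re.IGNORECASE)

# Constructed sample: lines from the HijackThis log above plus one process path.
SAMPLE_LOG = r"""
C:\Program Files\Common Files\svchost.exe
O2 - BHO: APHelper Class - {08C63920-DC18-11D2-9E1E-00A0247061AB} - C:\PROGRAM FILES\INTERNET EXPLORER\AUTOPASS\APHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E} - C:\WINDOWS\system32\vtutsqp.dll (file missing)
O4 - HKLM\..\Run: [{48B55426-069E-1033-1025-040404200001}] "C:\Program Files\Common Files\{48B55426-069E-1033-1025-040404200001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: winwem32 - winwem32.dll (file missing)
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""


def levenshtein(a, b):
    """Edit distance; enough to catch one-character lookalikes like svchosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_line(line):
    """Return the list of rule names that fire on one log line (empty if none)."""
    findings = []
    if "(file missing)" in line or "(no file)" in line:
        findings.append("orphan-entry")
    if GUID_COMMON_FILES_RE.search(line):
        findings.append("guid-named-common-files-folder")
    for path in PATH_RE.findall(line):
        directory, _, name = path.lower().rpartition("\\")
        if name in EXPECTED_DIR:
            if directory != EXPECTED_DIR[name]:
                findings.append("system-binary-name-outside-expected-dir:" + name)
        else:
            for known in EXPECTED_DIR:
                if levenshtein(name, known) == 1:
                    findings.append("lookalike-of:" + known)
    return findings


def triage_log(text):
    """Map each suspicious line to its findings; clean lines are left out."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            hits = triage_line(line)
            if hits:
                report[line] = hits
    return report


if __name__ == "__main__":
    for line, hits in triage_log(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line)
```

On the sample this flags the missing-file BHO, Winlogon Notify and O9 entries, the GUID-folder Update.exe Run entry, the svchosts.exe service, and the svchost.exe copy sitting in Common Files, while leaving vptray, SDHelper and NavLogon alone even though two of the flagged BHOs also show "(no name)". It deliberately does not flag the AutoPass BHO or the O6 Control Panel restriction that waterfalls also selected: those came from knowing the software, which is the part of the triage a rule set cannot replace.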

#9 jmduranr (Topic Starter)

Posted 22 January 2007 - 04:13 PM

Hello
(wow - with each post, I'm more and more amazed with you, exorcist :D)

*********

SDFix: Version 1.61

Mon 01/22/2007 - 14:53:53.43

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
COM+ Messages

Path:
"C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272

COM+ Messages Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Files will be copied to Backups folder and removed:

C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system32\svchosts.exe - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\Temp\win1.tmp - Deleted
C:\WINDOWS\Temp\win14.tmp - Deleted
C:\WINDOWS\Temp\win15.tmp - Deleted
C:\WINDOWS\Temp\win16.tmp - Deleted
C:\WINDOWS\Temp\win2.tmp - Deleted
C:\WINDOWS\Temp\win20.tmp - Deleted
C:\WINDOWS\Temp\win21.tmp - Deleted
C:\WINDOWS\Temp\win22.tmp - Deleted
C:\WINDOWS\Temp\win24.tmp - Deleted
C:\WINDOWS\Temp\win25.tmp - Deleted
C:\WINDOWS\Temp\win26.tmp - Deleted
C:\WINDOWS\Temp\win29.tmp - Deleted
C:\WINDOWS\Temp\win2A.tmp - Deleted
C:\WINDOWS\Temp\win2B.tmp - Deleted
C:\WINDOWS\Temp\win2C.tmp - Deleted
C:\WINDOWS\Temp\win2D.tmp - Deleted
C:\WINDOWS\Temp\win2E.tmp - Deleted
C:\WINDOWS\Temp\win2F.tmp - Deleted
C:\WINDOWS\Temp\win3.tmp - Deleted
C:\WINDOWS\Temp\win30.tmp - Deleted
C:\WINDOWS\Temp\win31.tmp - Deleted
C:\WINDOWS\Temp\win32.tmp - Deleted
C:\WINDOWS\Temp\win33.tmp - Deleted
C:\WINDOWS\Temp\win34.tmp - Deleted
C:\WINDOWS\Temp\win35.tmp - Deleted
C:\WINDOWS\Temp\win36.tmp - Deleted
C:\WINDOWS\Temp\win37.tmp - Deleted
C:\WINDOWS\Temp\win38.tmp - Deleted
C:\WINDOWS\Temp\win39.tmp - Deleted
C:\WINDOWS\Temp\win3A.tmp - Deleted
C:\WINDOWS\Temp\win3C.tmp - Deleted
C:\WINDOWS\Temp\win3D.tmp - Deleted
C:\WINDOWS\Temp\win3E.tmp - Deleted
C:\WINDOWS\Temp\win5F.tmp - Deleted
C:\WINDOWS\Temp\win60.tmp - Deleted
C:\WINDOWS\Temp\win61.tmp - Deleted
C:\WINDOWS\Temp\win62.tmp - Deleted
C:\WINDOWS\Temp\win63.tmp - Deleted
C:\WINDOWS\Temp\win64.tmp - Deleted
C:\WINDOWS\Temp\win65.tmp - Deleted
C:\WINDOWS\Temp\win66.tmp - Deleted
C:\WINDOWS\Temp\win67.tmp - Deleted
C:\WINDOWS\Temp\win68.tmp - Deleted
C:\WINDOWS\Temp\win69.tmp - Deleted
C:\WINDOWS\Temp\win6A.tmp - Deleted
C:\WINDOWS\Temp\win6B.tmp - Deleted
C:\WINDOWS\Temp\win6C.tmp - Deleted
C:\WINDOWS\Temp\win6D.tmp - Deleted
C:\WINDOWS\Temp\win6E.tmp - Deleted
C:\WINDOWS\Temp\win6F.tmp - Deleted
C:\WINDOWS\Temp\win70.tmp - Deleted
C:\WINDOWS\Temp\win72.tmp - Deleted
C:\WINDOWS\Temp\win73.tmp - Deleted
C:\WINDOWS\Temp\win74.tmp - Deleted
C:\WINDOWS\Temp\win75.tmp - Deleted
C:\WINDOWS\Temp\win76.tmp - Deleted
C:\WINDOWS\Temp\win77.tmp - Deleted
C:\WINDOWS\Temp\win78.tmp - Deleted
C:\WINDOWS\Temp\win79.tmp - Deleted
C:\WINDOWS\Temp\win7A.tmp - Deleted
C:\WINDOWS\Temp\win7B.tmp - Deleted
C:\WINDOWS\Temp\win7C.tmp - Deleted
C:\WINDOWS\Temp\win7D.tmp - Deleted
C:\WINDOWS\Temp\win7E.tmp - Deleted
C:\WINDOWS\Temp\win7F.tmp - Deleted
C:\WINDOWS\Temp\win80.tmp - Deleted
C:\WINDOWS\Temp\win81.tmp - Deleted
C:\WINDOWS\Temp\win82.tmp - Deleted
C:\WINDOWS\Temp\win83.tmp - Deleted
C:\WINDOWS\Temp\win84.tmp - Deleted
C:\WINDOWS\Temp\win85.tmp - Deleted
C:\WINDOWS\Temp\win86.tmp - Deleted
C:\WINDOWS\Temp\win87.tmp - Deleted
C:\WINDOWS\Temp\win88.tmp - Deleted
C:\WINDOWS\Temp\win89.tmp - Deleted
C:\WINDOWS\Temp\win8A.tmp - Deleted
C:\WINDOWS\Temp\win8B.tmp - Deleted
C:\WINDOWS\Temp\win8C.tmp - Deleted
C:\WINDOWS\Temp\win8D.tmp - Deleted
C:\WINDOWS\Temp\win8E.tmp - Deleted
C:\WINDOWS\Temp\win8F.tmp - Deleted
C:\WINDOWS\Temp\win9.tmp - Deleted
C:\WINDOWS\Temp\win91.tmp - Deleted
C:\WINDOWS\Temp\win92.tmp - Deleted
C:\WINDOWS\Temp\win93.tmp - Deleted
C:\WINDOWS\Temp\win94.tmp - Deleted
C:\WINDOWS\Temp\win95.tmp - Deleted
C:\WINDOWS\Temp\win96.tmp - Deleted
C:\WINDOWS\Temp\win97.tmp - Deleted
C:\WINDOWS\Temp\win98.tmp - Deleted
C:\WINDOWS\Temp\win99.tmp - Deleted
C:\WINDOWS\Temp\win9A.tmp - Deleted
C:\WINDOWS\Temp\win9B.tmp - Deleted
C:\WINDOWS\Temp\win9C.tmp - Deleted
C:\WINDOWS\Temp\win9D.tmp - Deleted
C:\WINDOWS\Temp\win9E.tmp - Deleted
C:\WINDOWS\Temp\win9F.tmp - Deleted
C:\WINDOWS\Temp\winA.tmp - Deleted
C:\WINDOWS\Temp\winA1.tmp - Deleted
C:\WINDOWS\Temp\winA2.tmp - Deleted
C:\WINDOWS\Temp\winA3.tmp - Deleted
C:\WINDOWS\Temp\winA4.tmp - Deleted
C:\WINDOWS\Temp\winA5.tmp - Deleted
C:\WINDOWS\Temp\winA6.tmp - Deleted
C:\WINDOWS\Temp\winA7.tmp - Deleted
C:\WINDOWS\Temp\winA8.tmp - Deleted
C:\WINDOWS\Temp\winA9.tmp - Deleted
C:\WINDOWS\Temp\winAA.tmp - Deleted
C:\WINDOWS\Temp\winAB.tmp - Deleted
C:\WINDOWS\Temp\winAC.tmp - Deleted
C:\WINDOWS\Temp\winAD.tmp - Deleted
C:\WINDOWS\Temp\winAE.tmp - Deleted
C:\WINDOWS\Temp\winAF.tmp - Deleted
C:\WINDOWS\Temp\winB.tmp - Deleted
C:\WINDOWS\Temp\winB1.tmp - Deleted
C:\WINDOWS\Temp\winB2.tmp - Deleted
C:\WINDOWS\Temp\winB3.tmp - Deleted
C:\WINDOWS\Temp\winB4.tmp - Deleted
C:\WINDOWS\Temp\winB5.tmp - Deleted
C:\WINDOWS\Temp\winB6.tmp - Deleted
C:\WINDOWS\Temp\winB7.tmp - Deleted
C:\WINDOWS\Temp\winB9.tmp - Deleted
C:\WINDOWS\Temp\winBA.tmp - Deleted
C:\WINDOWS\Temp\winBB.tmp - Deleted
C:\WINDOWS\Temp\winBD.tmp - Deleted
C:\WINDOWS\Temp\winBE.tmp - Deleted
C:\WINDOWS\Temp\winBF.tmp - Deleted
C:\WINDOWS\Temp\winC1.tmp - Deleted
C:\WINDOWS\Temp\winC2.tmp - Deleted
C:\WINDOWS\Temp\winC4.tmp - Deleted
C:\WINDOWS\Temp\winFCF.tmp - Deleted
C:\WINDOWS\Temp\winFD1.tmp - Deleted
C:\WINDOWS\Temp\winFD2.tmp - Deleted
C:\WINDOWS\Temp\winFD3.tmp - Deleted
C:\WINDOWS\Temp\winFD4.tmp - Deleted
C:\WINDOWS\Temp\winFD5.tmp - Deleted
C:\WINDOWS\Temp\winFD6.tmp - Deleted
C:\WINDOWS\Temp\winFD7.tmp - Deleted
C:\WINDOWS\Temp\winFD8.tmp - Deleted
C:\WINDOWS\Temp\winFD9.tmp - Deleted
C:\WINDOWS\Temp\winFDA.tmp - Deleted
C:\WINDOWS\Temp\winFDB.tmp - Deleted
C:\WINDOWS\Temp\winFDD.tmp - Deleted
C:\WINDOWS\Temp\winFDE.tmp - Deleted
C:\WINDOWS\Temp\winFDF.tmp - Deleted
C:\WINDOWS\Temp\winFE0.tmp - Deleted
C:\WINDOWS\Temp\winFE1.tmp - Deleted
C:\WINDOWS\Temp\winFE2.tmp - Deleted



Alternate Streams Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\Support.com\\bin\\tgcmd.exe"="C:\\Program Files\\Support.com\\bin\\tgcmd.exe:*:Disabled:Support.com Scheduler and Command Dispatcher"
"C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe"="C:\\Program Files\\Red Storm Entertainment\\Ghost Recon\\GhostRecon.exe:*:Enabled:GhostRecon"
"C:\\DOCUME~1\\ae1567\\LOCALS~1\\Temp\\win84.tmp.exe"="C:\\DOCUME~1\\ae1567\\LOCALS~1\\Temp\\win84.tmp.exe:*:Enabled:win84.tmp"
"C:\\Program Files\\Nortel Networks\\Extranet.exe"="C:\\Program Files\\Nortel Networks\\Extranet.exe:*:Enabled:Contivity VPN Client"
"C:\\WINDOWS\\system32\\jview.exe"="C:\\WINDOWS\\system32\\jview.exe:*:Enabled:Microsoft® VM Command Line Interpreter"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\tibco\\designer\\5.4\\bin\\designer.exe"="C:\\tibco\\designer\\5.4\\bin\\designer.exe:*:Enabled:designer"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\WS_FTP Pro\\ftp95pro.exe"="C:\\Program Files\\WS_FTP Pro\\ftp95pro.exe:*:Enabled:WS_FTP 95"
"C:\\Program Files\\Hewlett-Packard\\HP Virtual Rooms\\HPVirtualRooms.exe"="C:\\Program Files\\Hewlett-Packard\\HP Virtual Rooms\\HPVirtualRooms.exe:*:Enabled:HP Collaboration Tool -- 6.3"
"C:\\tibco\\tibrv\\bin\\rvd.exe"="C:\\tibco\\tibrv\\bin\\rvd.exe:*:Enabled:rvd"
"C:\\Program Files\\Carbon Copy AE\\SHELLKER.EXE"="C:\\Program Files\\Carbon Copy AE\\SHELLKER.EXE:*:Enabled:Carbon Copy 32 Kernel Application"
"C:\\WINDOWS\\TEMP\\win381.tmp.exe"="C:\\WINDOWS\\TEMP\\win381.tmp.exe:*:Enabled:win381.tmp"
"C:\\WINDOWS\\TEMP\\winDC.tmp.exe"="C:\\WINDOWS\\TEMP\\winDC.tmp.exe:*:Enabled:winDC.tmp"
"C:\\WINDOWS\\TEMP\\win685.tmp.exe"="C:\\WINDOWS\\TEMP\\win685.tmp.exe:*:Enabled:win685.tmp"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\NTDETECT.COM
C:\Documents and Settings\ae1567\Local Settings\Application Data\Microsoft\Messenger\jmduranr@gmail.com\Sharing Folders\glorivank@hotmail.com\Thumbs.db
C:\Documents and Settings\ae1567\NetHood\1- Product-Version Plan Review on na.know.extranet.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\2- Design Review on na.know.extranet.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\28 on na.know.extranet.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\ARCHITECTURE on na.know.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\External FTP (BW) on na.know.extranet.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\meeting minutes on na.know.extranet.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\NetHood\SNS - NA on na.know.hp.com\Desktop.ini
C:\Documents and Settings\ae1567\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\Documents and Settings\ae1567\Application Data\?icrosoft.NET\msconfig.exe
C:\Documents and Settings\ae1567\My Documents\àdobe\mshta.exe
C:\Program Files\Common Files\svchost.exe
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099911.exe
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100011.exe
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100030.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\ae1567\Application Data\Microsoft\Word\~WRL0004.tmp
C:\Documents and Settings\ae1567\Application Data\Microsoft\Word\~WRL2263.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Program Files\Altiris\eXpress\NS Client\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp
C:\Program Files\InterActual\InterActual Player\iti14C.tmp

Finished

********
Logfile of HijackThis v1.99.1
Scan saved at 3:09:01 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WinPwdHelper.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\HijackThis\kitty.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.pg.com:8080/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe

#10 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • Gender:Male

Posted 22 January 2007 - 05:20 PM

Well, we're getting there.

• Go to Start > Run and copy/paste: sc delete WinPwdReset

• We need to disable Microsoft Windows Defender Real-time Protection and Spybot's Tea-Timer as they may interfere with the fixes that we need to make.
To disable Windows Defender:
* Open Microsoft Windows Defender. Click Start, Programs, Windows Defender
* Click on Tools, General Settings
* Under Real-time protection options, unselect the Turn on real-time protection check box
* Click Save
To disable Tea-Timer:
* Open Spybot-S&D
* Go to the Mode menu, and make sure "Advanced Mode" is selected
* On the left hand side, choose Tools -> Resident
* Uncheck "Resident TeaTimer" and OK any prompts
* Restart your computer.

After all of the fixes are complete it is very important that you enable both Real-time Protections again.

• Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe


Close ALL browsers and open windows/programs except HijackThis and click 'Fix Checked'.

• Navigate to and delete the following file if present:
C:\Windows\System32\WinPwdHelper.exe

If you have problems finding this file, show hidden files by following these instructions:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

You may have to go into Safe Mode if you cannot delete it in Normal Mode.

• Download and scan with AVG Anti-Spyware v7.5
(This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the
AVG Anti-Spyware Full database installer from here.

Once the updates are installed do the following:
1. Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the "Apply all actions" button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.
Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.
2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

• Finally, download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100

• Post back with the log from AVG Anti-Spyware, the combofix.txt log and a new HijackThis log.
Take only memories, leave nothing but footprints.

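A small triage script for HijackThis log lines of the kind quoted earlier in this thread, added here as an example. It is not HijackThis' own code and its rules are not the helper's instructions: they generalize the two items the helper asked to have fixed (the O6 "Restrictions present" entry and the O23 service with an unknown owner running from System32) and add one further check for O4 Run entries that name a program without a path. The sample lines are copied from the log posted above; only Run-key O4 entries are examined.

```python
"""Triage HijackThis log lines (added example; heuristics are the editor's own)."""
import re
from dataclasses import dataclass, field

# Constructed sample input: a subset of the lines from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: WinPwdReset - Unknown owner - C:\WINDOWS\System32\WinPwdHelper.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# Every HijackThis line starts with a section code such as R1, O4 or O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 Run-key entries: "<hive>\..\Run: [<value name>] <command line>"
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service entries: "Service: <display name> - <owner> - <binary path>"
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    findings: list = field(default_factory=list)


def _executable(cmd: str) -> str:
    """Return the program part of a Run-key command line, dropping its arguments."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def triage(log_text: str) -> list:
    """Parse each log line and attach review findings to the entries that merit one."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or not a HijackThis entry
        entry = Entry(m.group("section"), m.group("body"))
        if entry.section == "O6":
            entry.findings.append(
                "Internet Explorer policy restrictions are set; confirm an administrator "
                "set them, otherwise treat the key as tampering")
        elif entry.section == "O4":
            run = O4_RUN_RE.match(entry.body)
            if run:
                exe = _executable(run.group("cmd"))
                if "\\" not in exe and "/" not in exe:
                    entry.findings.append(
                        f"Run entry '{run.group('name')}' names {exe} without a path; "
                        "it is resolved by a PATH search and cannot be verified from the log")
        elif entry.section == "O23":
            svc = O23_RE.match(entry.body)
            if (svc and svc.group("owner") == "Unknown owner"
                    and svc.group("path").lower().startswith(r"c:\windows\system32")):
                entry.findings.append(
                    f"service '{svc.group('name')}' has no vendor information and runs "
                    f"from {svc.group('path')}; review the binary before trusting it")
        entries.append(entry)
    return entries


def flagged(log_text: str) -> list:
    """Only the entries that received at least one finding."""
    return [e for e in triage(log_text) if e.findings]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for f in e.findings:
            print(f"    -> {f}")
```

Run against the sample, the script flags the two O4 entries without a path (NWTRAY.EXE and WBPCache.exe), the O6 restrictions key, and the two unknown-owner services in System32, while leaving the vendor-identified BlackICE service and the fully-pathed Windows Defender entry alone. A finding is a prompt to check the file, not a verdict: legitimate software also ships services without vendor strings.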

#11 jmduranr

jmduranr
  • Topic Starter

  • Members
  • 10 posts

Posted 22 January 2007 - 07:23 PM

Yes, it seems we are getting there!

Here is the info you requested
****
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:12:53 PM 1/22/2007

+ Scan result:



C:\Program Files\Ipwindows\ipwins.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\Program Files\HijackThis\backups\backup-20070118-070900-602.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP625\A0096377.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc10\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc10\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc11\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc11\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc12\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc12\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc8\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc8\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-249414903-3151693266-2418403240-1007\Dc1\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-249414903-3151693266-2418403240-1007\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP634\A0097972.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP634\A0097976.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099934.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099942.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099944.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099987.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099990.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099991.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100001.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100002.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\ae1567\My Documents\idd2A.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099946.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099947.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099948.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099949.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099950.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099951.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099952.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099953.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099954.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099955.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099956.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099957.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099958.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099959.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099960.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099961.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099962.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099963.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099964.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099965.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099966.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099967.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099973.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099974.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099975.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099976.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099977.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099978.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099979.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099980.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099981.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099982.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099983.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099984.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd11.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd18.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd2F.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd31.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd40.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd48.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd5E.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd71.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\idd90.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\iddB0.tmp.exe -> Dialer.IDialer.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099935.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099938.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099939.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099940.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099941.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099968.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099969.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099970.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099972.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win10.tmp.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win17.tmp.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win3F.tmp.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win47.tmp.exe -> Dialer.Small : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP625\A0096155.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP634\A0097975.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100069.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099936.exe -> Dropper.Agent.bbp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099971.exe -> Dropper.Agent.bbp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099985.exe -> Dropper.Agent.bbp : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnsapitr.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

*****
"ae1567" - 07-01-22 18:15:04 Service Pack 2
ComboFix 07-01-21 - Running from: "C:\Documents and Settings\ae1567\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Ipwindows
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\ae1567
C:\qoobox\purity\DOCUME~1\ae1567\Application Data
C:\qoobox\purity\DOCUME~1\ae1567\My Documents
C:\qoobox\purity\DOCUME~1\ae1567\Application Data\CROSOF~1
C:\qoobox\purity\DOCUME~1\ae1567\Application Data\from.txt
C:\qoobox\purity\DOCUME~1\ae1567\Application Data\ICROSO~1.NET
C:\qoobox\purity\DOCUME~1\ae1567\Application Data\ICROSO~1.NET\msconfig.exe
C:\qoobox\purity\DOCUME~1\ae1567\Application Data\ICROSO~1.NET\?icrosoft.NET
C:\qoobox\purity\DOCUME~1\ae1567\My Documents\CROSOF~1
C:\qoobox\purity\DOCUME~1\ae1567\My Documents\from.txt
C:\qoobox\purity\DOCUME~1\ae1567\My Documents\YMBOLS~1
C:\qoobox\purity\WINDOWS\ICROSO~1
C:\qoobox\purity\WINDOWS\system32\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-22 to 2007-01-22 ))))))))))))))))))))))))))))))))))


2007-01-22 16:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-22 16:42 <DIR> d-------- C:\Program Files\Grisoft
2007-01-22 14:52 <DIR> d-------- C:\SDFix
2007-01-22 11:31 <DIR> d-------- C:\VundoFix Backups
2007-01-22 11:07 155,648 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-19 14:29 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-19 14:27 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-01-18 16:08 76,412 --a------ C:\WINDOWS\system32\vfdmhknn.dll
2007-01-18 06:54 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-18 06:45 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2007-01-17 08:15 <DIR> d-------- C:\Program Files\HijackThis
2007-01-16 13:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy
2007-01-16 11:13 <DIR> d-------- C:\WINDOWS\àdobe
2007-01-16 11:13 <DIR> d-------- C:\DOCUME~1\ae1567\Application Data\Lavasoft
2007-01-10 12:51 <DIR> d-------- C:\Program Files\Common Files\L&H
2007-01-10 12:48 <DIR> d-------- C:\Program Files\Microsoft Works
2007-01-10 12:47 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-01-10 07:45 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-01-10 07:42 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-01-10 07:35 36,352 --------- C:\WINDOWS\system32\tsgqec.dll
2007-01-10 07:35 288,768 --------- C:\WINDOWS\system32\rhttpaa.dll
2007-01-10 07:35 116,736 --------- C:\WINDOWS\system32\aaclient.dll
2007-01-10 07:24 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-08 11:17 <DIR> d--hs---- C:\WINDOWS\U0VXUCA1IFVzZXI
2007-01-04 08:50 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-01-04 08:50 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll
2007-01-04 08:50 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-01-04 08:50 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-01-04 08:50 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-01-04 08:50 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-01-04 08:50 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-01-04 08:50 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-01-04 08:50 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2007-01-03 06:20 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-01-03 06:20 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-01-02 18:08 <DIR> d-------- C:\Program Files\Windows Defender
2007-01-02 17:15 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-02 17:15 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-02 17:11 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-02 09:06 <DIR> d-------- C:\WINDOWS\owwf
2007-01-02 06:35 <DIR> d-------- C:\WINDOWS\system32\appmgmt


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-22 07:35 -------- d-------- C:\Program Files\jpj
2007-01-19 08:34 -------- d-------- C:\Program Files\connected
2007-01-17 08:32 -------- d-------- C:\Program Files\google
2007-01-16 08:04 -------- d-------- C:\Program Files\nortel networks
2007-01-11 10:40 8192 --a------ C:\WINDOWS\iconc6e2cbce.exe
2007-01-10 12:50 -------- d-------- C:\Program Files\microsoft activesync
2007-01-10 11:08 -------- d-------- C:\Program Files\notes5
2007-01-10 10:36 -------- d--h----- C:\Program Files\installshield installation information
2007-01-03 06:20 -------- d--h----- C:\Program Files\windowsupdate
2007-01-02 18:07 -------- d-------- C:\Program Files\microsoft antispyware
2007-01-01 12:18 -------- d-------- C:\DOCUME~1\ae1567\Application Data\microsoft
2006-12-30 06:25 28624 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-12-18 12:09 -------- d-------- C:\Program Files\Common Files\pccamera
2006-12-18 12:08 -------- d-------- C:\Program Files\videocam gf112
2006-12-05 14:56 -------- d-------- C:\Program Files\msn messenger
2006-12-05 14:18 -------- d-------- C:\Program Files\movie maker
2006-12-05 14:13 -------- d-------- C:\Program Files\windows nt
2006-12-01 11:37 -------- d-------- C:\Program Files\igrafx
2006-12-01 11:37 -------- d-------- C:\Program Files\Common Files\igrafx
2006-11-29 14:52 -------- d-------- C:\Program Files\carbon copy ae
2006-11-27 02:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-26 12:04 -------- d-------- C:\Program Files\widcomm
2006-11-23 13:56 20480 --a------ C:\WINDOWS\system32\corpset.exe
2006-11-22 10:52 -------- d-------- C:\Program Files\itunes
2006-11-22 10:52 -------- d-------- C:\Program Files\ipod
2006-11-22 10:49 -------- d-------- C:\Program Files\quicktime
2006-11-22 10:45 -------- d-------- C:\Program Files\apple software update
2006-11-13 00:02 1866240 --a------ C:\WINDOWS\system32\mstscax.dll
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-07 02:06 600576 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-04 20:25 1321744 --a------ C:\WINDOWS\system32\msxml6.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-23 08:48 52561 --a------ C:\WINDOWS\system32\hwdetect.vbs


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WBPCache"="WBPCache.exe"
"Timezone"="\"C:\\Program Files\\Microsoft Time Zone\\TimeZone.exe\""
"NBJ"="\"C:\\PROGRA~1\\Ahead\\NEROBA~1\\NBJ.exe\""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TuneUp"="C:\\windows\\system32\\TuneUp\\TuneUp.exe /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NWTRAY"="NWTRAY.EXE"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"
"TuneUp"="C:\\windows\\system32\\TuneUp\\TuneUp.exe /startup"
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -onlytray"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IntelliType"="\"C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"esd3Agent"="C:\\Program Files\\Marimba\\Addons\\EsdAgent.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"DataLayer"="C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"AeXSWDUsr"="\"C:\\Program Files\\Altiris\\eXpress\\NS Client\\AeXSWDUsr.exe\""
"ACU"="C:\\Program Files\\Atheros\\ACU\\Utility\\ACU.exe -nogui"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CyberArmorRunService"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WBPCache"="WBPCache.exe"
"TuneUp"="C:\\windows\\system32\\TuneUp\\TuneUp.exe /startup"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"WBPCache"="WBPCache.exe"
"TuneUp"="C:\\windows\\system32\\TuneUp\\TuneUp.exe /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=dword:00000000
"CompatibleRUPSecurity"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"=dword:00000001
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_DRIVER
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVG_ANTI-SPYWARE_GUARD


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\TuneUp1.job
C:\WINDOWS\tasks\TuneUp2.job
C:\WINDOWS\tasks\TuneUp3.job

Completion time: 07-01-22 18:18:23
****

Logfile of HijackThis v1.99.1
Scan saved at 6:19:18 PM, on 1/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\kitty.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.pg.com:8080/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe

#12 waterfalls

    Malware Exorcist

  • Members
  • 621 posts
  • Gender:Male
  • Local time:02:40 AM

Posted 23 January 2007 - 11:43 AM

Hi -

• Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- It should look like this: Posted Image
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

• Download and scan with CCleaner Basic.
1. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
2. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
3. Click the "Run Cleaner" button.
4. A pop-up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

• Reboot your computer.

• Please go to the following site: http://virusscan.jotti.org/
and scan the following files:

C:\WINDOWS\system32\vfdmhknn.dll
C:\WINDOWS\system32\WBPCache.exe
C:\WINDOWS\iconc6e2cbce.exe


- When you go to the site, you will see "File to upload & scan" at the top of the page.
- Click "Browse" and a "File Upload" window will open.
- Navigate to the first file:
C:\WINDOWS\system32\vfdmhknn.dll
- Click onto the file, click "Open" and then click "Submit"
- Wait for the scan to finish. Copy the results because you will paste them in your next reply.
- Repeat the steps for the next two files.
- Post back with the results from Jotti's on the files.

There are two folders that I do not recognize:
C:\WINDOWS\owwf
C:\WINDOWS\U0VXUCA1IFVzZXI

Let me know if you recognize one or both. I'd like to know the contents of the folders as well.

• Please perform this online scan: Kaspersky Online Scanner
1. Click the Kaspersky Online Scanner button (NOT "Kaspersky File Scanner")
2. Read the Requirements and Privacy statement, then select Accept
3. A dialogue box will appear asking "Do you want to install this software?"
4. Click Yes or select Install to download the ActiveX controls that allow ActiveScan to run.
5. When the download is complete it will say ready, click Next
6. Click Scan Settings and check the option to use the Extended Database if available. Otherwise, use Standard
7. Click Scan Options and select both Scan Archives and Scan Mail Bases
8. Click OK
9. Under Select a target to scan, click on My Computer
10. When the scan is complete, choose to save the results as Save as Text named kaspersky.txt to your Desktop and post it in your next reply.

• Post back with the results of the Jotti scans, the results of the Kaspersky scan and a new HijackThis log.

Edited by waterfalls, 23 January 2007 - 11:48 AM.

Take only memories, leave nothing but footprints.

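The fix above picks out two kinds of entries from the logs posted earlier: a ShellExecuteHook CLSID registered with an empty description, and startup items such as WBPCache.exe that are listed by bare file name rather than by full path. The following Python script is an added example of how a helper can pull those candidates out of a HijackThis log and a "Reg Loading Points" dump automatically, and how the `=-` delete marker in a REGEDIT4 file is built; it is not code from this thread, from HijackThis or from ComboFix. The sample lines are copied from the logs in this thread; the flagging rules (nameless or missing BHO, bare-filename Run entry, hook with empty description) are this example's own assumptions about what deserves a second look, not a detection signature.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
"""

# Constructed sample: the shellexecutehooks key from the "Reg Loading Points" dump above.
HOOKS_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
SAMPLE_HOOKS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{B7BC5CCE-E6CE-43DB-B3E3-DA47DDDD4A5E}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
HOOK_RE = re.compile(r'^"(?P<clsid>\{[0-9A-Fa-f-]+\})"="(?P<desc>.*)"$')


def executable_of(command: str) -> str:
    """Return the program part of an O4 command line: a quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage_hijackthis(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for O2/O4 entries worth identifying before trusting them."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            if m["name"] == "(no name)":
                findings.append((line, "BHO registered without a name: identify the DLL before keeping it"))
            elif m["path"].endswith("(file missing)"):
                findings.append((line, "orphaned BHO entry: the registered DLL is absent"))
            continue
        m = O4_RE.match(line)
        if m:
            rest = m["rest"]
            # Run keys are logged as "[Name] command"; Startup folders as "x.lnk = path".
            if rest.startswith("[") and "]" in rest:
                command = rest[rest.index("]") + 1:]
            elif " = " in rest:
                command = rest.split(" = ", 1)[1]
            else:
                command = rest
            exe = executable_of(command)
            # A bare file name carries no drive or directory, so the loader finds it by PATH
            # search at logon and the log alone does not say which file actually runs.
            if exe and "\\" not in exe and ":" not in exe:
                findings.append((line, f"started by bare file name {exe!r}: locate the file on disk and scan it"))
    return findings


def triage_shellexecutehooks(reg_dump: str) -> List[str]:
    """Return CLSIDs registered under ShellExecuteHooks with an empty description."""
    return [m["clsid"] for m in (HOOK_RE.match(l.strip()) for l in reg_dump.splitlines())
            if m and not m["desc"]]


def reg_delete_value(key: str, value_name: str) -> str:
    """Build a REGEDIT4 file that removes one value; '=-' after the name is the delete marker."""
    return f'REGEDIT4\n\n[{key}]\n"{value_name}"=-\n'


if __name__ == "__main__":
    for line, reason in triage_hijackthis(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
    for clsid in triage_shellexecutehooks(SAMPLE_HOOKS):
        print(reg_delete_value(HOOKS_KEY, clsid))
```

Run against the sample, the script reports the nameless SDHelper BHO, the missing Windows Live DLL, and the two bare-filename Run entries (NWTRAY.EXE and WBPCache.exe), and generates a fix.reg identical in shape to the one in the post for the hook with the empty description. A flagged entry is a prompt to identify the file (here, by uploading it for a scan), not a verdict: the SDHelper.dll entry, for instance, belongs to Spybot.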

#13 jmduranr

  • Topic Starter
  • Members
  • 10 posts
  • Local time:02:40 AM

Posted 24 January 2007 - 04:48 PM

Hello,
Some interesting results:

Jotti:
I got the following errors for two files (vfdmhknn.dll and WBPCache.exe):
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Symantec real-time protection caught vfdmhknn.dll while I was loading it
"Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Infostealer
File: C:\WINDOWS\system32\vfdmhknn.dll
Location: Quarantine
Computer: CNU447F7J4
User: ae1567
Action taken: Quarantine succeeded : Access denied
Date found: Tuesday, January 23, 2007 4:16:35 PM"

The third file was found clean:
"Service load: 0% 100%

File: iconc6e2cbce.exe
Status: OK
MD5 cffc21e4ff116edf325f06dc4a1de8af
Packers detected: - "

****
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 24, 2007 3:41:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/01/2007
Kaspersky Anti-Virus database records: 261687
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 123455
Number of viruses found: 18
Number of infected objects: 43 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:35:04

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\ae1567\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Application Data\ApplicationHistory\TimeZone.exe.404e53b2.ini.inuse Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{99992943-D453-4C5C-BFE6-880F5468F2CF} Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\ae1567\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ae1567\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\ae1567\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01022007-180817.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\038C0000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03980000.VBN Infected: Trojan.Win32.Agent.vg skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0000.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05780000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05780001.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09080000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09B40000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0AC00000.VBN Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CB40000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D140000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F380000.VBN Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F3C0000.VBN Infected: not-a-virus:AdWare.Win32.Agent.at skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F5C0000.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ft skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\12100000.VBN Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\12100001.VBN Infected: Trojan-Dropper.Win32.Agent.azn skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Altiris\eXpress\NS Client\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Common Files\svchost.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\Program Files\Marimba\.marimba\workspace\launch.log Object is locked skipped
C:\Program Files\Marimba\.marimba\workspace\stdout.log Object is locked skipped
C:\Program Files\Marimba\.marimba\workspace\ws.lock Object is locked skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\F78C9AED-7ECE-4758-B7B7-DB822B\1C128E7C-8AC2-4EDB-824D-ADF2F9 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\F78C9AED-7ECE-4758-B7B7-DB822B\C0FC323E-CD2C-49AF-B26E-7CDFCB Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\Microsoft AntiSpyware\Quarantine\F78C9AED-7ECE-4758-B7B7-DB822B\C69AD0C4-CCE2-459B-A71A-85BE41 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099911.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0099937.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100005.dll Infected: Packed.Win32.Klone.t skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100011.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100030.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100068.exe Infected: Trojan-Spy.Win32.Agent.or skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100113.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100115.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.ab skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100116.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100117.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100118.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100119.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100120.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100121.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100122.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100123.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100124.exe Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP636\A0100125.dll Infected: not-a-virus:AdWare.Win32.Softomate.ac skipped
C:\System Volume Information\_restore{E70BDB30-ABC3-4492-9328-1D880CB988C0}\RP639\change.log Object is locked skipped
C:\VundoFix Backups\fccdcbx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_16c.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5cc.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

*****

Logfile of HijackThis v1.99.1
Scan saved at 3:46:23 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe
C:\Program Files\Atheros\ACU\Utility\ACU.exe
C:\Program Files\Microsoft Time Zone\TimeZone.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Sametime Client\Connect.exe
C:\WINDOWS\System32\JobTrigger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\kitty.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.pg.com:8080/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [esd3Agent] C:\Program Files\Marimba\Addons\EsdAgent.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AeXSWDUsr] "C:\Program Files\Altiris\eXpress\NS Client\AeXSWDUsr.exe"
O4 - HKLM\..\Run: [ACU] C:\Program Files\Atheros\ACU\Utility\ACU.exe -nogui
O4 - HKCU\..\Run: [WBPCache] WBPCache.exe
O4 - HKCU\..\Run: [Timezone] "C:\Program Files\Microsoft Time Zone\TimeZone.exe"
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp] C:\windows\system32\TuneUp\TuneUp.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Inetd.lnk = C:\WINDOWS\system32\Hummbird\inetd32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealSecure® Desktop Protector.LNK = C:\Program Files\ISS\issSensors\DesktopProtection\PDDonIce.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms14 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167791946971
O16 - DPF: {C3CBFE35-9BE8-11D1-B31B-006008948294} (OrgPublisher PluginX) - http://www.timevision.com/codebase30/OrgPubX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{892768C9-2B3E-4792-948E-F6FE6DC2E102}: Domain = la.pg.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = la.pg.com,pg.com,na.pg.com,eu.pg.com,ap.pg.com,gillette.com,braunag.de
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Altiris eXpress NS Client (AeXNSClient) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClient.exe
O23 - Service: Altiris eXpress NS Client Transport (AeXNSClientTransport) - Altiris - C:\Program Files\Altiris\eXpress\NS Client\AeXNSClientTransport.exe
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Altiris - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JobTrigger - Hewlett Packard - C:\WINDOWS\System32\JobTrigger.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TIBCO Administrator 5.3 (JUAN) (TIBCOAdmin-JUAN) - Unknown owner - C:/tibco/administrator/domain/JUAN/bin/tibcoadmin_JUAN.exe
O23 - Service: TIBCO Hawk Agent (TIBHawkAgent) - Unknown owner - C:\tibco\hawk\bin\tibhawkagentnt.exe
O23 - Service: TIBCO Hawk Agent (JUAN) (TIBHawkAgent-JUAN-CNU447F7J4) - Unknown owner - C:/tibco/tra/domain/JUAN/hawkagent_JUAN.exe
O23 - Service: TIBCO Hawk HMA (TIBHawkHMA) - Unknown owner - C:\tibco\hawk\bin\tibhawkhma.exe
O23 - Service: workspace - Marimba, Inc. - C:\PROGRA~1\Marimba\CASTAN~1\Tuner.exe

*****
About the Yahoo toolbar - I don't use it, but I think it got installed with the CCleaner, so I have not removed it.

Thanks!

#14 jmduranr (Topic Starter)

Posted 24 January 2007 - 04:51 PM

Oh, I forgot about the 2 folders you mentioned. I do not recognize either of them.

C:\WINDOWS\U0VXUCA1IFVzZXI is empty
C:\WINDOWS\owwf contains two files: "wu" and "owwf.dat". The second one is a text file; here is the content:

"*** Installation Started 01/02/2007 9:06 ***
Title: TSA Installation
Source: C:\DOCUME~1\ae1567\LOCALS~1\Temp\tsinstall_4_0_4_0_b4.exe | 01-02-2007 | 09:06:46 | 1509364
Made Dir: C:\WINDOWS\owwf
File Copy: C:\WINDOWS\owwf\wu | 07-26-2002 | 17:02:06 | | 153088 | 5be5019b
File Copy: C:\WINDOWS\system32\tsuninst.exe | 11-02-2005 | 00:44:52 | 4.0.4.0 | 127574 | 18c1d951
RegDB Key: Software\owwf
RegDB Val: C:\PROGRA~1\COMMON~1\owwf
RegDB Name: Path
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: TSA
RegDB Name: DisplayName
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: C:\WINDOWS\system32\tsuninst.exe /u
RegDB Name: UninstallString
RegDB Root: 2
Made Dir: C:\Program Files\Common Files\owwf
File Copy: C:\Program Files\Common Files\owwf\owwfm.exe | 11-03-2005 | 21:20:04 | 4.0.4.0 | 9216 | 78df4366
File Copy: C:\Program Files\Common Files\owwf\owwfl.exe | 11-03-2005 | 21:19:22 | 4.0.4.0 | 16384 | d2fbf87e
File Copy: C:\Program Files\Common Files\owwf\owwfa.exe | 11-03-2005 | 21:21:30 | 4.0.4.0 | 16896 | c8b4a248
File Copy: C:\Program Files\Common Files\owwf\owwfp.exe | 11-03-2005 | 21:20:38 | 4.0.4.0 | 9216 | ecac4011
Made Dir: C:\Program Files\Common Files\owwf\owwfd
File Copy: C:\Program Files\Common Files\owwf\owwfd\class-barrel | 04-19-2004 | 21:26:12 | | 4933375 | fa512af9
File Copy: C:\Program Files\Common Files\owwf\owwfd\owwfc.dll | 02-18-2004 | 06:26:00 | | 46080 | 3c9bc69
File Copy: C:\Program Files\Common Files\owwf\owwfd\vocabulary | 04-19-2004 | 21:26:12 | | 1234193 | 4d5f7b92
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Common Files\owwf\owwfm.exe
RegDB Name: owwf
RegDB Root: 1
Delete in-use files: On
RegDB Key: SOFTWARE\owwf\update
RegDB Val: 4.0.4.0
RegDB Name: TSVersion
RegDB Root: 2
RegDB Key: SOFTWARE\owwf
RegDB Val: 1219843110
RegDB Name: UID
RegDB Root: 2
File Tree: C:\Program Files\Common Files\owwf\owwfd\*.*
File Tree: C:\Program Files\Common Files\owwf\*.*
File Tree: C:\WINDOWS\owwf\*.*
RegDB Tree: SOFTWARE\owwf
RegDB Root: 2
RegDB Tree: SOFTWARE\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\owwf
RegDB Root: 1
*** Installation Started 01/02/2007 9:10 ***
Title: TSA Installation
Source: C:\DOCUME~1\ae1567\LOCALS~1\Temp\tsupdate_4_0_4_1_b3.exe | 01-02-2007 | 09:09:18 | 358404
Preserve Existing: Following file not copied.
File Copy: C:\WINDOWS\owwf\wu
File Overwrite: C:\WINDOWS\system32\tsuninst.exe | 07-21-2006 | 18:55:38 | 4.0.4.1 | 127578 | 2a055bb1
RegDB Key: Software\owwf
RegDB Val: C:\PROGRA~1\COMMON~1\owwf
RegDB Name: Path
RegDB Root: 2
RegDB Old: C:\PROGRA~1\COMMON~1\owwf
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: TargetSaver
RegDB Name: DisplayName
RegDB Root: 2
RegDB Old: TSA
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: C:\WINDOWS\system32\tsuninst.exe /u
RegDB Name: UninstallString
RegDB Root: 2
RegDB Old: C:\WINDOWS\system32\tsuninst.exe /u
File Overwrite: C:\Program Files\Common Files\owwf\owwfm.exe | 07-19-2006 | 14:56:46 | 4.0.4.1 | 9216 | c325cc93
File Overwrite: C:\Program Files\Common Files\owwf\owwfl.exe | 07-19-2006 | 15:05:36 | 4.0.4.1 | 16384 | 8c42560c
File Overwrite: C:\Program Files\Common Files\owwf\owwfa.exe | 07-19-2006 | 15:01:24 | 4.0.4.1 | 17408 | 698c8964
File Overwrite: C:\Program Files\Common Files\owwf\owwfp.exe | 07-19-2006 | 15:16:36 | 4.0.4.1 | 9216 | 1d8dddf8
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Common Files\owwf\owwfm.exe
RegDB Name: owwf
RegDB Root: 1
RegDB Old: C:\PROGRA~1\COMMON~1\owwf\owwfm.exe
Delete in-use files: On
RegDB Key: SOFTWARE\owwf\update
RegDB Val: 4.0.4.1
RegDB Name: TSVersion
RegDB Root: 2
RegDB Old: 4.0.4.0
RegDB Key: SOFTWARE\owwf
RegDB Val: 1219843110
RegDB Name: UID
RegDB Type: 3
RegDB Root: 2
RegDB Old: 1219843110
File Tree: C:\Program Files\Common Files\owwf\owwfd\*.*
File Tree: C:\Program Files\Common Files\owwf\*.*
File Tree: C:\WINDOWS\owwf\*.*
RegDB Tree: SOFTWARE\owwf
RegDB Root: 2
RegDB Tree: SOFTWARE\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSA
RegDB Root: 2
RegDB Tree: SOFTWARE\owwf
RegDB Root: 1
"

#15 waterfalls (Malware Exorcist)

Posted 25 January 2007 - 07:58 PM

Hi -

Thanks for the info. We might as well delete them because you don't recognize them, and I can't find any info on them.
Print these directions because you will be working in Safe Mode.

• Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"WBPCache"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

• Reboot into Safe Mode.

• Navigate to and delete the following folders:
C:\WINDOWS\U0VXUCA1IFVzZXI
C:\WINDOWS\owwf

• Navigate to and delete the following files:
C:\Program Files\Common Files\svchost.exe
C:\system32\WBPCache.exe

The Yahoo toolbar was installed by CCleaner. If you do not want it, just fix it:
• Start HijackThis, click System Scan Only and place a checkmark next to the following item:
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

Close ALL browsers including IE and ALL open windows/programs except HijackThis and click 'Fix Checked'.

• Reboot into Normal Mode.

• Post back with a new HijackThis log. Also, let me know how your computer is running now.
Take only memories, leave nothing but footprints.
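A small parser for the installer log quoted in #14, tied to the REGEDIT4 "=-" value-deletion syntax waterfalls uses in #15, as an added example (not code from the thread or from either poster). It reads the "Made Dir", "File Copy"/"File Overwrite" and "RegDB ..." records, closes each registry record at its "RegDB Root" line, and turns the installer's own log into a removal manifest: the Run-key value to cut first, the files dropped outside the installer's own folders, and a .reg script that deletes the autorun. The hive mapping (Root 1 = HKEY_CURRENT_USER, Root 2 = HKEY_LOCAL_MACHINE) is an assumption inferred from the log, not something the page states; the sample log is an abridged excerpt of the owwf.dat text posted above.

```python
# Added example, not from the thread: build a removal manifest from the
# TSA/owwf installer log quoted in #14.  Hive numbering below is an
# assumption inferred from the log (Root 1 -> HKCU, Root 2 -> HKLM).
from dataclasses import dataclass, field

HIVES = {"1": "HKEY_CURRENT_USER", "2": "HKEY_LOCAL_MACHINE"}  # assumption

# Abridged excerpt of the owwf.dat text posted above (install + update pass).
SAMPLE_OWWF_DAT = r"""*** Installation Started 01/02/2007 9:06 ***
Made Dir: C:\WINDOWS\owwf
File Copy: C:\WINDOWS\owwf\wu | 07-26-2002 | 17:02:06 | | 153088 | 5be5019b
File Copy: C:\WINDOWS\system32\tsuninst.exe | 11-02-2005 | 00:44:52 | 4.0.4.0 | 127574 | 18c1d951
RegDB Key: Software\owwf
RegDB Val: C:\PROGRA~1\COMMON~1\owwf
RegDB Name: Path
RegDB Root: 2
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Uninstall\TSA
RegDB Val: C:\WINDOWS\system32\tsuninst.exe /u
RegDB Name: UninstallString
RegDB Root: 2
Made Dir: C:\Program Files\Common Files\owwf
File Copy: C:\Program Files\Common Files\owwf\owwfm.exe | 11-03-2005 | 21:20:04 | 4.0.4.0 | 9216 | 78df4366
Made Dir: C:\Program Files\Common Files\owwf\owwfd
File Copy: C:\Program Files\Common Files\owwf\owwfd\owwfc.dll | 02-18-2004 | 06:26:00 | | 46080 | 3c9bc69
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Common Files\owwf\owwfm.exe
RegDB Name: owwf
RegDB Root: 1
RegDB Tree: SOFTWARE\owwf
RegDB Root: 2
*** Installation Started 01/02/2007 9:10 ***
Preserve Existing: Following file not copied.
File Copy: C:\WINDOWS\owwf\wu
File Overwrite: C:\WINDOWS\system32\tsuninst.exe | 07-21-2006 | 18:55:38 | 4.0.4.1 | 127578 | 2a055bb1
RegDB Key: Software\Microsoft\Windows\CurrentVersion\Run
RegDB Val: C:\Program Files\Common Files\owwf\owwfm.exe
RegDB Name: owwf
RegDB Root: 1
RegDB Old: C:\PROGRA~1\COMMON~1\owwf\owwfm.exe
"""


@dataclass
class Manifest:
    dirs: list = field(default_factory=list)
    files: list = field(default_factory=list)
    reg_values: list = field(default_factory=list)  # (hive\key, name, data)
    reg_trees: list = field(default_factory=list)   # keys the uninstaller removes whole


def _add(seq, item):
    if item not in seq:  # the update pass repeats the install pass; keep one copy
        seq.append(item)


def parse_install_log(text):
    """Read 'Tag: value' lines; a RegDB record is complete at its 'RegDB Root' line."""
    m, pending = Manifest(), {}
    for raw in text.splitlines():
        tag, sep, rest = raw.strip().strip('"').partition(":")
        if not sep:
            continue
        rest = rest.strip()
        if tag == "Made Dir":
            _add(m.dirs, rest)
        elif tag in ("File Copy", "File Overwrite"):
            _add(m.files, rest.split("|")[0].strip())  # drop date/size/crc columns
        elif tag in ("RegDB Key", "RegDB Tree"):
            pending = {"kind": tag, "path": rest}
        elif tag in ("RegDB Val", "RegDB Name"):
            pending[tag] = rest
        elif tag == "RegDB Root" and pending:
            full = HIVES.get(rest, "ROOT" + rest) + "\\" + pending["path"]
            if pending["kind"] == "RegDB Tree":
                _add(m.reg_trees, full)
            else:
                _add(m.reg_values, (full, pending.get("RegDB Name", ""), pending.get("RegDB Val", "")))
            pending = {}
    return m


def autorun_values(m):
    """Values written under a CurrentVersion/Run key: the persistence to cut first."""
    return [v for v in m.reg_values if v[0].lower().endswith("\\currentversion\\run")]


def stray_files(m):
    """Files dropped outside the directories the installer created for itself."""
    return [f for f in m.files
            if not any(f.lower().startswith(d.lower() + "\\") for d in m.dirs)]


def reg_delete_script(m):
    """REGEDIT4 text removing the autorun values with the '=-' delete syntax."""
    out = ["REGEDIT4", ""]
    for key, name, _ in autorun_values(m):
        out += ["[%s]" % key, '"%s"=-' % name, ""]
    return "\n".join(out)


if __name__ == "__main__":
    man = parse_install_log(SAMPLE_OWWF_DAT)
    print("autorun:", autorun_values(man), "\noutside install dirs:", stray_files(man))
    print(reg_delete_script(man))
```

Running it lists the HKCU Run value for owwfm.exe, flags tsuninst.exe as the one file written outside the installer's own folders (into system32), and prints the .reg text; it only reads the log and touches neither the registry nor the disk.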
