Several Trojans?


This topic is locked
11 replies to this topic

#1 Kalvarnsen

  • Members
  • 17 posts
  • OFFLINE
  • Local time: 09:17 PM

Posted 10 February 2007 - 03:16 PM

Hello. According to AVG 7.5 I have several trojans. It started last week when an icon started to appear in my application that stated that I had been infected and to download a program (I don't remember the name) to remove it. I have had this before and used Smitrem to remove it. I ran smitrem and the icon disappeared. Then later I noticed that I had several svhost.exe running at once. I usually only have two or three running. I ran AVG and it came up with 12 Trojans and unwanted programs. It could not clean them so I moved them to the vault. I tried to access this website and my IE wouldn't let me connect to any website that has anything to do with legitimate spyware and virus removal, and my homepage was changed. I could not change it back to my original home page. I am having to use another computer to access Bleeping Computer to get this problem(s) solved. Here is the HJT log file. BTW, I have already run smitfraud, smitrem, and Antipuper. I have also run Spybot Search and Destroy; all of these were run prior to the HJT. Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 1:24:54 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\syst63l.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time: 03:17 AM

Posted 10 February 2007 - 03:42 PM

Welcome Kalvarnsen :thumbsup:

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINNT\system32\syst63l.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

========================

Please download/install AVG Anti-Spyware 7.5.
Welcome Trailrider
Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8} - (no file)
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\syst63l.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)


Still in Safe Mode, launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.


Post the AVG Anti-Spyware report and a new HijackThis log into your next reply please.
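An added example, not code from this thread, from HijackThis or from the helper: a small Python parser that reads a HijackThis 1.99.1 log in the format posted above and attaches reviewer notes to the entries a malware responder looks at first (orphaned '(no file)' / '(file missing)' items, O18 filters with no CLSID, O20 AppInit_DLLs and Winlogon Notify DLLs, the O6 IE policy restriction, and an R0 Local Page pointing outside the system root the log itself reports). The sample log is constructed from lines of the log above; the heuristics and function names are mine, not HijackThis's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines taken from the HijackThis 1.99.1 log
# posted above, enough to exercise every heuristic below.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\syst63l.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# HijackThis entry lines look like "O20 - <body>"; R/F/N sections use one digit.
ENTRY_RE = re.compile(r"^([RFN]\d|O\d{1,2}) - (.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class HjtEntry:
    section: str                                  # section tag, e.g. "O20"
    body: str                                     # everything after "O20 - "
    reasons: list = field(default_factory=list)   # reviewer notes collected


def parse_hjt_log(text):
    r"""Split a HijackThis log into (system_root, entries).

    system_root is read from the winlogon.exe line of the 'Running processes'
    block (C:\WINNT on the machine in this thread), so the path heuristics use
    what the log itself says instead of assuming C:\Windows.
    """
    system_root, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if system_root is None and line.lower().endswith("\\winlogon.exe"):
            system_root = "\\".join(line.split("\\")[:2])   # "C:\WINNT"
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return system_root, entries


def review_entry(e, system_root):
    """Attach reviewer notes to one entry. These are triage heuristics, not a verdict."""
    body = e.body
    if "(no file)" in body or "(file missing)" in body:
        e.reasons.append("orphaned: the referenced file no longer exists")
    if e.section in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1]
        if (DRIVE_PATH_RE.match(value) and system_root
                and not value.lower().startswith(system_root.lower() + "\\")):
            e.reasons.append(f"local file path outside the system root {system_root}")
    if e.section == "O6":
        e.reasons.append("IE policy restriction present: user cannot change IE options")
    if e.section == "O18" and "(no CLSID)" in body:
        e.reasons.append("MIME filter with no CLSID: text handler hook is broken or hostile")
    if e.section == "O20":
        e.reasons.append("O20 DLL is loaded into other processes at boot/logon: confirm publisher")
    return e


def review_hjt_log(text):
    """Return only the entries that collected at least one reviewer note."""
    system_root, entries = parse_hjt_log(text)
    return [e for e in entries if review_entry(e, system_root).reasons]


if __name__ == "__main__":
    for e in review_hjt_log(SAMPLE_LOG):
        print(f"{e.section:>4} | {e.body[:70]}")
        for r in e.reasons:
            print(f"       - {r}")
```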

#3 Kalvarnsen (Topic Starter)

  • Members
  • 17 posts
  • OFFLINE
  • Local time: 09:17 PM

Posted 11 February 2007 - 04:34 AM

Thanks for your help!
Ok I did what you had advised. Here are the reports.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 3:07:40 AM 2/11/2007
+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Richard\Cookies\richard@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.

::Report end


Logfile of HijackThis v1.99.1
Scan saved at 3:21:30 AM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\syst63l.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

#4 Kalvarnsen (Topic Starter)

  • Members
  • 17 posts
  • OFFLINE
  • Local time: 09:17 PM

Posted 11 February 2007 - 04:46 AM

By the way, I also received the following error from HJT when I clicked on fix checked.

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20-AppInit_DLLs: C:\WINNT\system32\syst63l.dll)
Error#5-Invalid procedure call or argument


I don't know what this error means, but I am still having the issues, and whatever the trojan or virus is, it has still hijacked my IE homepage and I cannot access sites like bleepingcomputer. I am still having to use another computer to log on here, so please bear with me. -Thanks

#5 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time: 03:17 AM

Posted 11 February 2007 - 07:42 AM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it,then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.

==================

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "Safe Mode" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

==================

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a log.
Post the C:\ComboFix.txt in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


Reboot, post the SuperAntiSpyware report, the DrWeb.csv report, the C:\ComboFix.txt, and a new HijackThis log into your next reply.

#6 Kalvarnsen (Topic Starter)

  • Members
  • 17 posts
  • OFFLINE
  • Local time: 09:17 PM

Posted 11 February 2007 - 11:06 PM

Ok, I ran the programs. The results are below.

SUPERAntiSpyware Scan Log
Generated 02/11/2007 at 05:39 PM
Application Version : 3.5.1016
Core Rules Database Version : 3182
Trace Rules Database Version: 1192
Scan type : Complete Scan
Total Scan Time : 01:36:30
Memory items scanned : 302
Memory threats detected : 0
Registry items scanned : 6049
Registry threats detected : 53
File items scanned : 38972
File threats detected : 8
Adware.Tracking Cookie
C:\Documents and Settings\Richard\Cookies\richard@msnservices.112.2o7[1].txt
C:\Documents and Settings\Richard\Cookies\richard@adbrite[2].txt
C:\Documents and Settings\Richard\Cookies\richard@tacoda[1].txt
C:\Documents and Settings\Richard\Cookies\richard@msnportal.112.2o7[1].txt
C:\Documents and Settings\Richard\Cookies\richard@adserving.autotrader[1].txt
C:\Documents and Settings\Richard\Cookies\richard@atwola[1].txt
C:\Documents and Settings\Richard\Cookies\richard@tribalfusion[2].txt
C:\Documents and Settings\Richard\Cookies\richard@3.adbrite[1].txt
Trojan.Media-Codec
HKCR\650ef38e.axb8
HKCR\650ef38e.axb8\CLSID
HKCR\650ef38f.ds45
HKCR\650ef38f.ds45\CLSID
HKCR\6fa10094.vcsd
HKCR\6fa10094.vcsd\CLSID
HKCR\767960fa.ccas
HKCR\767960fa.ccas\CLSID
HKCR\767960fb.2345
HKCR\767960fb.2345\CLSID
HKCR\7fe62cc2.bctp
HKCR\7fe62cc2.bctp\CLSID
HKCR\877faba2.2dfh
HKCR\877faba2.2dfh\CLSID
HKCR\8dcb614a.afbs
HKCR\8dcb614a.afbs\CLSID
HKCR\94ad4b18.3hpo
HKCR\94ad4b18.3hpo\CLSID
HKCR\BprintingHost.Serv
HKCR\BprintingHost.Serv\CLSID
HKCR\BprintingHost.Serv\CLSID\{38ca2fcd-7d7e-11db-96a0-00e08161165f}
HKCR\c5621605.dhcp
HKCR\c5621605.dhcp\CLSID
HKCR\Svshost1.dhcp
HKCR\Svshost1.dhcp\CLSID
HKCR\Svshost10.3hpo
HKCR\Svshost10.3hpo\CLSID
HKCR\Svshost11.cs35
HKCR\Svshost11.cs35\CLSID
HKCR\Svshost12.varh
HKCR\Svshost12.varh\CLSID
HKCR\Svshost13.fpol
HKCR\Svshost13.fpol\CLSID
HKCR\Svshost14.knbs
HKCR\Svshost14.knbs\CLSID
HKCR\Svshost15.kbns
HKCR\Svshost15.kbns\CLSID
HKCR\Svshost2.axb8
HKCR\Svshost2.axb8\CLSID
HKCR\Svshost3.ds45
HKCR\Svshost3.ds45\CLSID
HKCR\Svshost4.vcsd
HKCR\Svshost4.vcsd\CLSID
HKCR\Svshost5.ccas
HKCR\Svshost5.ccas\CLSID
HKCR\Svshost6.2345
HKCR\Svshost6.2345\CLSID
HKCR\Svshost7.bctp
HKCR\Svshost7.bctp\CLSID
HKCR\Svshost8.2dfh
HKCR\Svshost8.2dfh\CLSID
HKCR\Svshost9.afbs
HKCR\Svshost9.afbs\CLSID



Doctor Web report
Process.exe;C:\Desktop\downloads\smitRem;Tool.Prockill;Incurable.Deleted.;
Process.exe;C:\Documents and Settings\Richard\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;
restart.exe;C:\Documents and Settings\Richard\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;
Process.exe;C:\Documents and Settings\Richard\Desktop\smitRem;Tool.Prockill;Incurable.Deleted.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Deleted.;



ComboFix report

"Richard" - 07-02-11 21:19:27 Service Pack 2
ComboFix 07-02-11 - Running from: "C:\Documents and Settings\Richard\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


2007-02-11 18:58 <DIR> d-------- C:\DOCUME~1\Richard\DoctorWeb
2007-02-11 16:15 0 --a------ C:\WINNT\ORUN32.EXE
2007-02-11 16:14 0 --a------ C:\WINNT\system32\CMMGR32.EXE
2007-02-11 15:58 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-02-11 15:58 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\SUPERAntiSpyware.com
2007-02-11 15:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\SUPERAntiSpyware.com
2007-02-11 15:52 5,743,392 --a------ C:\SUPERAntiSpyware.exe
2007-02-10 17:26 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-02-10 17:06 <DIR> d-------- C:\!KillBox
2007-02-10 17:05 <DIR> d-------- C:\Program Files\killbox
2007-02-10 10:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-02-10 10:45 <DIR> d-------- C:\Program Files\HJT
2007-02-10 01:06 <DIR> d-------- C:\DOCUME~1\test\Application Data\Real
2007-02-10 01:01 786,432 --ah----- C:\DOCUME~1\test\NTUSER.DAT
2007-02-10 01:01 <DIR> d-------- C:\DOCUME~1\test\Application Data\Symantec
2007-02-09 23:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-02-09 21:59 <DIR> d--h----- C:\WINNT\PIF
2007-02-09 21:55 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AVG7
2007-02-09 21:40 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\AVG7
2007-02-08 20:32 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-08 20:31 <DIR> d-------- C:\DOCUME~1\Richard\Application Data\AVG7
2007-02-08 20:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-08 20:27 839,936 --a------ C:\WINNT\system32\drivers\avg7core.sys
2007-02-08 20:27 4,960 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2007-02-08 20:27 4,224 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2007-02-08 20:27 3,968 --a------ C:\WINNT\system32\drivers\avgclean.sys
2007-02-08 20:27 27,776 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2007-02-08 20:27 18,432 --a------ C:\WINNT\system32\drivers\avgmfx86.sys
2007-02-08 20:26 <DIR> d-------- C:\Program Files\Grisoft
2007-02-08 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-08 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-02-03 16:07 4,210 --a------ C:\WINNT\system32\tmp.reg
2007-02-03 10:24 0 --a------ C:\taxyhui.exe
2007-02-03 10:24 0 --a------ C:\swglxr.exe
2007-02-03 10:24 0 --a------ C:\srnv.exe
2007-02-03 10:24 0 --a------ C:\hiyrnvle.exe
2007-02-03 10:24 0 --a------ C:\gdntgen.exe
2007-02-03 10:24 0 --a------ C:\fpwsvgd.exe
2007-02-03 10:24 0 --a------ C:\dnvbkvi.exe
2007-02-03 10:19 <DIR> d-------- C:\Program Files\WinAce
2007-01-27 15:38 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-01-18 22:58 <DIR> d-------- C:\Program Files\Paint.NET
2007-01-18 22:46 <DIR> dr--s---- C:\WINNT\assembly
2007-01-18 22:43 <DIR> d-------- C:\WINNT\Microsoft.NET

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-02-11 16:56 664 --a------ C:\WINNT\system32\d3d9caps.dat
2007-02-11 15:58 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-10 13:23 -------- d-------- C:\Program Files\mycleanerpc
2007-02-10 13:22 -------- d-------- C:\Program Files\icqlite
2007-02-08 20:25 -------- d---s---- C:\DOCUME~1\Richard\Application Data\microsoft
2007-02-08 19:30 -------- d-------- C:\Program Files\mozilla firefox
2007-01-31 22:09 -------- d-------- C:\Program Files\full tilt poker
2007-01-09 14:35 -------- d-------- C:\Program Files\msxml 4.0
2007-01-08 22:21 -------- d-------- C:\DOCUME~1\Richard\Application Data\gtk-2.0
2007-01-08 20:01 -------- d--h----- C:\Program Files\installshield installation information
2007-01-08 20:00 -------- d-------- C:\Program Files\absolute poker basic
2007-01-08 16:58 -------- d-------- C:\Program Files\gimp-2.0
2007-01-08 16:06 -------- d-------- C:\Program Files\Common Files\gtk
2007-01-07 19:04 -------- d-------- C:\Program Files\java
2007-01-05 00:54 -------- d-------- C:\Program Files\itunes
2007-01-05 00:53 -------- d-------- C:\Program Files\ipod
2007-01-05 00:48 -------- d-------- C:\Program Files\quicktime
2006-12-27 20:10 -------- d-------- C:\Program Files\badgehelp
2006-12-06 23:29 2374472 --a------ C:\WINNT\system32\wmvcore.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Uniblue Registry Booster"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"Multi-function Keyboard"="GWHotKey.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"MSConfig"="C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINNT\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -hx"
"item"="Kodak EasyShare software"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^palstart.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\palstart.exe"
"backup"="C:\\WINNT\\pss\\palstart.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\palstart.exe"
"item"="palstart"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SnagIt 8.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SnagIt 8.lnk"
"backup"="C:\\WINNT\\pss\\SnagIt 8.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\TECHSM~1\\SNAGIT~1\\SnagIt32.exe "
"item"="SnagIt 8"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Richard^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Richard\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINNT\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Richard\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1129961817\\ee\\AOLSoftware.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ICQLite\\ICQLite.exe\" -minimize"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Kazaa"
"hkey"="HKLM"
"command"="C:\\Program Files\\KaZaA\\Kazaa.exe /SYSTRAY"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Activation"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\Activation.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myCleanerPC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="myCleanerPC"
"hkey"="HKCU"
"command"="C:\\Program Files\\myCleanerPC\\myCleanerPC.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="napster"
"hkey"="HKLM"
"command"="C:\\Program Files\\Napster\\napster.exe /systray"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Navapw32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\NORTON~1\\Navapw32.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCPitStopEraser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCPitStopErase"
"hkey"="HKLM"
"command"="C:\\Program Files\\PCPitstop\\Erase\\PCPitStopErase.exe /remindme"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PortAOL"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

********************************************************************
catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-02-11 21:26:05
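One thing a triage analyst would pull out of the ComboFix "Files Created" section above is the cluster of seven zero-byte executables written to the root of C:\ in the same minute (2007-02-03 10:24). The script below is an added example, not part of the original post or of ComboFix itself: it parses lines in the ComboFix listing format and reports groups of zero-byte executables that share a creation minute and a directory. The sample is constructed from lines copied from the log above; the executable-extension list and the minimum group size are assumptions for the heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the "Files Created" lines from the ComboFix log above.
COMBOFIX_SAMPLE = r"""
2007-02-11 18:58 <DIR> d-------- C:\DOCUME~1\Richard\DoctorWeb
2007-02-11 16:15 0 --a------ C:\WINNT\ORUN32.EXE
2007-02-11 16:14 0 --a------ C:\WINNT\system32\CMMGR32.EXE
2007-02-11 15:52 5,743,392 --a------ C:\SUPERAntiSpyware.exe
2007-02-10 17:26 3,968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-02-10 01:01 786,432 --ah----- C:\DOCUME~1\test\NTUSER.DAT
2007-02-03 10:24 0 --a------ C:\taxyhui.exe
2007-02-03 10:24 0 --a------ C:\swglxr.exe
2007-02-03 10:24 0 --a------ C:\srnv.exe
2007-02-03 10:24 0 --a------ C:\hiyrnvle.exe
2007-02-03 10:24 0 --a------ C:\gdntgen.exe
2007-02-03 10:24 0 --a------ C:\fpwsvgd.exe
2007-02-03 10:24 0 --a------ C:\dnvbkvi.exe
2007-02-03 10:19 <DIR> d-------- C:\Program Files\WinAce
"""

# One ComboFix line: date, time, size (or <DIR>), nine attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|\d[\d,]*) (?P<attrs>[-a-zA-Z]{9}) (?P<path>.+)$"
)

# Extensions treated as executable content (assumption: a reasonable triage set).
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")


def parse_created(text):
    """Parse 'Files Created' lines into dicts; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "when": datetime.strptime(f'{m["date"]} {m["time"]}', "%Y-%m-%d %H:%M"),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def find_dropper_clusters(entries, min_count=3):
    """Return {(minute, directory): [paths]} for groups of at least min_count
    zero-byte executables created in the same minute in the same directory."""
    groups = defaultdict(list)
    for e in entries:
        if e["size"] != 0:          # directories (size None) and non-empty files are skipped
            continue
        if not e["path"].lower().endswith(EXEC_EXT):
            continue
        parent = e["path"].rpartition("\\")[0] + "\\"
        groups[(e["when"], parent)].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


if __name__ == "__main__":
    clusters = find_dropper_clusters(parse_created(COMBOFIX_SAMPLE))
    for (when, parent), paths in clusters.items():
        print(f"{when:%Y-%m-%d %H:%M} {parent}: {len(paths)} zero-byte executables")
        for p in paths:
            print("   ", p)
```

On the sample above the only group reported is the seven files in C:\ from 10:24, which are exactly the paths the helper targets in the next reply; the lone zero-byte ORUN32.EXE and CMMGR32.EXE entries fall below the threshold and would need to be looked at separately.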

#7 Kalvarnsen

Kalvarnsen
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:17 PM

Posted 11 February 2007 - 11:08 PM

And here is the HJT log. By the way, I still cannot access bleepingcomputer from the infected computer.

HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 9:58:04 PM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
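When reading a HijackThis log like the one above, a few mechanical checks catch most of what a helper looks at first: entries marked "(file missing)", O4 Run commands given as a bare name rather than a full path (resolved through the search path, so easy to shadow), O23 services with no identified owner, and processes running from the Windows directory itself rather than from system32. The script below is an added example, not part of the original post or of HijackThis; the sample is constructed from lines copied from the log above, the Windows directory is taken from those paths, and the Explorer.EXE allow-list entry is an assumption.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWHotKey.exe
C:\Program Files\Paltalk Messenger\palstart.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

WINDOWS_DIR = "C:\\WINNT"          # taken from the log's own paths
ROOT_ALLOW = {"explorer.exe"}      # assumption: the one exe that legitimately lives in %windir% itself

ENTRY_RE = re.compile(r"^[ORF]\d+ - ")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# A command that starts with a drive letter or an environment-variable root (optionally
# quoted). Anything else is a bare name resolved through the search path.
ABS_CMD_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)')


def triage_hjt(text):
    """Return a list of (rule, line) findings for the HijackThis log in `text`."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if PROCESS_RE.match(line):
            # "Running processes" section: flag executables sitting directly in %windir%.
            parent, _, name = line.rpartition("\\")
            if parent.lower() == WINDOWS_DIR.lower() and name.lower() not in ROOT_ALLOW:
                findings.append(("process-in-windows-root", line))
            continue
        if not ENTRY_RE.match(line):
            continue
        if "(file missing)" in line:
            findings.append(("file-missing", line))
        m = O4_RE.match(line)
        if m and not ABS_CMD_RE.match(m["cmd"]):
            findings.append(("relative-path", line))
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(("unknown-owner", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage_hjt(HJT_SAMPLE):
        print(f"[{rule}] {line}")
```

The findings are leads, not verdicts: GWHotKey.exe is flagged twice here (bare name in the Run key, and running from C:\WINNT) and still turns out to be a keyboard utility, but it is the kind of entry worth confirming by hash or signature rather than by name.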

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:03:17 AM

Posted 12 February 2007 - 04:23 AM

Please double-click Killbox.exe to run it.
Select: 'Delete on Reboot'.
Then Click on the 'All Files' button.
Please copy ALL the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\taxyhui.exe
C:\swglxr.exe
C:\srnv.exe
C:\hiyrnvle.exe
C:\gdntgen.exe
C:\fpwsvgd.exe
C:\dnvbkvi.exe


Return to Killbox, go to the File menu, and choose 'Paste from Clipboard'.
Click the red-and-white Delete File button.
Click 'Yes' at the 'Delete on Reboot' prompt.
Click OK at any 'PendingFileRenameOperations' prompt.
If your computer does not restart automatically, please restart it manually.

==================

Go to Control Panel>Add\Remove Programs and remove Paltalk Messenger if present, then reboot.
Once uninstalled find and delete if present:
C:\Program Files\Paltalk Messenger

==================

Download and scan with the free 15 day trial of Counterspy.
Once installed launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and Paste those details into a Word/Text document, then save it to your desktop.

Reboot, post the Counterspy report and a new Hijackthis log into your next reply.
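Killbox's 'Delete on Reboot' option, and the 'PendingFileRenameOperations' prompt the reply above mentions, both refer to the same Windows mechanism: a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes at the next boot before the files can be locked again. The value holds source/target pairs; an empty target means delete, paths carry the NT "\??\" prefix, and a target beginning with "!" replaces an existing file. The script below is an added example, not part of RichieUK's reply or of Killbox: it builds the value that scheduling deletion of the seven files above would produce, and decodes such a value back into a list of operations so the scheduled work can be reviewed before rebooting. The helper names are my own; the file list is copied from the reply above.

```python
# Registry location of the delayed-rename list (read-only reference here; nothing is written).
PFRO_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"

# Constructed input: the seven paths listed in the Killbox instructions above.
KILLBOX_PATHS = [
    "C:\\taxyhui.exe", "C:\\swglxr.exe", "C:\\srnv.exe", "C:\\hiyrnvle.exe",
    "C:\\gdntgen.exe", "C:\\fpwsvgd.exe", "C:\\dnvbkvi.exe",
]


def encode_multi_sz(strings):
    """Encode strings as REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated,
    then one more NUL closing the list. Empty strings are kept as lone NULs,
    which is how PendingFileRenameOperations stores a 'delete' target."""
    body = "".join(s + "\0" for s in strings)
    return (body + "\0").encode("utf-16-le")


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; raises ValueError on a malformed value."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ must end with a NUL")
    text = text[:-1]                       # drop the list terminator
    if not text:
        return []
    if not text.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return text[:-1].split("\0")


def schedule_deletes(paths):
    """Build the value 'Delete on Reboot' produces for `paths`: one (\\??\\path, "")
    pair per file. On a live system this is what would be written to PFRO_VALUE."""
    strings = []
    for p in paths:
        strings.append(NT_PREFIX + p)
        strings.append("")
    return encode_multi_sz(strings)


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(data):
    """Decode a PendingFileRenameOperations value into (op, source, target) tuples,
    where op is 'delete', 'move' or 'replace' (target prefixed with '!')."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("value must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt(src), None))
        elif dst.startswith("!"):
            ops.append(("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(("move", _strip_nt(src), _strip_nt(dst)))
    return ops


if __name__ == "__main__":
    value = schedule_deletes(KILLBOX_PATHS)
    print(f"{PFRO_KEY}\\{PFRO_VALUE}: {len(value)} bytes")
    for op, src, dst in parse_pending_ops(value):
        print(f"  {op:8} {src}" + (f" -> {dst}" if dst else ""))
```

Before rebooting, the pending list on the live machine can be dumped with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` and fed through parse_pending_ops to confirm that only the intended files are queued; after the reboot the value should be gone and the paths should no longer exist.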

#9 Kalvarnsen

Kalvarnsen
  • Topic Starter

  • Members
  • 17 posts
  • Local time:09:17 PM

Posted 12 February 2007 - 06:02 PM

Ok, here are the logs.

Scan History Details
Start Date: 2/12/2007 2:25:04 PM
End Date: 2/12/2007 3:45:49 PM
Total Time: 80 Min 45 Sec
Detected security risks

KaZaA P2P Program more information...
Details: KaZaA is a peer-to-peer (P2P) application that allows its users to join together in a network via the Internet and share files from each other's hard drives.
Status: Deleted

Files detected
C:\PROGRAM FILES\KaZaA\My Shared Folder\Thumbs.db:encryptable
C:\PROGRAM FILES\KaZaA\Db\data1024.dbb
C:\PROGRAM FILES\KaZaA\Db\data256.dbb
C:\PROGRAM FILES\KaZaA\Db\gr_Richard.current
C:\PROGRAM FILES\KaZaA\Db\gr_Richard.previous
C:\PROGRAM FILES\KaZaA\Db\tsi.db
C:\PROGRAM FILES\KaZaA\My Shared Folder\Aha - Crying in the rain.mp3
C:\PROGRAM FILES\KaZaA\My Shared Folder\Collective Soul - Shine.mp3
C:\PROGRAM FILES\KaZaA\My Shared Folder\John Cougar Melencamp - I Was Born in a Small Town.mp3
C:\PROGRAM FILES\KaZaA\My Shared Folder\Johnny Cash - The Man Comes Around - 02 - Hurt.mp3
C:\PROGRAM FILES\KaZaA\My Shared Folder\Thumbs.db
C:\PROGRAM FILES\KAZAA
C:\PROGRAM FILES\KAZAA\DB
C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER

Registry entries detected
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Advanced
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Advanced
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Advanced
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\InstantMessaging
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\InstantMessaging
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\InstantMessaging
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Application
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ApplicationWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Audio
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\AudioWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnOrder
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates1
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnSortStates2
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ColumnWidths
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\CombinedSortedColumns
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Order
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Download Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Everything
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\EverythingWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Picture
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\PictureWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\ShowWarningDialog
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Order
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Upload Width
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\Video
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\KaZaA Media Desktop\VideoWidth
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\LocalContent
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\LocalContent
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\LocalContent
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\ResultsFilter
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Settings
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\SOCKS
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\SOCKS
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\Transfer
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails
HKEY_USERS\S-1-5-21-1244572991-1907411925-173008773-1004\SOFTWARE\KAZAA\UserDetails


Paltalk Low Risk Adware more information...
Details: Paltalk is an advertising-supported instant messaging client.
Status: Deleted

Files detected
C:\DOCUMENTS AND SETTINGS\RICHARD\START MENU\PROGRAMS\PALTALK MESSENGER

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\.PALTALK
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\DefaultIcon
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open\Command
HKEY_LOCAL_MACHINE\Software\Classes\PALTALKFILE\Shell\Open\Command


Cookie: TribalFusion.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\richard\cookies\richard@tribalfusion[1].txt


HotWebFinder.Winbrume Browser Plug-in more information...
Details: HotWebFinder.Winbrume (Winbrume) is a Browser Helper Object that is used for search hijacking.
Status: Deleted

Files detected
C:\Program Files\Internet Explorer\winbrume.dat


PartyPoker Potentially Unwanted Program more information...
Details: PartyPoker is an online gambling application that requires the user to download its software in order to play.
Status: Deleted

Files detected
C:\Program Files\PartyGaming.Net\PartyPokerNet\Images\pp_browser.ico
C:\Program Files\PartyGaming.Net\PartyPokerNet\Images\ppicon.ico


Logfile of HijackThis v1.99.1
Scan saved at 4:51:04 PM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\Program Files\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
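
A small triage script for logs in this format, added here as an example: it is not HijackThis code and not something either poster ran. The lines in SAMPLE_LOG are copied from the log above; the regexes and the four flagging rules are this example's own assumptions, chosen to surface the kinds of entries a helper looks at first. The `(file missing)` and `Unknown owner` markers are HijackThis's own wording as it appears in that log.

```python
"""Triage a HijackThis 1.99.1 log: parse its O-sections and flag entries
worth a second look.  Added example: the regexes and rules are this
example's own, not HijackThis's.  SAMPLE_LOG is a subset of lines copied
verbatim from the log in the thread; "(file missing)" and "Unknown owner"
are HijackThis's own markers as they appear there."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.refdesk.com/
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O2/O3/O9 - <kind>: <name> - {CLSID} - <target>
CLSID_RE = re.compile(
    r"^(?:BHO|Toolbar|Extra button|Extra 'Tools' menuitem): (?P<name>.*?)"
    r" - \{[0-9A-Fa-f-]{36}\} - (?P<target>.*)$")
# O23 - Service: <display name> (<short name>) - <publisher> - <image path>
SVC_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \([^()]*\))? - (?P<owner>.*?) - (?P<target>.*)$")
# A Run value that is just "name.exe": which binary starts depends on the search path.
BARE_EXE_RE = re.compile(r'^[^"\\%:]+\.exe\b', re.IGNORECASE)


@dataclass
class Entry:
    section: str     # HijackThis section tag, e.g. "O23"
    name: str        # value name, button/BHO name, or service display name
    target: str      # command line or image path as printed
    owner: str = ""  # O23 publisher string; "Unknown owner" when HJT found none


def parse_line(line):
    """Return an Entry for one log line, or None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4" and (r := RUN_RE.match(body)):
        return Entry(sec, r["name"], r["cmd"])
    if sec in ("O2", "O3", "O9") and (c := CLSID_RE.match(body)):
        return Entry(sec, c["name"], c["target"])
    if sec == "O23" and (s := SVC_RE.match(body)):
        return Entry(sec, s["display"], s["target"], owner=s["owner"])
    return Entry(sec, "", body)  # R0/O8/O16 etc.: keep the raw body


def triage(log_text):
    """Return (section, name, reason) tuples, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.target.endswith("(file missing)"):
            findings.append((e.section, e.name, "target file missing: stale entry or a removed payload"))
        if e.section == "O9" and e.target.lower().endswith(".lnk"):
            findings.append((e.section, e.name, "IE button resolves to a shortcut, not a DLL/EXE"))
        if e.section == "O23" and e.owner == "Unknown owner":
            findings.append((e.section, e.name, "service binary carries no publisher string"))
        if e.section == "O4" and BARE_EXE_RE.match(e.target):
            findings.append((e.section, e.name, "Run value is a bare filename resolved via the search path"))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(SAMPLE_LOG):
        print(f"{sec:<4} {name:<32} {reason}")
```

Run stand-alone it prints five findings: the `.lnk`-backed Absolute Poker Basic button, the two `(file missing)` entries, the unowned ACS service, and the bare `GWHotKey.exe` Run value. None of these is proof of malware by itself (the process list above shows GWHotKey.exe running from C:\WINNT, and a service whose image is gone is simply a leftover); the point is to reduce seventy O-lines to a short list that gets checked by hand.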

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 12 February 2007 - 07:09 PM

Fix these two entries if you're not aware of them, or Absolute Poker Basic isn't used anymore:
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O9 - Extra button: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker Basic - {5E72AD5A-20DF-4ca4-9B7B-D9717FFDE0C5} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker Basic\Absolute Poker Basic.lnk

Exit Hijackthis.

***************************

Download\install CleanUp.
Launch CleanUp, then click on 'Options'.
Now move the slider on the left up to 'Standard Cleanup!'.
Click 'Ok', now run the program by clicking on the 'Cleanup' button.
Reboot, or log off/log on when it's finished.

***************************

Download and run Winsock XP Fix:
http://www.snapfiles.com/get/winsockxpfix.html

***************************

Download HostsXpert 3.8:
http://www.funkytoad.com/download/HostsXpert.zip
1. Extract the zip file to your desktop or a permanent folder on your hard drive.
2. Open the folder and double-click on the Hoster.exe
3. Press "Restore Microsofts Original Hosts File"
4. Press "OK" and exit the program.

Go to:
C:\WINDOWS\System32\drivers\etc\HOSTS.
1) Right-click on the HOSTS file
2) Click Properties
3) You will see a window open. Look at the bottom of the window. To the right of Attributes, check the box that says Read-only.
4) Click Apply/OK.

Your log is clean, how's your PC running now please.
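
The hosts-file part of the procedure above, as an added example in Python; it is not the poster's tool and not HostsXpert. `audit_hosts` lists every mapping other than `localhost` to a loopback address, and `restore_hosts` writes a clean file and sets it read-only, which is what the HostsXpert and Properties steps do by hand. SAMPLE_HOSTS is a constructed file: the sinkholed and redirected entries are made up to show what a hijacked hosts file looks like. DEFAULT_HOSTS is a minimal clean file, not Microsoft's original text with its comment header. HOSTS_PATH is derived from %SystemRoot% because the process list in the log above shows this machine's Windows directory is C:\WINNT rather than C:\WINDOWS.

```python
"""Audit and reset the Windows hosts file.  Added example, not from the
thread: the rules are this example's own.  SAMPLE_HOSTS is constructed, not
the file from the poster's machine; DEFAULT_HOSTS is a minimal clean file,
not the verbatim Microsoft original that HostsXpert restores."""
import ipaddress
import os
import stat
import tempfile

# %SystemRoot% is C:\WINNT on the machine in the thread (see the process list),
# so derive the path instead of hard-coding C:\WINDOWS.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                          "System32", "drivers", "etc", "hosts")

DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample: the last three mappings mimic a hijacker that blocks
# security sites (loopback / 0.0.0.0) and redirects one (TEST-NET-3 address).
SAMPLE_HOSTS = """\
# comment lines and anything after '#' are ignored by the resolver
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bleepingcomputer.com   # sinkholed
0.0.0.0         free.grisoft.com           # sinkholed
203.0.113.7     update.microsoft.com       # redirected
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every active mapping; comments and blanks are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name.lower()


def audit_hosts(text):
    """Return (hostname, ip, reason) for every mapping a stock file would not have."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        if name == "localhost" and addr.is_loopback:
            continue  # the one mapping a clean hosts file carries
        if addr.is_loopback or addr.is_unspecified:
            findings.append((name, ip, "sinkholed: host resolves to the local machine"))
        else:
            findings.append((name, ip, "redirected: host resolves to a third-party address"))
    return findings


def restore_hosts(path, content=DEFAULT_HOSTS):
    """Overwrite the hosts file with a clean mapping and mark it read-only."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear read-only so we can write
    with open(path, "w", newline="\r\n") as fh:      # Windows line endings
        fh.write(content)
    os.chmod(path, stat.S_IREAD)  # on Windows this sets the Read-only attribute
    return path


def restore_demo():
    """Write the clean file into a scratch directory and return what landed on disk."""
    scratch = os.path.join(tempfile.mkdtemp(), "hosts")
    restore_hosts(scratch)
    with open(scratch, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for host, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{host:<28} {ip:<14} {reason}")
    print("clean file would be written to", HOSTS_PATH)
```

Two caveats a practitioner would add. Pointing security-vendor hosts at 127.0.0.1 was a common way hijackers of that era blocked the removal sites the original post could not reach, but legitimate ad-blocking hosts lists produce the same pattern, so read the findings before wiping the file. And the read-only attribute only stops casual edits: anything running as Administrator, which on XP is everything the user launches, can clear it, so the check to repeat after cleanup is on the file's contents, not its attribute.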

#11 Kalvarnsen

Kalvarnsen
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:09:17 PM

Posted 12 February 2007 - 09:35 PM

Seems to be working good now. Thanks!

#12 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:03:17 AM

Posted 13 February 2007 - 02:42 AM

You're most welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
