Need help removing the Bin Laden captured malware
scot184
7 Sep 2006, 8:14pm
Hi,
I stupidly clicked on a link saying Bin Laden had been captured. Now I have malware on my system. I ran a few different spyware programs, but they either charge me, or simply try to remove programs, but fail to do so. If anyone can help me remove it manually I'd greatly appreciate it.
Here is my log file:
Logfile of HijackThis v1.99.1
Scan saved at 12:00:43 AM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
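As an added triage example, not part of this thread and not a HijackThis feature: a small Python script that reads HijackThis log lines (a handful copied verbatim from the log above serve as constructed sample input) and flags the entries a helper would ask about first. The rules it applies are this example's own heuristics, not verdicts: any O1 hosts-file entry is reported because HijackThis only lists lines beyond the default localhost mapping; a BHO registered with "(no name)" or with its DLL outside System32 or Program Files is flagged; a Winlogon Notify DLL outside System32 is flagged; and one DLL registered both as a BHO and as a Winlogon Notify handler is called out separately. The "usual" directory list is an assumption kept deliberately narrow and would need widening for a machine with software installed elsewhere.

```python
"""Triage a HijackThis v1.99 log and flag the entries worth asking about first.

The rules below are this example's own heuristics, not verdicts:
  O1     any hosts-file entry: HijackThis only lists lines beyond the default
         localhost mapping, so each one is a name being redirected.
  O2     a BHO registered with no name, or whose DLL lives outside
         System32 / Program Files.
  O20    a Winlogon Notify DLL outside System32 (loaded by winlogon.exe).
  O2+O20 the same DLL registered both as a BHO and as a Notify handler.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: trafficexplorer.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")

# Assumed "usual" locations (an assumption of this example); a real triage
# would widen this list per machine.
SYSTEM32 = "c:\\windows\\system32\\"
TRUSTED_DIRS = (SYSTEM32, "c:\\program files\\")


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(log_text):
    """Return a list of (section, entry_or_path, reason) findings."""
    findings = []
    loaders = defaultdict(set)  # lower-cased DLL path -> who loads it
    for sec, body in parse(log_text):
        if sec == "O1":
            findings.append((sec, body, "hosts file redirect present"))
        elif sec == "O2":
            m = BHO_RE.match(body)
            if not m:
                continue
            path = m.group("path")
            loaders[path.lower()].add("BHO")
            if m.group("name") == "(no name)":
                findings.append((sec, path, "BHO registered without a name"))
            if not path.lower().startswith(TRUSTED_DIRS):
                findings.append((sec, path, "BHO DLL outside System32/Program Files"))
        elif sec == "O20":
            m = NOTIFY_RE.match(body)
            if not m:
                continue
            path = m.group("path")
            loaders[path.lower()].add("WinlogonNotify")
            if not path.lower().startswith(SYSTEM32):
                findings.append((sec, path, "Winlogon Notify DLL outside System32"))
    # One DLL hooked into both IE and winlogon.exe is the strongest signal here.
    for path, kinds in loaders.items():
        if {"BHO", "WinlogonNotify"} <= kinds:
            findings.append(("O2+O20", path, "same DLL loaded by IE (BHO) and winlogon.exe"))
    return findings


if __name__ == "__main__":
    for sec, what, why in triage(SAMPLE_LOG):
        print(f"[{sec:6}] {why}: {what}")
```

Run on the sample it reports five findings, and the one to read first is the last: a single DLL that both Internet Explorer and winlogon.exe load. A DLL registered as a Winlogon Notify handler is mapped into winlogon.exe for the whole session, so ticking the entry in HijackThis removes the registry value but not the running copy, which is why dedicated removers work at reboot rather than in the live session.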
Hi Scott, Welcome to Short-Media! :)
A few things to do, so please do the following...
First
I see HijackThis on the desktop. Please create a new folder, and move HijackThis to it. This is so backups can be created. This step is important!
Second
I don't see any indication of a Firewall in your HijackThis log. This may be because:
(1.) You are using Windows Firewall or a hardware Firewall.
(2.) You are using a Firewall of an unknown vendor.
(3.) You are using a Firewall, but it is disabled for unknown reasons.
(4.) You don't use any firewall at all.
In the case you don't have a Firewall, please download one from the list below - They are Free!
Zone Alarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp) << I recommend this
Sunbelt Kerio PF (http://www.sunbelt-software.com/Kerio-Download.cfm)
Outpost Firewall (http://www.agnitum.com/products/outpostfree/download.php)
Third
I do not see an Anti-Virus program. Again, please download one from the list below - They are Free!
AVG Free Edition (http://free.grisoft.com/doc/1) << I recommend this
AntiVir (http://www.free-av.com/)
avast! 4 Home Edition (http://www.avast.com/eng/download-avast-home.html)
Once you have chosen your Anti-Virus, update it and make a note of any files that could not be deleted.
Fourth
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
A text file called VundoFix will be created in your C: drive. Please keep it safe, as I'll need to see it soon.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Fifth
I would like to see another log from HijackThis. Run HijackThis.
Click on Open the Misc Tools section.
Next click on Open uninstall manager.
Press the Save list button. It will open a Notepad file.
Copy & Paste the entire contents of that file in your next post.
Sixth
Please post the following:
1) Info of any files that could not be cleaned by your Anti-Virus
2) Contents of C:\vundofix.txt
3) Uninstall list
4) New HijackThis log
scot184
8 Sep 2006, 11:43pm
I ran Vundo and no infected files were found...
Here is the log:
VundoFix V6.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.5
Java version is 1.5.0.5
Java version is 1.5.0.6
Scan started at 3:15:27 PM 9/8/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Here is the program list:
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AdsGone Popup Killer by A1Tech.com
Antares Tube VST v1.02
AOL Instant Messenger
Arturia Moog Modular V v1.2
Business Contact Manager for Outlook 2003
Canon Digital Camera USB WIA Driver
Click 'N Burn CD & DVD
Conexant SmartHSFi V92 56K DF PCI Modem
CutterMusic Revitar VSTi v1.1.3
Dell P1500 factory-installed files
Dell Printer Software Uninstall
Digital Line Detect
DivX
DivX Player
DivX Web Player
DVDSentry
Easy CD Creator 5 Basic
FastStone Photo Resizer 1.4
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel (R) Pro Alerting Agent
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
Ipswitch WS_FTP LE
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Korg Legacy Collection v1.0.0.2
Learn2 Player (Uninstall Only)
Lexicon PSP 42 VST DX v1.0
Logitech Gaming Software
Macromedia Fireworks MX 2004
Macromedia Flash Player 8
M-Audio USB Quattro
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Excel Viewer 97
Microsoft Office Small Business Edition 2003
Microsoft Office XP Professional with FrontPage
Modem Helper
Mozilla Firefox (1.0.6)
Mp3 Cutter and Joiner 1.0
MSN Music Assistant
Native Instruments Absynth 2
Native Instruments FM7 Sounds Vol.1
Native Instruments Kontakt
NetWaiting
Novation Bass-Station VSTi v1.10
OhmForce OhmBoyz 1.3
Ohmforce Quad Frohmage Pro VST v1.10
Online Manuals for WinTV (English)
PowerDVD
PQ DVD to iPod Video Converter (remove only)
PSP VintageWarmer v1.5d
PSP84 1.3
QuickTime
RealPlayer Basic
Rob Papen Albino 2
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Skype 2.0
SoulSeek Client 156c
SpinAudio RoomVerb M2 1.3
SpinAudio SpinDelay 2.0
SpyHunter
Spyware Doctor 4.0
Steinberg Cubase SX v2.0.2.31
STOIK Smart Resizer
Synapse Hydra VSTi V1.1
U.S. Robotics Wireless MAXg Adapter
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual IP InSight(SBC)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Here is the new log file (probably the same):
Logfile of HijackThis v1.99.1
Scan saved at 3:41:13 PM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Trogan
9 Sep 2006, 12:07am
Scot, until you get an Anti-Virus and Firewall as posted in my previous post, I will be unable to help you.
scot184
9 Sep 2006, 3:45am
OK, I've got AVG Free, ran a scan... and it came up with a bunch of trojans, but only removed 3 out of 37 infections.
I also have the Windows firewall running.
Here is the new program list:
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AdsGone Popup Killer by A1Tech.com
Antares Tube VST v1.02
AOL Instant Messenger
Arturia Moog Modular V v1.2
AVG Free Edition
Business Contact Manager for Outlook 2003
Canon Digital Camera USB WIA Driver
Click 'N Burn CD & DVD
Conexant SmartHSFi V92 56K DF PCI Modem
CutterMusic Revitar VSTi v1.1.3
Dell P1500 factory-installed files
Dell Printer Software Uninstall
Digital Line Detect
DivX
DivX Player
DivX Web Player
DVDSentry
Easy CD Creator 5 Basic
FastStone Photo Resizer 1.4
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel (R) Pro Alerting Agent
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
Ipswitch WS_FTP LE
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Korg Legacy Collection v1.0.0.2
Learn2 Player (Uninstall Only)
Lexicon PSP 42 VST DX v1.0
Logitech Gaming Software
Macromedia Fireworks MX 2004
Macromedia Flash Player 8
M-Audio USB Quattro
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Excel Viewer 97
Microsoft Office Small Business Edition 2003
Microsoft Office XP Professional with FrontPage
Modem Helper
Mozilla Firefox (1.0.6)
Mp3 Cutter and Joiner 1.0
MSN Music Assistant
Native Instruments Absynth 2
Native Instruments FM7 Sounds Vol.1
Native Instruments Kontakt
NetWaiting
Novation Bass-Station VSTi v1.10
OhmForce OhmBoyz 1.3
Ohmforce Quad Frohmage Pro VST v1.10
Online Manuals for WinTV (English)
PowerDVD
PQ DVD to iPod Video Converter (remove only)
PSP VintageWarmer v1.5d
PSP84 1.3
QuickTime
RealPlayer Basic
Rob Papen Albino 2
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Skype 2.0
SoulSeek Client 156c
SpinAudio RoomVerb M2 1.3
SpinAudio SpinDelay 2.0
SpyHunter
Spyware Doctor 4.0
Steinberg Cubase SX v2.0.2.31
STOIK Smart Resizer
Synapse Hydra VSTi V1.1
U.S. Robotics Wireless MAXg Adapter
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual IP InSight(SBC)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
And the new hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 7:44:39 PM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Thanks scot! Can you do the following please...
Download Hoster from the link below, and extract the files to your desktop.
http://www.funkytoad.com/download/hoster.zip
A folder called Hoster should be created. Open it, and open the Hoster file inside.
Click on Restore Microsoft's Original Hosts File, and click OK at the prompt
Close Hoster
=====
We need to run VundoFix again, but slightly differently than the first time.
Double-click VundoFix.exe to run it.
Right Click inside the listbox (white box) and click Add more file?
Copy & Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\system32\tuvsq.dll
C:\WINDOWS\system32\qsvut.*
Click Add Files and click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
scot184
11 Sep 2006, 7:51am
I keep getting an error when trying to open Hoster...and it simply closes on me. Error getting host files to be specific. Should I still run Vundo again?
Please advise.
And thanks again for your time and patience!
Trogan
11 Sep 2006, 2:15pm
Do this...
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
Now run VundoFix as instructed in my last post. :)
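To make the two steps Trogan describes concrete (restoring the stock hosts file, and fixing the O1 entries HijackThis reports), here is an added example in Python. It is not code from HijackThis, VundoFix, Hoster or anyone in this thread. It parses a few lines copied from the log above plus a constructed sample hosts file, and the rules it applies (an O2 BHO with no name, an O20 Winlogon Notify DLL loaded from somewhere other than System32, any O1 hosts mapping, and hosts-file lines beyond the default localhost entry) are my own assumptions about what a helper would look at first, not a signature set.

```python
"""Triage helpers for a HijackThis 1.99 log and a Windows hosts file.

Added example for this thread; it is not code from HijackThis, VundoFix or
Hoster. The rules are assumptions a defender might start from: they point at
the kinds of entries the thread ended up fixing (O1 hosts lines, a BHO with no
name, a Winlogon Notify DLL loaded from C:\\WINDOWS\\inf), nothing more.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's log plus one benign O20
# line, so every rule below has something to match.
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: ficserver.com",
    r"O1 - Hosts: icserver.com",
    r"O1 - Hosts: uecommerce.com",
    r"O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll",
    r"O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll",
])

# Constructed sample hosts file: the stock localhost line plus two additions
# (the domain names here are made up for the example).
SAMPLE_HOSTS = "\n".join([
    "# Copyright (c) 1993-1999 Microsoft Corp.",
    "#",
    "127.0.0.1       localhost",
    "127.0.0.1       ads.example.net",
    "127.0.0.1       ficserver.com",
])

ENTRY_RE = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
# Assumption: a Winlogon notification package normally lives in System32.
EXPECTED_NOTIFY_DIRS = {r"c:\windows\system32"}
# The only mapping a stock Windows XP hosts file carries.
STOCK_HOSTS_ENTRY = ("127.0.0.1", "localhost")


@dataclass
class Finding:
    rule: str
    detail: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage_log(log_text):
    """Return the findings the rules above raise against a HijackThis log."""
    findings = []
    hosts_lines = 0
    for section, body, line in parse_entries(log_text):
        if section == "O1":
            # HijackThis lists hosts-file mappings beyond the default; each one
            # redirects a name without DNS, so they are reviewed as a group.
            hosts_lines += 1
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("bho-no-name", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll_path = body.split(" - ", 1)[1]
            dll_dir = dll_path.rsplit("\\", 1)[0].lower()
            if dll_dir not in EXPECTED_NOTIFY_DIRS:
                findings.append(Finding("winlogon-notify-unusual-dir", line))
    if hosts_lines:
        findings.append(Finding("hosts-entries", f"{hosts_lines} O1 Hosts line(s)"))
    return findings


def hosts_file_extras(hosts_text):
    """Return (ip, name) mappings that a stock hosts file would not contain.

    These are exactly the lines a 'restore the original hosts file' step
    throws away, so listing them first shows what the restore will change.
    """
    extras = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) != STOCK_HOSTS_ENTRY:
                extras.append((ip, name))
    return extras


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
    for ip, name in hosts_file_extras(SAMPLE_HOSTS):
        print(f"non-default hosts mapping: {ip} -> {name}")
```

Run against a full log, the script narrows a few hundred O1 lines down to one count plus the handful of entries worth a closer look, which is the same shortlist the thread arrives at by hand (the nameless BHO in System32 and the srvdns.dll loaded from C:\WINDOWS\inf). Reviewing `hosts_file_extras` output before clicking "Restore Microsoft's Original Hosts File" also records what the restore removed, in case a legitimate mapping has to be put back afterwards.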
scot184
11 Sep 2006, 5:40pm
Ok, I checked all and tried to fix them, but got an error message. It said either I don't have write capabilities or that some program is preventing me from deleting these files.
I figure this is either the malware being tricky or I need to change the settings on what files I can remove in Windows.
Please advise.
Thanks again!
Trogan
11 Sep 2006, 6:03pm
Do you have Admin rights? You need to have Admin rights, in order to complete the instruction I provide.
Leave it for now, and carry on with the VundoFix.
scot184
11 Sep 2006, 6:20pm
It's my computer, so I'm assuming I have admin rights. Should I change users?
I will run Vundo.
scot184
12 Sep 2006, 2:14am
I tried to do the Vundofix, but upon hitting add files, nothing happened. Then I clicked close window and the files weren't pasted. I tried multiple times to no avail. Not sure why they won't take.
How can I get admin rights to do the other bit?
Thanks again.
Trogan
12 Sep 2006, 10:58am
You won't see the files once they have been added, and it may appear nothing is happening but it is. The instructions say "click Add Files and click Close Window. Then, click the Remove Vundo button." Follow the instructions and everything will happen automatically. :)
To check if you have Admin rights, do this:
Go Start > Control Panel
Open User Accounts
Under "or pick an account to change", you should see a list of accounts on the computer.
Look below your account, and see if it says Computer Administrator
If so, then your account has Admin rights.
scot184
12 Sep 2006, 4:08pm
I followed your directions to a T, and when I restarted my pc it seemed to update some registry stuff. I looked at the Vundofix file on my C drive and it's the same one from a few days ago that found nothing in the scan.
I tried to remove the files in HijackThis, but the program grays out and locks up, not responding. I do have admin rights, but that doesn't come up anymore. It simply doesn't respond.
Here is my latest log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:06:38 AM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: ficserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: srvdns - C:\WINDOWS\inf\srvdns.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Trogan
12 Sep 2006, 5:20pm
Scot, I gave you the wrong files to input. I don't know how I did that and I sincerely apologise. Here are the right files to input.
Double-click VundoFix.exe to run it.
Right Click inside the listbox (white box) and click Add more file?
Copy & Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\inf\srvdns.dll
C:\WINDOWS\system32\sndvrs.*
Click Add Files and click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
scot184
12 Sep 2006, 9:52pm
So the files you gave me before wouldn't have impacted my pc correct? Just want to make sure I didn't create any new problems, and what exactly happened with my registry.
Thanks again. I will try the vundofix again after work.
Trogan
12 Sep 2006, 10:18pm
Nothing would have happened by inputting the wrong files. VundoFix would not have found them, and would have told you so. I'm not sure what happened with your registry.
scot184
13 Sep 2006, 3:02am
I did as instructed but it wasn't able to delete the vundo. Then it asked to restart and boot Vundo at restart. I did that and it came up with zero infected files.
I tried to remove the O1 files from HijackThis again, but the program became non-responsive once again. I even tried removing just one single O1 file at a time, and still no luck.
What do I do from here?!!?!?!
Thanks!
scot184
13 Sep 2006, 3:03am
VundoFix V6.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.5
Java version is 1.5.0.5
Java version is 1.5.0.6
Scan started at 3:15:27 PM 9/8/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\inf\srvdns.dll
C:\WINDOWS\inf\srvdns.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.5
Java version is 1.5.0.5
Java version is 1.5.0.6
Scan started at 6:24:15 PM 9/12/2006
Listing files found while scanning....
No infected files were found.
scot184
13 Sep 2006, 5:42am
Sorry this is segmented...the computer seems a lot better now, though it's not perfect. Here is the latest hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 9:42:18 PM, on 9/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Trogan
13 Sep 2006, 5:22pm
The computer may be better now, because it looks like half of Vundo has been defeated. :)
Let's try this now:
You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Once in Safe Mode:
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
All O1 entries
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
Reboot back into Normal mode, and post a new Hijackthis log :)
scot184
13 Sep 2006, 5:27pm
I got your instructions on safe mode...but I remember trying safe mode on this pc a week and a half ago and it wouldn't display any of my icons, nor the taskbar, so I couldn't get into any programs or do anything except press ctrl+alt+del.
If I experience this again, what should I do to circumvent the problem?
Thanks.
scot184
13 Sep 2006, 5:28pm
Big game tonight...best of luck.
Trogan
13 Sep 2006, 10:46pm
Thanks! Good game, although we didn't play too well, but got the job done. :D
About Safe Mode...let me know how it goes and I'll see what I can do. It may be a Windows problem, something that may be beyond my knowledge.
scot184
13 Sep 2006, 11:03pm
Is there any way to do it in normal mode? Like showing files in my registry and manually deleting them that way without HijackThis? I'm pretty sure my safe mode won't work.
Thanks again.
Trogan
14 Sep 2006, 12:21am
Leave Safe Mode for now. Can we try VundoFix one more time, please?
Double-click VundoFix.exe to run it.
Right Click inside the listbox (white box) and click Add more file?
Copy & Paste the 2 entries below into the top 2 boxes
C:\WINDOWS\inf\srvdns.dll
C:\WINDOWS\inf\sndvrs.*
Click Add Files and click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
scot184
14 Sep 2006, 2:49am
My latest Vundo log:
VundoFix V6.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.5
Java version is 1.5.0.5
Java version is 1.5.0.6
Scan started at 3:15:27 PM 9/8/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Beginning removal...
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\inf\srvdns.dll
C:\WINDOWS\inf\srvdns.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.1.4
Checking Java version...
Java version is 1.4.2.3
Java version is 1.4.2.5
Java version is 1.5.0.5
Java version is 1.5.0.6
Scan started at 6:24:15 PM 9/12/2006
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\inf\srvdns.dll
C:\WINDOWS\inf\srvdns.dll Has been deleted!
Performing Repairs to the registry.
Done!
And HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:49:08 PM, on 9/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Colin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: uecommerce.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: trafficexplorer.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: 7.0.0.1 media.fastc
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O1 - Hosts: icserver.com
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Trogan
14 Sep 2006, 4:25pm
Let's try HijackThis again:
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
All O1 entries
O2 - BHO: MSEvents Object - {3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} - C:\WINDOWS\inf\srvdns.dll (file missing)
- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HijackThis
Reboot, and post a new HijackThis log please. :)
scot184
14 Sep 2006, 4:51pm
HijackThis froze up again. I was able to use safe mode, but HijackThis froze up just the same. I even left it for 30 min or more to see if it was just freezing up, then restabilizing.
Can't I just go to my computer, tools, show hidden files, and allow deletion of those files, then manually go in and remove them without using Hijack this?
Thanks again.
scot184
15 Sep 2006, 1:46am
What's my next move? Is there any other program to remove these silly 01 files?
Thanks!
Trogan
15 Sep 2006, 3:20pm
Do this:
Go to Start > Run > copy and paste the following and press OK
notepad C:\WINDOWS\system32\drivers\etc\hosts
Copy and paste the entire contents of Notepad here please.
Rename HijackThis.exe to HJT.exe, and post a new log.
scot184
15 Sep 2006, 11:58pm
The log is too big for notepad...what other program can I use?
I changed it to HJT.exe, but now it won't even run the entire log file.
Trogan
16 Sep 2006, 12:55am
What happens with Notepad?
Rename HijackThis back to HijackThis.exe and see if that works.
scot184
16 Sep 2006, 1:19am
Notepad isn't big enough to take on the log file. Can I use word? If so, how would I enter that into "run"?
And HijackThis is a mess...freezes up every time. I even deleted it and downloaded a new copy, but still no good. Gonna try to reboot.
scot184
16 Sep 2006, 1:41am
Notepad says the size of the log file is too large to use with notepad.
Trogan
16 Sep 2006, 10:00am
That's strange.
You can try notepad. Copy and paste this into run:
wordpad C:\WINDOWS\system32\drivers\etc\hosts
scot184
17 Sep 2006, 3:08am
I let it run for about 3 hours and it didn't say "not responding", but it wasn't allowing me to save or cut and paste. I think it was still adding host files? I don't know, but there were a ton, hundreds, if not thousands to be sure.
How else can we attack those 01 files? I'm stumped.
Thanks!
Trogan
17 Sep 2006, 12:55pm
I'm stumped too. Try Hoster again if you still have it, or redownload it.
First press Create Backup Hosts File
Then press Restore Microsoft's Original Hosts File
Hopefully, it will work.
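The hosts file is the mechanism behind all of those O1 entries: every line maps a hostname to an address, and malware that drops hundreds of mappings either sinkholes sites (pointing them at 127.0.0.1 or 0.0.0.0, which is what the "7.0.0.1 media.fastc" fragment in the log suggests) or redirects them off-box. Restoring Microsoft's original file, as Hoster does, works because a stock Windows XP hosts file carries exactly one mapping, `127.0.0.1 localhost`. The following Python script is an added example written for this thread, not a tool from the thread or from the Hoster/HijackThis authors: it parses a hosts file, separates sinkhole entries from off-box redirects, collapses the noise by domain suffix, and produces a cleaned copy that keeps only comments and the localhost line. The sample file embedded in it is constructed, and the `.example` domain names are placeholders that only resemble the thread's entries.

```python
"""Audit a Windows hosts file for hijack patterns and emit a cleaned copy.

Added example for this thread; not part of HijackThis, VundoFix or Hoster.
Point it at C:\\WINDOWS\\system32\\drivers\\etc\\hosts on a real machine.
"""
import ipaddress
from collections import Counter

# Constructed sample (placeholder names, not the thread's real hosts file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       media.fastclick.example
127.0.0.1       ads.icserver.example
127.0.0.1       www.uecommerce.example
127.0.0.1       trafficexplorer.example
0.0.0.0         banner.icserver.example
10.1.2.3        update.antivirus-vendor.example
"""

# Hostnames a stock hosts file legitimately maps to a loopback address.
ALLOWED_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (line_no, ip, hostname) tuples for every mapping in the file.

    Blank lines, comment lines and trailing comments are dropped; a line
    may list several hostnames for one address, and each becomes a tuple.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: not a usable mapping, skip it
        for name in parts[1:]:
            entries.append((line_no, str(addr), name.lower()))
    return entries


def audit_hosts(text, max_expected=5):
    """Classify each mapping and return a summary dict.

    loopback_sinkholes: names other than localhost sent to 127/8 or 0.0.0.0,
        i.e. sites the machine can no longer reach (ad-blockers do this on
        purpose; malware does it to block updates and security vendors).
    offbox_redirects: names sent to a routable address, the pharming pattern.
    oversized: True when there are far more mappings than a stock install.
    """
    entries = parse_hosts(text)
    loopback_sinkholes, offbox_redirects = [], []
    for line_no, ip, name in entries:
        addr = ipaddress.ip_address(ip)
        sinkhole = addr.is_loopback or addr.is_unspecified
        if sinkhole and name not in ALLOWED_LOOPBACK_NAMES:
            loopback_sinkholes.append((line_no, name))
        elif not sinkhole:
            offbox_redirects.append((line_no, ip, name))
    # Collapse hundreds of sinkholed names into a few suffixes (last two
    # labels) so one glance shows which domains the file is blocking.
    suffixes = Counter(".".join(n.split(".")[-2:]) for _, n in loopback_sinkholes)
    return {
        "total_mappings": len(entries),
        "loopback_sinkholes": loopback_sinkholes,
        "offbox_redirects": offbox_redirects,
        "sinkhole_suffixes": suffixes,
        "oversized": len(entries) > max_expected,
    }


def cleaned_hosts(text):
    """Return the file with only comments and the localhost mapping kept.

    This mirrors what "Restore Microsoft's Original Hosts File" achieves:
    every injected mapping is gone, nothing else is invented.
    """
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1:] == ["localhost"]:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("mappings:", report["total_mappings"], "oversized:", report["oversized"])
    print("sinkholed suffixes:", dict(report["sinkhole_suffixes"]))
    print("off-box redirects:", report["offbox_redirects"])
    print("--- cleaned file ---")
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

Back up the original before overwriting it (Hoster's "Create Backup Hosts File" step does the same), and treat an off-box redirect of a security vendor's update host as the higher-priority finding: a sinkhole only blocks a site, while a redirect hands the connection to someone else.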
scot184
17 Sep 2006, 2:45pm
I did Hoster...and here is the Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 6:44:30 AM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
scot184
17 Sep 2006, 2:45pm
Is this bad news: O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll ?
Trogan
17 Sep 2006, 3:04pm
Excellent. Could you post an Uninstall List like you did previously and then I'll check everything over.
That entry is Legit >> http://www.castlecops.com/tk68-Hdbho_dll.html
Do you know anything about HiDownload?
scot184
17 Sep 2006, 6:07pm
Hidownload sounds familiar, but I can't place it 100%. Sorry about the loss today...thanks again.
Uninstall list:
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AdsGone Popup Killer by A1Tech.com
Antares Tube VST v1.02
AOL Instant Messenger
Arturia Moog Modular V v1.2
AVG Free Edition
Business Contact Manager for Outlook 2003
Canon Digital Camera USB WIA Driver
Conexant SmartHSFi V92 56K DF PCI Modem
CutterMusic Revitar VSTi v1.1.3
Dell P1500 factory-installed files
Dell Printer Software Uninstall
Digital Line Detect
DivX
DivX Player
DivX Web Player
DVDSentry
Easy CD Creator 5 Basic
FastStone Photo Resizer 1.4
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel (R) Pro Alerting Agent
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
Ipswitch WS_FTP LE
iTunes
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Korg Legacy Collection v1.0.0.2
Learn2 Player (Uninstall Only)
Lexicon PSP 42 VST DX v1.0
Logitech Gaming Software
Macromedia Fireworks MX 2004
Macromedia Flash Player 8
M-Audio USB Quattro
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Excel Viewer 97
Microsoft Office Small Business Edition 2003
Microsoft Office XP Professional with FrontPage
Modem Helper
Mozilla Firefox (1.0.6)
Mp3 Cutter and Joiner 1.0
MSN Music Assistant
Native Instruments Absynth 2
Native Instruments FM7 Sounds Vol.1
Native Instruments Kontakt
NetWaiting
Novation Bass-Station VSTi v1.10
OhmForce OhmBoyz 1.3
Ohmforce Quad Frohmage Pro VST v1.10
PowerDVD
PQ DVD to iPod Video Converter (remove only)
PSP VintageWarmer v1.5d
PSP84 1.3
QuickTime
RealPlayer Basic
Rob Papen Albino 2
SBC Self Support Tool
SBC Yahoo! Applications
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Skype 2.0
SoulSeek Client 156c
SpinAudio RoomVerb M2 1.3
SpinAudio SpinDelay 2.0
Steinberg Cubase SX v2.0.2.31
STOIK Smart Resizer
Synapse Hydra VSTi V1.1
U.S. Robotics Wireless MAXg Adapter
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Visual IP InSight(SBC)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Trogan
17 Sep 2006, 7:19pm
Hi scot! Yeah, the loss to Arsenal wasn't nice. :(
Anyway, let's continue. Can you do the following please...
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove the following...
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
=====
Your Firefox is old. Even if you do not use it, I suggest updating it. You can do this by going to Help > Check for Updates within Firefox.
=====
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
=====
You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!
Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install Ewido by double clicking the installer.
Follow the prompts. Make sure that Launch Ewido is checked.
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Note: If the Update now option is grayed out, follow the steps below.
Click on Update on the toolbar.
Under Manual update, click on the Start Update button.
Wait until you see the Update successful message.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.
Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.
Once in Safe Mode:
Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img86.imageshack.us/img86/4586/scan1nx.jpg
When done, click the Save Scan Report button.
Click the Save Report as button.
Save the report to your Desktop.
Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
=====Reboot back into Normal Mode=====
Please do an online scan with Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
=====
Please post the following:
1) Ewido log
2) Panda Report
3) New HijackThis log
You may need several posts, otherwise the logs will get cut off.
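An added example, not part of the thread and not Trogan's own method: a small Python script that does the version comparison he made by eye on scot184's uninstall list. It assumes the baseline he named (JRE 5.0 Update 8, internally 1.5.0_08) and the two entry-name patterns Sun's installers wrote into Add/Remove Programs at the time ("J2SE Runtime Environment 5.0 Update N" and "Java 2 Runtime Environment, SE v1.4.2_NN"); any other naming is ignored rather than guessed. The sample list is a constructed subset of the one posted above.

```python
"""Flag outdated, side-by-side Java runtimes in an Add/Remove Programs list.

Added example (not from the thread). Every JRE entry older than the
baseline named in the thread (JRE 5.0 Update 8 == internal 1.5.0_08) is
reported for removal, because each leftover old runtime keeps its own
exploitable bytecode verifier on the machine.
"""
import re

# Baseline from the thread: JRE 5.0 Update 8 == internal version 1.5.0_08
BASELINE = (1, 5, 0, 8)

# "J2SE Runtime Environment 5.0 Update 6"  -> marketing version 5.0, update 6
_J2SE = re.compile(r"^J2SE Runtime Environment (\d+)\.(\d+)(?: Update (\d+))?$")
# "Java 2 Runtime Environment, SE v1.4.2_03" -> internal version 1.4.2, update 3
_JAVA2 = re.compile(r"^Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(entry):
    """Return a comparable (major, minor, micro, update) tuple, or None."""
    entry = entry.strip()
    m = _J2SE.match(entry)
    if m:
        marketing_major, marketing_minor, update = m.groups()
        # Marketing "5.0" is internal 1.5.0; "Update N" is the 1.5.0_NN suffix
        return (1, int(marketing_major), int(marketing_minor), int(update or 0))
    m = _JAVA2.match(entry)
    if m:
        major, minor, micro, update = m.groups()
        return (int(major), int(minor), int(micro), int(update or 0))
    return None  # not a JRE entry (or a naming scheme this script does not know)


def find_outdated_java(entries, baseline=BASELINE):
    """Return [(entry, version)] for every JRE entry strictly below baseline."""
    outdated = []
    for entry in entries:
        version = parse_java_version(entry)
        if version is not None and version < baseline:
            outdated.append((entry.strip(), version))
    return outdated


def format_version(version):
    """Render (1, 5, 0, 6) as the familiar '1.5.0_06' string."""
    major, minor, micro, update = version
    return f"{major}.{minor}.{micro}_{update:02d}"


# Constructed sample: a subset of the uninstall list posted earlier in the thread
SAMPLE_UNINSTALL_LIST = [
    "Ad-Aware SE Personal",
    "AVG Free Edition",
    "iTunes",
    "J2SE Runtime Environment 5.0 Update 5",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java 2 Runtime Environment, SE v1.4.2_05",
    "Viewpoint Media Player",
]

if __name__ == "__main__":
    for entry, version in find_outdated_java(SAMPLE_UNINSTALL_LIST):
        print(f"REMOVE  {entry:45s} ({format_version(version)} < {format_version(BASELINE)})")
```

Run it against a pasted uninstall list and it prints the four entries Trogan listed for removal; a fully patched machine produces no output. The point of comparing tuples rather than strings is that "5.0 Update 6" and "v1.4.2_05" are two spellings of the same internal 1.x.y_NN scheme, so both must be normalised before they can be ordered against the baseline.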
scot184
17 Sep 2006, 10:05pm
Ewido log:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:43:01 PM 9/17/2006
+ Scan result:
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
HKU\S-1-5-21-3598569149-350023035-1853644672-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} -> Adware.Virtumonde : Cleaned with backup (quarantined).
HKU\S-1-5-21-3598569149-350023035-1853644672-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3EBDDEDC-85D1-462F-B875-F013A8EA7B8D} -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-4b4e04ec-768fe660.class -> Downloader.OpenStream.y : Cleaned with backup (quarantined).
C:\WINDOWS\browser.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@e-2dj6wfkyagazsko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@e-2dj6wjk4kpd5gao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@e-2dj6wjlysndjwaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@e-2dj6wjnyegdjccq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@e-2dj6wjnyqjd5elp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@ads.euniverseads[2].txt -> TrackingCookie.Euniverseads : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Cookies\colin@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
::Report end
Panda Report:
Incident Status Location
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-e098ab1-3cd9497f.zip
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-e098ab1-3cd9497f.zip[VB.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-e098ab1-3cd9497f.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-e098ab1-3cd9497f.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7aff768e.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7aff768e.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7aff768e.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-11faa9ed-7aff768e.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-25f636d5.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-25f636d5.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-25f636d5.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1f5b6b54-25f636d5.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-56157853-68119777.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-56157853-68119777.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-56157853-68119777.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-56157853-68119777.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7766c3d7-55fc3576.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7766c3d7-55fc3576.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7766c3d7-55fc3576.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7766c3d7-55fc3576.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-6b6ab30c.zip[GetAccess.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-6b6ab30c.zip[InsecureClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-6b6ab30c.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-ab3806d-6b6ab30c.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-2d6b9ed7-7584a7b9.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-2d6b9ed7-7584a7b9.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-2d6b9ed7-7584a7b9.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-2d6b9ed7-7584a7b9.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-4d7c6d2a-42ee86b4.zip[BlackBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-4d7c6d2a-42ee86b4.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-4d7c6d2a-42ee86b4.zip[VerifierBug.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\demo.jar-4d7c6d2a-42ee86b4.zip[Dummy.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-4ceeb842-2ea8054a.zip[SandBoxEscape.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-4ceeb842-2ea8054a.zip[SuperMSClassLoader.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-4ceeb842-2ea8054a.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-4ceeb842-2ea8054a.zip[Installer.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-7bf208c8.zip[SandBoxEscape.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-7bf208c8.zip[SuperMSClassLoader.class]
Virus:Trj/ClassLoader.E Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-7bf208c8.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ie0601a.jar-523da84a-7bf208c8.zip[Installer.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-383ccec8-54de602a.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-383ccec8-54de602a.zip[Installer.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-383ccec8-54de602a.zip[NewSecurityClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jrl.jar-383ccec8-54de602a.zip[NewURLClassLoader.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-6b93d76f-4835a9f4.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-6b93d76f-4835a9f4.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-6b93d76f-4835a9f4.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv281.jar-6b93d76f-4835a9f4.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188d-5efa2396.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188d-5efa2396.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188d-5efa2396.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b188d-5efa2396.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-7d64798d.zip[Counter.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-7d64798d.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-7d64798d.zip[Matrix.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv74.jar-170b189c-7d64798d.zip[Parser.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[Beyond.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[Dummy.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[NudeBox.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[Worker.class]
Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[VerifierBug.class]
Virus:Trj/Multidropper.NE Disinfected C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-31e1dafc.zip[javautil.zip]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Colin\Cookies\colin@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Colin\Cookies\colin@ccbill[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Colin\Cookies\colin@entrepreneur[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@adultfriendfinder[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@c3.gostats[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cgi-bin[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cgi-bin[4].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@go[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@image.checkmystats.com[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@rightmedia[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@uol.com[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@winfixer[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@xiti[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\st.exe
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 2:05:20 PM, on 9/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdsGone\adsgone.exe
C:\Program Files\M-Audio USB Quattro\QuatTask.exe
C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.idoc.wellpoint.com/registration
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\SYSTEM32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program Files\M-Audio USB Quattro\QuatTask.exe
O4 - Global Startup: AdsGone 2004.lnk = C:\Program Files\AdsGone\adsgone.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156643306823
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program Files\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Trogan
18 Sep 2006, 4:39am
Hi Scot! Can you do the following please...
Go to Start > Control Panel > double-click Java
Under the General tab, click Delete Files...
Check the THREE boxes, and press OK
Press OK again to exit the Java Control Panel.
Please scan again with Panda and post its report back here.
scot184
19 Sep 2006, 3:01am
Did the Java bit... here is the scan:
Incident Status Location
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Colin\Application Data\Mozilla\Firefox\Profiles\legqmchw.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Colin\Cookies\colin@247realmedia[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Colin\Cookies\colin@atdmt[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Colin\Cookies\colin@atwola[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Colin\Cookies\colin@ccbill[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Colin\Cookies\colin@counter5.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Colin\Cookies\colin@cs.sexcounter[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Colin\Cookies\colin@doubleclick[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Colin\Cookies\colin@entrepreneur[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Colin\Cookies\colin@paycounter[1].txt
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Colin\Cookies\colin@sexlist[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Colin\Cookies\colin@sextracker[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Colin\Cookies\colin@zedo[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@adultfriendfinder[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@belnk[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@c3.gostats[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cgi-bin[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@cgi-bin[4].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@go[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@image.checkmystats.com[2].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@rightmedia[2].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@target[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@toplist[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@uol.com[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@winfixer[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\Cookies\colin@xiti[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Colin\Local Settings\Temp\st.exe
Trogan
19 Sep 2006, 5:00am
That looks better. ATF Cleaner should remove those Temp Files, but they are harmless.
Everything seems clean now. How are things?
scot184
19 Sep 2006, 6:35pm
What do I remove in ATF? I just want to make sure I get the right stuff.
Is there a "temp files" removal option?
Also, what can I do to improve the CPU performance. Should I defrag?
And thank you so so so much for all your time and help. I really appreciate it. Do you have a donation link or anything? I feel I owe you something.
Thanks again,
Colin
Trogan
19 Sep 2006, 7:13pm
Hi,
What do I remove in ATF? I just want to make sure I get the right stuff.
Use ATF Cleaner like you did before. Look at post #43 for a reminder. :)
Also, what can I do to improve the CPU performance. Should I defrag?
A defrag should help. If it doesn't, let me know.
And thank you so so so much for all your time and help. I really appreciate it. Do you have a donation link or anything. I feel I owe you something.
That's very kind, although there is no need to donate. But it would be great if you would consider joining the Folding@Home project (http://www.joinfolding.com/). More info in the Forum here (http://short-media.com/forum/forumdisplay.php?f=14). ...consider this a donation. :) Have a look around the Forums too. I'm sure you'll like it, especially the Pub. :D
Let me know how things go. :)