
z1adserver

Help me please, I can't get rid of pop-ups from z1adserver. They should be hung.

Comments

  • edited February 2006
    Not really sure how to do this, but I am trying to send you an attachment of a HijackThis log. I also really don't know how you will let me know: by email, posted on this site, or what. But I'll try again because this pop-up is insane. PLEASE HELP

    Logfile of HijackThis v1.99.1
    Scan saved at 8:16:30 AM, on 2/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Common Files\AOL\1127669093\ee\AOLSoftware.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\TPPALDR.EXE
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    c:\program files\common files\aol\1127669093\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
    c:\program files\common files\aol\1127669093\ee\aolsoftware.exe
    C:\Program Files\rrhc\hseh.exe
    C:\WINDOWS\system32\??mbols\taskmgr.exe
    C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R3 - URLSearchHook: (no name) - {887F6544-AF8F-A750-D5EB-A50FA99D41E1} - C:\WINDOWS\system32\vajkrd.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127669093\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
    O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 76604902
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Ltpe] "C:\Program Files\rrhc\hseh.exe" -vt mt
    O4 - HKCU\..\Run: [Yzyadn] C:\WINDOWS\system32\??mbols\taskmgr.exe
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
    O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\Common Files\AolCoach\en_en\player\plugin\ToolBar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\Common Files\AolCoach\en_en\player\plugin\ToolBar.dll
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/en...ach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124cae9e...p/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120322869089
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/Visi.../TLIEFlash.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/be...ploader_v7.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E72D673D-B1BE-4DF4-BE5B-BE81552C2D2E}: NameServer = 205.188.146.145
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winziv32 - C:\WINDOWS\SYSTEM32\winziv32.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
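    Several entries in the log above can be flagged from their shape alone, before any scanner runs: an unnamed URLSearchHook pointing at a DLL in system32 (R3), a Run key that launches RUNDLL32 on a DLL given without a path, a Run key whose path contains characters HijackThis could not render (the `??mbols` directory), an executable started by bare name (`p2pnetwork.exe`), a non-standard Winlogon Notify DLL (O20), and a DNS override (O17). The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool named here. It applies those structural checks to lines copied from the log. The Winlogon Notify allowlist and the severity labels are assumptions made for the example.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)

# Sample input: lines copied from the HijackThis log posted above, plus two
# benign entries from the same log (Acrobat BHO, ccApp) for contrast.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {887F6544-AF8F-A750-D5EB-A50FA99D41E1} - C:\WINDOWS\system32\vajkrd.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [0sis0ijw.dll] RUNDLL32.EXE 0sis0ijw.dll,b 76604902
O4 - HKCU\..\Run: [Ltpe] "C:\Program Files\rrhc\hseh.exe" -vt mt
O4 - HKCU\..\Run: [Yzyadn] C:\WINDOWS\system32\??mbols\taskmgr.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E72D673D-B1BE-4DF4-BE5B-BE81552C2D2E}: NameServer = 205.188.146.145
O20 - Winlogon Notify: winziv32 - C:\WINDOWS\SYSTEM32\winziv32.dll
"""

# Winlogon Notify packages that ship with Windows XP. This allowlist is an
# assumption made for the example (not from the thread); extend it as needed.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
_SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def _split_command(cmd: str) -> Tuple[str, str]:
    """Return (executable, arguments) for a Run-key command, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, rest = cmd.partition(" ")
    return exe, rest


def _check_run(line: str, m: "re.Match[str]") -> List[Finding]:
    """Structural checks on one O4 (Run key) entry."""
    out: List[Finding] = []
    exe, args = _split_command(m.group("cmd"))
    if "?" in exe or any(ord(c) > 127 for c in exe):
        # '?' is not a legal path character: HijackThis printed it for bytes
        # it could not render, i.e. a directory name chosen to hide.
        out.append(("HIGH", "path contains characters HijackThis could not render", line))
    if exe.lower().endswith("rundll32.exe"):
        dll = args.split(",", 1)[0].strip()
        if "\\" not in dll:
            out.append(("HIGH", f"rundll32 loads '{dll}' by bare name (no path)", line))
    elif "\\" not in exe:
        out.append(("MEDIUM", "bare filename resolved via PATH, not a full path", line))
    if re.search(r"\\(temp|local settings)\\", exe, re.IGNORECASE):
        out.append(("MEDIUM", "auto-run from a temp or profile directory", line))
    return out


def triage(log_text: str) -> List[Finding]:
    """Apply the structural checks to every line and return findings, worst first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _O4.match(line)) is not None:
            findings.extend(_check_run(line, m))
        elif (m := _O20.match(line)) is not None:
            if m.group("key").lower() not in KNOWN_NOTIFY:
                findings.append(("HIGH", "non-standard Winlogon Notify DLL (loads into winlogon.exe)", line))
        elif line.startswith("R3 - URLSearchHook:") and "(no name)" in line:
            findings.append(("HIGH", "unnamed URLSearchHook (hijacks address-bar searches)", line))
        elif line.startswith("O2 - BHO:") and "(no name)" in line:
            findings.append(("MEDIUM", "unnamed BHO; verify the CLSID before removing", line))
        elif line.startswith("O17 -"):
            findings.append(("INFO", "DNS server override; confirm the address belongs to the ISP", line))
        elif "(no file)" in line or "(file missing)" in line:
            findings.append(("LOW", "orphaned entry pointing at a missing file", line))
    findings.sort(key=lambda f: _SEVERITY_ORDER[f[0]])  # stable: keeps log order within a level
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

    Two caveats worth keeping in mind. The bare-filename rule will also flag legitimate entries such as `sm56hlpr.exe` from the same log, so it is a prompt to look, not a verdict. And an entry like `[Ltpe] "C:\Program Files\rrhc\hseh.exe"` passes every structural check even though the Panda and Kaspersky scans later in this thread identify that file as PurityScan; shape-based triage narrows the list, and signature scans are still needed for the rest.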
  • skywalker45 (Bloomington, IN, USA)
    edited February 2006
    Here you are ribofdust. I posted it for you. I'll take a look at it and get back with you. I've also merged your threads so that you only have one active thread now. Be sure to post in this thread and not start another one.
  • edited February 2006
    Are you going to get back to me by email? I see where 2 people have replied to my post but can't find their replies. Am I just ignorant or what?
  • Leonardo (Wake up and smell the glaciers) Eagle River, Alaska, Icrontian
    edited February 2006
    We provide assistance on the pages where users are requesting help. That way, others can learn from it. None of the "replies" are missing. They are right here in the thread. Be patient, and Skywalker will be with you. Sorry, but we've got a world of people to help, and only so many volunteers to do the helping.
  • skywalker45 (Bloomington, IN, USA)
    edited February 2006
    OK ribofdust. You might want to print these instructions since you won't have access to the internet for part of the fix. You've got quite a lot going on. The first thing I want you to do is download Ewido Anti-Malware from my signature below. Install the program and update it, but don't run it yet.

    Next I would like you to perform 2 online virus scans. You can do the Panda ActiveScan and the Kaspersky online scan. Both have links in my signature below. In both cases allow the scans to delete whatever they find. I'm not certain about the Kaspersky scan, but the Panda scan will generate a log. Please save it. If the Kaspersky scan allows you to save a log, please save it too.

    Next please restart your PC in safe mode, explained here.

    Run a full scan using Ewido in safe mode. Allow the program to delete whatever it finds. Save the Ewido scan log.

    Reboot the PC in normal mode. Post another HijackThis log along with the logs from Ewido, Panda, and Kaspersky (if there is one).
  • edited February 2006
    Well, here's what I got for you. Hope it helps, because I still get pop-ups, just not as many.


    Panda Scan:


    Incident Status Location

    Adware:Adware/PurityScan Not disinfected C:\PROGRAM FILES\RRHC\HSEH.EXE
    Adware:Adware/PurityScan Not disinfected C:\Program Files\rrhc\hseh.exe
    Adware:adware/purityscan Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Local Settings\Temp\!update.exe
    Adware:adware/cashdeluxe Not disinfected C:\WINDOWS\SYSTEM32\shell386.exe
    Adware:adware/cws.loadadv Not disinfected C:\WINDOWS\loadadv728.exe
    Adware:adware/secure32 Not disinfected C:\WINDOWS\secure32.html
    Adware:adware/cws.searchmeup Not disinfected C:\WINDOWS\uniq
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@2o7[2].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@888[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@ad.yieldmanager[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@adopt.hbmediapro[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@advertising[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@as1.falkag[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@atdmt[1].txt
    Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@bfast[2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@cassava[1].txt
    Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@centrport[1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@clickbank[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@doubleclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@hitbox[2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@maxserving[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@mediaplex[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@realmedia[1].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@revenue[1].txt
    Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@targetnet[2].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@trafficmp[1].txt
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@valueclick[2].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@z1.adserver[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@zedo[1].txt
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Reynold Vanlerberghe\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv451.jar-1e1ecc95-7d4607c9.zip[Matrix.class]
    Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@2o7[2].txt
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@888[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@ad.yieldmanager[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@adopt.hbmediapro[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@advertising[1].txt
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@as1.falkag[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@atdmt[1].txt
    Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@bfast[2].txt
    Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@cassava[1].txt
    Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@centrport[1].txt
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@clickbank[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@doubleclick[2].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@hitbox[2].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@maxserving[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@mediaplex[2].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@realmedia[1].txt
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@revenue[1].txt
    Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@targetnet[2].txt
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@trafficmp[1].txt
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@valueclick[2].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@z1.adserver[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@zedo[1].txt
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Reynold Vanlerberghe\Local Settings\Temp\!update.exe
    Adware:Adware/PurityScan Not disinfected C:\Program Files\rrhc\hseh.exe
    Virus:Trj/Downloader.HKM Disinfected C:\WINDOWS\loadadv728.exe


    Kaspersky log:

    KASPERSKY ON-LINE SCANNER REPORT
    Wednesday, February 08, 2006 11:27:05 AM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 8/02/2006
    Kaspersky Anti-Virus database records: 164907

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 151516
    Number of viruses found: 14
    Number of infected objects: 27
    Number of suspicious objects: 0
    Duration of the scan process: 03:43:17

    Infected Object Name / Virus Name / Last Action
    C:\Program Files\rrhc\hseh.exe Infected: Trojan-Downloader.Win32.PurityScan.br skipped
    C:\RECYCLER\NPROTECT\00195357.EXE Infected: Trojan-Downloader.Win32.Harnig.bb skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP351\A0076070.EXE Infected: Trojan-Clicker.Win32.Delf.dm skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP373\A0082419.EXE Infected: Trojan-Clicker.Win32.Delf.dm skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP376\A0082846.exe/stream/data0001 Infected: Trojan.Win32.Pakes skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP376\A0082846.exe/stream Infected: Trojan.Win32.Pakes skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP376\A0082846.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP425\A0098917.exe Infected: not-virus:Hoax.Win32.Renos.az skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098923.exe Infected: not-virus:Hoax.Win32.Renos.az skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098928.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098929.exe Infected: Trojan-Downloader.Win32.Small.cam skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098930.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098937.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098937.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098937.exe CryptFF: infected - 1 skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098938.exe Infected: Trojan-Spy.Win32.Small.dg skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098939.exe Infected: Trojan-Spy.Win32.Small.dg skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098940.exe Infected: Trojan-Spy.Win32.Small.dg skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098941.exe Infected: Trojan-Spy.Win32.Small.dg skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP426\A0098942.exe Infected: Trojan-Spy.Win32.Small.dg skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP472\A0107344.dll Infected: Trojan.Win32.Agent.og skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP473\A0107723.exe Infected: Trojan-Downloader.Win32.Adload.j skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP473\A0107731.dll Infected: Trojan.Win32.Agent.og skipped
    C:\System Volume Information\_restore{91A40427-3929-4495-BA6C-C5F75EE42629}\RP473\A0107732.exe Infected: Trojan.Win32.StartPage.adi skipped
    C:\WINDOWS\loader138.exe Infected: Trojan-Downloader.Win32.VB.vs skipped
    C:\WINDOWS\system32\shell386.exe Infected: Trojan-Downloader.Win32.VB.ur skipped
    C:\WINDOWS\system32\__delete_on_reboot__winziv32.dll Infected: Trojan.Win32.Agent.og skipped

    Scan process completed.


    Ewido log:

    ewido anti-malware - Scan report

    + Created on: 6:25:07 PM, 2/8/2006
    + Report-Checksum: C5C754DD

    + Scan result:

    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Reynold Vanlerberghe\Cookies\reynold vanlerberghe@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\820FB02A-9146-4366-BA3A-0CC9F8\76B4E738-7B7E-48DF-A768-308E09 -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\loader138.exe -> Downloader.VB.vs : Cleaned with backup
    C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
    C:\WINDOWS\system32\shell386.exe -> Downloader.VB.ur : Cleaned with backup
    C:\WINDOWS\system32\vajkrd.dll -> Adware.PurityScan : Cleaned with backup
    C:\WINDOWS\temp.000.exe -> Adware.CashDeluxe : Cleaned with backup


    ::Report End
  • skywalker45 Bloomington, IN. USA
    edited February 2006
    Hey ribofdust. You need to post another Hijack This log. This time could you please just copy and paste the entire contents of the log into your reply instead of attaching the file? It's OK if you can't but it's much easier for us if we don't have to unzip your logs. :)
  • edited February 2006
    I couldn't find any of those you wanted me to check and here's the most recent HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:56:14 AM, on 2/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Common Files\AOL\1127669093\ee\AOLSoftware.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Movielink\MovielinkManager\Movielink User.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINDOWS\TPPALDR.EXE
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
    C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    C:\Program Files\rrhc\hseh.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    c:\program files\common files\aol\1127669093\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
    c:\program files\common files\aol\1127669093\ee\aolsoftware.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\UAService7.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\HyCam2\HyCam2.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\Program Files\Common Files\Aol\aoltpspd.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Hijack this\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127669093\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [LoadMSvcmm] "C:\Program Files\Movielink\MovielinkManager\Movielink User.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [Yzyadn] C:\WINDOWS\system32\??mbols\taskmgr.exe
    O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
    O4 - HKCU\..\Run: [Ltpe] "C:\Program Files\rrhc\hseh.exe" -vt mt
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\Common Files\AolCoach\en_en\player\plugin\ToolBar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\Common Files\AolCoach\en_en\player\plugin\ToolBar.dll
    O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra 'Tools' menuitem: PC Confidential - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: PC Confidential - {925DAB62-F9AC-4221-806A-057BFB1014AA} - "C:\Program Files\Winferno\PC Confidential\PCConfidential.exe" (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/124cae9e2a799bc53b02/netzip/RdxIE601.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120322869089
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E72D673D-B1BE-4DF4-BE5B-BE81552C2D2E}: NameServer = 205.188.146.145
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winziv32 - winziv32.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Movielink Core Service - Movielink LLC - C:\PROGRA~1\MOVIEL~1\MOVIEL~1\MOVIEL~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • skywalker45 Bloomington, IN. USA
    edited February 2006
    Hey ribodust. You had the post above in someone else's thread. Good thing I was poking around cause another one of our moderators had deleted it. I got it back and posted it here. Please make sure to post in the correct thread. Your log shows some signs of the Vundo infection but we need to deal with something else first.

    Please go here and run the purity scan uninstaller. Post another Hijack This log when finished and please try to remember to copy and paste the log from notepad. It takes much longer to get back with you when we have to unzip the attachment. If you are having a problem doing this let me know and I can help you.
    :)
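The entries the helper is pointing at in the log above (an autorun under a directory shown as `??mbols`, Run values that name a bare executable with no path, a short random-looking `rrhc\hseh.exe` under Program Files, and a Winlogon Notify DLL that is already missing) are exactly the kinds of lines a reviewer scans for first. The following is an added example, not part of this thread and not HijackThis functionality: a small Python triage helper that applies those checks to O4 and O20 lines and reports why each flagged line deserves a closer look. The sample log is assembled from lines that appear in the post above; the function names and the heuristics themselves are my own choices, and the heuristics will also flag some legitimate entries (the modem helper `sm56hlpr.exe` here), so the output is a reading aid, not a verdict.

```python
import re
from typing import List, Tuple

# Added example: triage heuristics for HijackThis O4 (Run key) and O20 (Winlogon Notify)
# lines. This is not a HijackThis feature; it only flags lines for a human to inspect.

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
PROGRAM_FILES = re.compile(r"^[A-Za-z]:\\Program Files\\(?P<rest>.+)$", re.IGNORECASE)

# Sample input, constructed from lines of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKCU\..\Run: [Yzyadn] C:\WINDOWS\system32\??mbols\taskmgr.exe
O4 - HKCU\..\Run: [p2pnetwork] p2pnetwork.exe
O4 - HKCU\..\Run: [Ltpe] "C:\Program Files\rrhc\hseh.exe" -vt mt
O20 - Winlogon Notify: winziv32 - winziv32.dll (file missing)
"""


def extract_path(cmd: str) -> str:
    """Pull the executable path out of a Run value: honour quotes, drop trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces; take everything up to the first executable
    # extension that is followed by whitespace or end of line.
    m = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_autogenerated(path: str) -> bool:
    """Program Files\<xxxx>\<yyyy>.exe where every component is a short lowercase blob."""
    m = PROGRAM_FILES.match(path)
    if not m:
        return False
    parts = m.group("rest").split("\\")
    parts[-1] = parts[-1].rsplit(".", 1)[0]  # strip the extension from the file name
    return all(re.fullmatch(r"[a-z]{2,5}", p) for p in parts)


def triage_line(line: str) -> List[str]:
    """Return the reasons a line deserves a closer look; an empty list means nothing flagged."""
    reasons: List[str] = []
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        path = extract_path(m.group("cmd"))
        if "(file missing)" in line:
            reasons.append("autorun target is missing")
        if "?" in path:
            # HijackThis renders characters outside the ANSI code page as '?', so a
            # directory shown as '??mbols' was named with non-ASCII characters.
            reasons.append("non-ASCII characters in path (rendered as '?')")
        if "\\" not in path:
            reasons.append("bare executable name, no directory (resolved via PATH)")
        if looks_autogenerated(path):
            reasons.append("short random-looking folder and file name under Program Files")
        return reasons
    m = O20_RE.match(line)
    if m:
        if "(file missing)" in m.group("dll"):
            reasons.append("Winlogon Notify DLL missing (leftover registration)")
        elif "\\" not in m.group("dll"):
            reasons.append("Winlogon Notify DLL given without a path")
        return reasons
    return reasons


def triage_log(log: str) -> List[Tuple[str, List[str]]]:
    """Run triage over a whole log and return only the flagged lines with their reasons."""
    flagged = []
    for line in log.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged.append((line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run it as a script to print the flagged lines with their reasons; on the sample above it flags the `SMSERIAL`, `Yzyadn`, `p2pnetwork`, `Ltpe` and `winziv32` entries and leaves the Symantec and Microsoft Works entries alone. The checks are deliberately conservative: they say nothing about whether a path is malicious, only that it has a shape worth verifying against the disk and a known-good baseline.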