Another Zlob.FC infection

Looks like I wasnt carefuel enough! :sad2:

Computer is running about 50% slower, AVG keeps popping up with random *.dll files being infected with Downloader.Zlob.FC.

AVG systems scans yield no result, nor does Ad-Aware.

HJT Log was obtained by following the Sticky in this section of the forum.
Panda ActiveScan Log

Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected
C:\Documents and Settings\EricRobertson\Desktop\backups\backup-20070225-014757-457.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\ProgramFiles\MyWaySA\SrchAsDe\deSrcAs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32opnkkhf.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32tuvvttu.dll
Logfile of HijackThis v1.99.1
Scan saved at 10:18:09 AM, on 25/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric Robertson\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

I notice Panda ActiveScan found soem more infected *.dll.

I'm a total n00b to this stuff, but am fantastic at following instructions. Gentleman, any help is greatly appreciated!

Comments

  • zamizami Finland
    edited February 2007
    Hi There!
    I am currently working on your log.
    I will get back to you as soon as possible.
    ~zami~
  • edited February 2007
    Greatly appreciated! :cheer:
  • zamizami Finland
    edited February 2007
    Hi there and welcome to the forums.

    Please put your HijackThis in it's own folder, (I create a new folder in C:\ named HJT).
    You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.

    Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.

    The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.

    **************************************

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    **************************************

    In your next reply, please include the following logs: a Fresh HijackThis and VundoFix report. Thanks.
  • edited February 2007
    Thanks for the help.

    I should have mentioned I already ran VundoFix. No Vundo found;

    VundoFix V6.3.9
    Checking Java version...
    Java version is 1.4.2.3
    Java version is 1.5.0.3
    Java version is 1.5.0.6
    Java version is 1.5.0.9
    Scan started at 2:38:58 AM 26/02/2007
    Listing files found while scanning....
    No infected files were found.

    Beginning removal...




    Fresh HJT log, after using ATF-Cleaner. HJT is now on its own in C:\HJT as suggested.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:44:35 AM, on 26/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\PROGRA~1\DELLSU~1\DSAgnt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\HJT\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
  • edited February 2007
    Update... Problem progressively worsening, AVG pop-ups with infected *.dll files becoming more frequent. Pop-ups have become frequent.

    AVG indicates I have also contracted a chronic case of Trojan Horses Collected.11.B and Generic3.AWS


    Re-ran VundoFix

    VundoFix V6.3.9

    Checking Java version...

    Java version is 1.4.2.3

    Java version is 1.5.0.3

    Java version is 1.5.0.6

    Java version is 1.5.0.9

    Scan started at 11:30:18 AM 28/02/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\cwgrxfbr.ini
    C:\WINDOWS\system32\geebx.dll
    C:\WINDOWS\system32\hjqjtcbu.exe
    C:\WINDOWS\system32\rbfxrgwc.dll
    C:\WINDOWS\system32\vtstr.dll
    C:\WINDOWS\system32\xbeeg.bak1
    C:\WINDOWS\system32\xbeeg.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\cwgrxfbr.ini
    C:\WINDOWS\system32\cwgrxfbr.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\geebx.dll
    C:\WINDOWS\system32\geebx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hjqjtcbu.exe
    C:\WINDOWS\system32\hjqjtcbu.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\rbfxrgwc.dll
    C:\WINDOWS\system32\rbfxrgwc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
    C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xbeeg.ini
    C:\WINDOWS\system32\xbeeg.ini Has been deleted!

    Performing Repairs to the registry.
    Done!


    And grabbed a fresh HJT log;

    Logfile of HijackThis v1.99.1
    Scan saved at 11:40:57 AM, on 28/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\PROGRA~1\DELLSU~1\DSAgnt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
    O2 - BHO: (no name) - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
    O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
    O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe


    Thanks in advance for any assistance.
  • zamizami Finland
    edited February 2007
    Hi.

    You probably have a new variant of Vundo-infection, so lets upload it to the programmers, that they can add it to the database.

    1. Go to http://www.uploadmalware.com/

    2. Write the wanted information ( username etc. )

    3. To Topic Where File Was Requested-part, put this: http://www.short-media.com/forum/showthread.php?t=54743

    4. Upload the file by clicking the Browse and finding C:\WINDOWS\SYSTEM32\tuvvttu.dll and clicking it.

    5. The file should appear to the box

    6. To Comments Or Further Info-part type: New variant of Vundo?

    7. Click Send File(s)

    ****************************

    Get VirtumundoBegone
    from here
    and save it to your desktop.

    Then:

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.

    In safe mode run VirtumundoBeGone.exe by following the instructions.

    ****************************

    In your next reply, please include the following logs: a Fresh HijackThis and VirtumundoBeGone report. Thanks.
  • edited February 2007
    tuvvttu.dll uploaded to http://www.uploadmalware.com/ as requested.

    d/l'd VirtumundoBeGone.exe

    Shutdown for 30sec, Rebooted in safe mode, ran VirumundoBeGone.exe

    Shutdown for 30sec, rebooted normal, ran HJT


    VirtumundoBeGone Report

    [02/28/2007, 12:50:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Eric Robertson\Desktop\Security\VirtumundoBeGone.exe" )
    [02/28/2007, 12:50:49] - Detected System Information:
    [02/28/2007, 12:50:49] - Windows Version: 5.1.2600, Service Pack 2
    [02/28/2007, 12:50:49] - Current Username: Eric Robertson (Admin)
    [02/28/2007, 12:50:49] - Windows is in SAFE mode with Networking.
    [02/28/2007, 12:50:49] - Searching for Browser Helper Objects:
    [02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\mllmj
    [02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\mllmj - This is probably Virtumundo.
    [02/28/2007, 12:50:49] - Assigning {79565386-3161-498B-B54D-C963B1E65172} MSEvents Object
    [02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
    [02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\vtstr
    [02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\vtstr - This is probably Virtumundo.
    [02/28/2007, 12:50:49] - Assigning {A1DC79C1-EA16-45A7-960F-972706899B2A} MSEvents Object
    [02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
    [02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - BHO 6: {C47A9554-195A-4769-9B13-04F15B450A39} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\tuvvttu
    [02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\tuvvttu - This is probably Virtumundo.
    [02/28/2007, 12:50:49] - Assigning {C47A9554-195A-4769-9B13-04F15B450A39} MSEvents Object
    [02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
    [02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - BHO 6: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
    [02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:49] - Finished Searching Browser Helper Objects
    [02/28/2007, 12:50:49] - *** Detected MSEvents Object
    [02/28/2007, 12:50:49] - Trying to remove MSEvents Object...
    [02/28/2007, 12:50:50] - Terminating Process: IEXPLORE.EXE
    [02/28/2007, 12:50:50] - Terminating Process: RUNDLL32.EXE
    [02/28/2007, 12:50:50] - Disabling Automatic Shell Restart
    [02/28/2007, 12:50:50] - Terminating Process: EXPLORER.EXE
    [02/28/2007, 12:50:51] - Suspending the NT Session Manager System Service
    [02/28/2007, 12:50:51] - Terminating Windows NT Logon/Logoff Manager
    [02/28/2007, 12:50:51] - Re-enabling Automatic Shell Restart
    [02/28/2007, 12:50:51] - File to disable: C:\WINDOWS\system32\mllmj.dll
    [02/28/2007, 12:50:51] - Renaming C:\WINDOWS\system32\mllmj.dll -> C:\WINDOWS\system32\mllmj.dll.vir
    [02/28/2007, 12:50:51] - File successfully renamed!
    [02/28/2007, 12:50:51] - Removing HKLM\...\Browser Helper Objects\{79565386-3161-498B-B54D-C963B1E65172}
    [02/28/2007, 12:50:51] - Removing HKCR\CLSID\{79565386-3161-498B-B54D-C963B1E65172}
    [02/28/2007, 12:50:51] - Adding Kill Bit for ActiveX for GUID: {79565386-3161-498B-B54D-C963B1E65172}
    [02/28/2007, 12:50:51] - Deleting ATLEvents/MSEvents Registry entries
    [02/28/2007, 12:50:51] - Removing HKLM\...\Winlogon\Notify\mllmj
    [02/28/2007, 12:50:51] - Searching for Browser Helper Objects:
    [02/28/2007, 12:50:51] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:51] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:51] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:51] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:51] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:51] - BHO 4: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
    [02/28/2007, 12:50:51] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:51] - BHO 5: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
    [02/28/2007, 12:50:51] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:51] - Finished Searching Browser Helper Objects
    [02/28/2007, 12:50:51] - *** Detected MSEvents Object
    [02/28/2007, 12:50:51] - Trying to remove MSEvents Object...
    [02/28/2007, 12:50:52] - Terminating Process: IEXPLORE.EXE
    [02/28/2007, 12:50:52] - Terminating Process: RUNDLL32.EXE
    [02/28/2007, 12:50:52] - Disabling Automatic Shell Restart
    [02/28/2007, 12:50:52] - Terminating Process: EXPLORER.EXE
    [02/28/2007, 12:50:53] - Suspending the NT Session Manager System Service
    [02/28/2007, 12:50:53] - Terminating Windows NT Logon/Logoff Manager
    [02/28/2007, 12:50:53] - Re-enabling Automatic Shell Restart
    [02/28/2007, 12:50:53] - File to disable: C:\WINDOWS\system32\vtstr.dll
    [02/28/2007, 12:50:53] - Removing HKLM\...\Browser Helper Objects\{A1DC79C1-EA16-45A7-960F-972706899B2A}
    [02/28/2007, 12:50:53] - Removing HKCR\CLSID\{A1DC79C1-EA16-45A7-960F-972706899B2A}
    [02/28/2007, 12:50:53] - Adding Kill Bit for ActiveX for GUID: {A1DC79C1-EA16-45A7-960F-972706899B2A}
    [02/28/2007, 12:50:53] - Deleting ATLEvents/MSEvents Registry entries
    [02/28/2007, 12:50:53] - Removing HKLM\...\Winlogon\Notify\vtstr
    [02/28/2007, 12:50:53] - Searching for Browser Helper Objects:
    [02/28/2007, 12:50:53] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:53] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:53] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:53] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:53] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:53] - BHO 4: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
    [02/28/2007, 12:50:53] - ALERT: Found MSEvents Object!
    [02/28/2007, 12:50:53] - Finished Searching Browser Helper Objects
    [02/28/2007, 12:50:53] - *** Detected MSEvents Object
    [02/28/2007, 12:50:53] - Trying to remove MSEvents Object...
    [02/28/2007, 12:50:54] - Terminating Process: IEXPLORE.EXE
    [02/28/2007, 12:50:54] - Terminating Process: RUNDLL32.EXE
    [02/28/2007, 12:50:54] - Disabling Automatic Shell Restart
    [02/28/2007, 12:50:54] - Terminating Process: EXPLORER.EXE
    [02/28/2007, 12:50:54] - Suspending the NT Session Manager System Service
    [02/28/2007, 12:50:54] - Terminating Windows NT Logon/Logoff Manager
    [02/28/2007, 12:50:54] - Re-enabling Automatic Shell Restart
    [02/28/2007, 12:50:54] - File to disable: C:\WINDOWS\system32\tuvvttu.dll
    [02/28/2007, 12:50:54] - Renaming C:\WINDOWS\system32\tuvvttu.dll -> C:\WINDOWS\system32\tuvvttu.dll.vir
    [02/28/2007, 12:50:54] - File successfully renamed!
    [02/28/2007, 12:50:54] - Removing HKLM\...\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39}
    [02/28/2007, 12:50:54] - Removing HKCR\CLSID\{C47A9554-195A-4769-9B13-04F15B450A39}
    [02/28/2007, 12:50:54] - Adding Kill Bit for ActiveX for GUID: {C47A9554-195A-4769-9B13-04F15B450A39}
    [02/28/2007, 12:50:54] - Deleting ATLEvents/MSEvents Registry entries
    [02/28/2007, 12:50:54] - Removing HKLM\...\Winlogon\Notify\tuvvttu
    [02/28/2007, 12:50:54] - Searching for Browser Helper Objects:
    [02/28/2007, 12:50:54] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
    [02/28/2007, 12:50:54] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [02/28/2007, 12:50:54] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
    [02/28/2007, 12:50:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/28/2007, 12:50:54] - Checking for HKLM\...\Winlogon\Notify\geebx
    [02/28/2007, 12:50:54] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
    [02/28/2007, 12:50:54] - Finished Searching Browser Helper Objects
    [02/28/2007, 12:50:54] - Finishing up...
    [02/28/2007, 12:50:54] - A restart is needed.
    [02/28/2007, 12:50:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
    [02/28/2007, 12:51:15] - Attempting to Restart via STOP error (Blue Screen!)

    Fresh HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:27 PM, on 28/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
    C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\PROGRA~1\DELLSU~1\DSAgnt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: MSEvents Object - {79565386-3161-498B-B54D-C963B1E65172} - C:\WINDOWS\system32\mllmj.dll (file missing)
    O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
    O2 - BHO: MSEvents Object - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
    O2 - BHO: MSEvents Object - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll (file missing)
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ojioumun.dll",setvm
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
    O20 - Winlogon Notify: tuvvttu - tuvvttu.dll (file missing)
    O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe




  • edited February 2007
    I just took a few minutes to re-read all this. I'm not the sharpest knife in the drawer when it comes to computers, but it looks to me like the Virtumundobegone.exe did some good work, judging by the missing bad files in the HJT log?
    I'm learning...i think...:coffee:
  • zamizami Finland
    edited March 2007
    Hi. Yes, you are right, Virtumundobegone did the job and removed tuvvttu.dll :thumbup

    ****************************

    With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
    Click in the check-box to the left of each of the following entries, if found:
    Select Fix Checked

    O2 - BHO: MSEvents Object - {79565386-3161-498B-B54D-C963B1E65172} - C:\WINDOWS\system32\mllmj.dll (file missing)
    O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
    O2 - BHO: MSEvents Object - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
    O2 - BHO: MSEvents Object - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll (file missing)
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
    O20 - Winlogon Notify: tuvvttu - tuvvttu.dll (file missing)
    O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)

    ****************************

    Lets run AVG:AS to make sure your computer is clean:

    Please follow the instructions provided, you may want to print out these instructions and use them as a reference:
    AVG Anti-Spyware only works on Windows 2000 and Windows XP (32-Bit)

    First download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
      * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      * Select "Automatically generate report after every scan"
      * Un-Select "Only if threats were found"
    Close AVG Anti-Spyware, Do Not run a scan yet!
    • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
      Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
    • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will prompted, then select "Apply all actions"
    • Next select the "Reports" icon at the top.
    • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system
      (make sure to remember where you saved that file, this is important).
    • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
    ****************************

    And lets remove temp-files etc.

    Please download ATF Cleaner
      Double-click
    ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
    If you use Firefox browser
      Click
    Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
      Click
    Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.


    In your next reply, please include the following logs: AVG A-S log and a Fresh HijackThis. Thanks.
  • edited March 2007
    I really appreciate your help Zami! :thumbsup:

    Used HJT to remove 8 above mentioned entries.

    AVG Antispyware found 77 items in safe mode....:sad2:
    Most of which tracking cookies...no biggie...but it also found "Trojan.Agent.Acl", and found tuvvttu.dll again.

    AVG Anti-Spyware - Scan Report

    + Created at: 1:01:57 PM 01/03/2007

    + Scan result:



    C:\Documents and Settings\Eric Robertson\Desktop\Security\backups\backup-20070225-014757-457.dll -> Adware.Virtumonde : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP278\A0022648.dll -> Adware.Virtumonde : Cleaned.
    C:\WINDOWS\system32\opnkkhf.dll -> Adware.Virtumonde : Cleaned.
    C:\WINDOWS\system32\tuvvttu.dll.vir -> Adware.Virtumonde : Cleaned.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP277\A0022295.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
    :mozilla.46:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.47:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.48:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.52:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.54:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@2o7%5B1%5D.txt"]robertson@2o7[1].txt[/EMAIL] -> TrackingCookie.2o7 : Cleaned.
    :mozilla.162:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@atdmt%5B2%5D.txt"]robertson@atdmt[2].txt[/EMAIL] -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.253:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
    :mozilla.234:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.228:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.229:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.230:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.231:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.232:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.235:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.41:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@cpvfeed%5B2%5D.txt"]robertson@cpvfeed[2].txt[/EMAIL] -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.199:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
    :mozilla.25:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@doubleclick%5B1%5D.txt"]robertson@doubleclick[1].txt[/EMAIL] -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.74:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.99:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
    :mozilla.85:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.86:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.87:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.88:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.89:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.206:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.211:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.271:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.22:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.23:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.24:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.49:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@ehg-hollywoodmedia.hitbox%5B1%5D.txt"]robertson@ehg-hollywoodmedia.hitbox[1].txt[/EMAIL] -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@hitbox%5B2%5D.txt"]robertson@hitbox[2].txt[/EMAIL] -> TrackingCookie.Hitbox : Cleaned.
    :mozilla.171:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@mediaplex%5B1%5D.txt"]robertson@mediaplex[1].txt[/EMAIL] -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.149:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@perf.overture%5B1%5D.txt"]robertson@perf.overture[1].txt[/EMAIL] -> TrackingCookie.Overture : Cleaned.
    :mozilla.97:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Quarterserver : Cleaned.
    :mozilla.59:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.114:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.151:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.152:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.157:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.158:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.159:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@stats1.reliablestats%5B2%5D.txt"]robertson@stats1.reliablestats[2].txt[/EMAIL] -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.36:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.40:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.43:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.44:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.45:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.174:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.175:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.176:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.177:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.178:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.179:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@bs.serving-sys%5B2%5D.txt"]robertson@bs.serving-sys[2].txt[/EMAIL] -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@serving-sys%5B2%5D.txt"]robertson@serving-sys[2].txt[/EMAIL] -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.222:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
    :mozilla.223:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
    :mozilla.164:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.62:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.64:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.68:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.69:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@ad.yieldmanager%5B2%5D.txt"]robertson@ad.yieldmanager[2].txt[/EMAIL] -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Program Files\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned.

    ::Report end


    Fresh HJT log;
    Logfile of HijackThis v1.99.1
    Scan saved at 1:07:08 PM, on 01/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\PROGRA~1\DELLSU~1\DSAgnt.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ojioumun.dll",setvm
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
    O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (file missing)
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
    O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
  • zamizami Finland
    edited March 2007
    You can empty your AVG quarantine:
    Open AVG Anti Spyware
    -> Infections
    -> Select All
    -> Remove finally
    -> Yes
    -> Close AVG:AS



    Since this issue appears resolved, this Topic is closed, glad we could help .

    If you need this topic reopened, please request this by sending the moderating team
    a PM, with the address of the thread. This applies only to the original topic starter.

    Everyone else please begin a New Topic.
This discussion has been closed.