Another Zlob.FC infection
Looks like I wasnt carefuel enough! :sad2:
Computer is running about 50% slower, AVG keeps popping up with random *.dll files being infected with Downloader.Zlob.FC.
AVG systems scans yield no result, nor does Ad-Aware.
HJT Log was obtained by following the Sticky in this section of the forum.
Panda ActiveScan Log
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected
C:\Documents and Settings\EricRobertson\Desktop\backups\backup-20070225-014757-457.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\ProgramFiles\MyWaySA\SrchAsDe\deSrcAs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32opnkkhf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32tuvvttu.dll
Logfile of HijackThis v1.99.1
Scan saved at 10:18:09 AM, on 25/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric Robertson\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
I notice Panda ActiveScan found soem more infected *.dll.
I'm a total n00b to this stuff, but am fantastic at following instructions. Gentleman, any help is greatly appreciated!
Computer is running about 50% slower, AVG keeps popping up with random *.dll files being infected with Downloader.Zlob.FC.
AVG systems scans yield no result, nor does Ad-Aware.
HJT Log was obtained by following the Sticky in this section of the forum.
Panda ActiveScan Log
Incident Status Location
Spyware:Spyware/Virtumonde Not disinfected
C:\Documents and Settings\EricRobertson\Desktop\backups\backup-20070225-014757-457.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\ProgramFiles\MyWaySA\SrchAsDe\deSrcAs.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32opnkkhf.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32tuvvttu.dll
Logfile of HijackThis v1.99.1
Scan saved at 10:18:09 AM, on 25/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eric Robertson\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
I notice Panda ActiveScan found soem more infected *.dll.
I'm a total n00b to this stuff, but am fantastic at following instructions. Gentleman, any help is greatly appreciated!
0
This discussion has been closed.
Comments
I am currently working on your log.
I will get back to you as soon as possible.
~zami~
Please put your HijackThis in it's own folder, (I create a new folder in C:\ named HJT).
You can do a Right Click on any open area on the desktop, New> Folder, then rename the folder HJT.
Go to where your HijackThis is and Right Click on HijackThis.exe, select Cut, then open the new folder you just created (HJT) Right Click in the folder and select paste.
The reason we do this is Hijackthis creates backup files just in case you'd need to restore one and we'll be cleaning out the temp files.
**************************************
Please download VundoFix.exe to your desktop.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
**************************************
In your next reply, please include the following logs: a Fresh HijackThis and VundoFix report. Thanks.
I should have mentioned I already ran VundoFix. No Vundo found;
VundoFix V6.3.9
Checking Java version...
Java version is 1.4.2.3
Java version is 1.5.0.3
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 2:38:58 AM 26/02/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Fresh HJT log, after using ATF-Cleaner. HJT is now on its own in C:\HJT as suggested.
Logfile of HijackThis v1.99.1
Scan saved at 2:44:35 AM, on 26/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.ca/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.ca/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
AVG indicates I have also contracted a chronic case of Trojan Horses Collected.11.B and Generic3.AWS
Re-ran VundoFix
VundoFix V6.3.9
Checking Java version...
Java version is 1.4.2.3
Java version is 1.5.0.3
Java version is 1.5.0.6
Java version is 1.5.0.9
Scan started at 11:30:18 AM 28/02/2007
Listing files found while scanning....
C:\WINDOWS\system32\cwgrxfbr.ini
C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\hjqjtcbu.exe
C:\WINDOWS\system32\rbfxrgwc.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cwgrxfbr.ini
C:\WINDOWS\system32\cwgrxfbr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\geebx.dll
C:\WINDOWS\system32\geebx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hjqjtcbu.exe
C:\WINDOWS\system32\hjqjtcbu.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\rbfxrgwc.dll
C:\WINDOWS\system32\rbfxrgwc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xbeeg.bak1
C:\WINDOWS\system32\xbeeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\xbeeg.ini
C:\WINDOWS\system32\xbeeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
And grabbed a fresh HJT log;
Logfile of HijackThis v1.99.1
Scan saved at 11:40:57 AM, on 28/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: (no name) - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: (no name) - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: tuvvttu - C:\WINDOWS\SYSTEM32\tuvvttu.dll
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
Thanks in advance for any assistance.
You probably have a new variant of Vundo-infection, so lets upload it to the programmers, that they can add it to the database.
1. Go to http://www.uploadmalware.com/
2. Write the wanted information ( username etc. )
3. To Topic Where File Was Requested-part, put this: http://www.short-media.com/forum/showthread.php?t=54743
4. Upload the file by clicking the Browse and finding C:\WINDOWS\SYSTEM32\tuvvttu.dll and clicking it.
5. The file should appear to the box
6. To Comments Or Further Info-part type: New variant of Vundo?
7. Click Send File(s)
****************************
Get VirtumundoBegone
from here
and save it to your desktop.
Then:
Reboot your computer in Safe Mode.
In safe mode run VirtumundoBeGone.exe by following the instructions.
****************************
In your next reply, please include the following logs: a Fresh HijackThis and VirtumundoBeGone report. Thanks.
d/l'd VirtumundoBeGone.exe
Shutdown for 30sec, Rebooted in safe mode, ran VirumundoBeGone.exe
Shutdown for 30sec, rebooted normal, ran HJT
VirtumundoBeGone Report
[02/28/2007, 12:50:40] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Eric Robertson\Desktop\Security\VirtumundoBeGone.exe" )
[02/28/2007, 12:50:49] - Detected System Information:
[02/28/2007, 12:50:49] - Windows Version: 5.1.2600, Service Pack 2
[02/28/2007, 12:50:49] - Current Username: Eric Robertson (Admin)
[02/28/2007, 12:50:49] - Windows is in SAFE mode with Networking.
[02/28/2007, 12:50:49] - Searching for Browser Helper Objects:
[02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\mllmj
[02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\mllmj - This is probably Virtumundo.
[02/28/2007, 12:50:49] - Assigning {79565386-3161-498B-B54D-C963B1E65172} MSEvents Object
[02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
[02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\vtstr
[02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\vtstr - This is probably Virtumundo.
[02/28/2007, 12:50:49] - Assigning {A1DC79C1-EA16-45A7-960F-972706899B2A} MSEvents Object
[02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
[02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - BHO 6: {C47A9554-195A-4769-9B13-04F15B450A39} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\tuvvttu
[02/28/2007, 12:50:49] - Found: HKLM\...\Winlogon\Notify\tuvvttu - This is probably Virtumundo.
[02/28/2007, 12:50:49] - Assigning {C47A9554-195A-4769-9B13-04F15B450A39} MSEvents Object
[02/28/2007, 12:50:49] - BHO list has been changed! Starting over...
[02/28/2007, 12:50:49] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:49] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:49] - BHO 3: {79565386-3161-498B-B54D-C963B1E65172} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - BHO 4: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:49] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:49] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:49] - BHO 5: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - BHO 6: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
[02/28/2007, 12:50:49] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:49] - Finished Searching Browser Helper Objects
[02/28/2007, 12:50:49] - *** Detected MSEvents Object
[02/28/2007, 12:50:49] - Trying to remove MSEvents Object...
[02/28/2007, 12:50:50] - Terminating Process: IEXPLORE.EXE
[02/28/2007, 12:50:50] - Terminating Process: RUNDLL32.EXE
[02/28/2007, 12:50:50] - Disabling Automatic Shell Restart
[02/28/2007, 12:50:50] - Terminating Process: EXPLORER.EXE
[02/28/2007, 12:50:51] - Suspending the NT Session Manager System Service
[02/28/2007, 12:50:51] - Terminating Windows NT Logon/Logoff Manager
[02/28/2007, 12:50:51] - Re-enabling Automatic Shell Restart
[02/28/2007, 12:50:51] - File to disable: C:\WINDOWS\system32\mllmj.dll
[02/28/2007, 12:50:51] - Renaming C:\WINDOWS\system32\mllmj.dll -> C:\WINDOWS\system32\mllmj.dll.vir
[02/28/2007, 12:50:51] - File successfully renamed!
[02/28/2007, 12:50:51] - Removing HKLM\...\Browser Helper Objects\{79565386-3161-498B-B54D-C963B1E65172}
[02/28/2007, 12:50:51] - Removing HKCR\CLSID\{79565386-3161-498B-B54D-C963B1E65172}
[02/28/2007, 12:50:51] - Adding Kill Bit for ActiveX for GUID: {79565386-3161-498B-B54D-C963B1E65172}
[02/28/2007, 12:50:51] - Deleting ATLEvents/MSEvents Registry entries
[02/28/2007, 12:50:51] - Removing HKLM\...\Winlogon\Notify\mllmj
[02/28/2007, 12:50:51] - Searching for Browser Helper Objects:
[02/28/2007, 12:50:51] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:51] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:51] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:51] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:51] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:51] - BHO 4: {A1DC79C1-EA16-45A7-960F-972706899B2A} (MSEvents Object)
[02/28/2007, 12:50:51] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:51] - BHO 5: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
[02/28/2007, 12:50:51] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:51] - Finished Searching Browser Helper Objects
[02/28/2007, 12:50:51] - *** Detected MSEvents Object
[02/28/2007, 12:50:51] - Trying to remove MSEvents Object...
[02/28/2007, 12:50:52] - Terminating Process: IEXPLORE.EXE
[02/28/2007, 12:50:52] - Terminating Process: RUNDLL32.EXE
[02/28/2007, 12:50:52] - Disabling Automatic Shell Restart
[02/28/2007, 12:50:52] - Terminating Process: EXPLORER.EXE
[02/28/2007, 12:50:53] - Suspending the NT Session Manager System Service
[02/28/2007, 12:50:53] - Terminating Windows NT Logon/Logoff Manager
[02/28/2007, 12:50:53] - Re-enabling Automatic Shell Restart
[02/28/2007, 12:50:53] - File to disable: C:\WINDOWS\system32\vtstr.dll
[02/28/2007, 12:50:53] - Removing HKLM\...\Browser Helper Objects\{A1DC79C1-EA16-45A7-960F-972706899B2A}
[02/28/2007, 12:50:53] - Removing HKCR\CLSID\{A1DC79C1-EA16-45A7-960F-972706899B2A}
[02/28/2007, 12:50:53] - Adding Kill Bit for ActiveX for GUID: {A1DC79C1-EA16-45A7-960F-972706899B2A}
[02/28/2007, 12:50:53] - Deleting ATLEvents/MSEvents Registry entries
[02/28/2007, 12:50:53] - Removing HKLM\...\Winlogon\Notify\vtstr
[02/28/2007, 12:50:53] - Searching for Browser Helper Objects:
[02/28/2007, 12:50:53] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:53] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:53] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:53] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:53] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:53] - BHO 4: {C47A9554-195A-4769-9B13-04F15B450A39} (MSEvents Object)
[02/28/2007, 12:50:53] - ALERT: Found MSEvents Object!
[02/28/2007, 12:50:53] - Finished Searching Browser Helper Objects
[02/28/2007, 12:50:53] - *** Detected MSEvents Object
[02/28/2007, 12:50:53] - Trying to remove MSEvents Object...
[02/28/2007, 12:50:54] - Terminating Process: IEXPLORE.EXE
[02/28/2007, 12:50:54] - Terminating Process: RUNDLL32.EXE
[02/28/2007, 12:50:54] - Disabling Automatic Shell Restart
[02/28/2007, 12:50:54] - Terminating Process: EXPLORER.EXE
[02/28/2007, 12:50:54] - Suspending the NT Session Manager System Service
[02/28/2007, 12:50:54] - Terminating Windows NT Logon/Logoff Manager
[02/28/2007, 12:50:54] - Re-enabling Automatic Shell Restart
[02/28/2007, 12:50:54] - File to disable: C:\WINDOWS\system32\tuvvttu.dll
[02/28/2007, 12:50:54] - Renaming C:\WINDOWS\system32\tuvvttu.dll -> C:\WINDOWS\system32\tuvvttu.dll.vir
[02/28/2007, 12:50:54] - File successfully renamed!
[02/28/2007, 12:50:54] - Removing HKLM\...\Browser Helper Objects\{C47A9554-195A-4769-9B13-04F15B450A39}
[02/28/2007, 12:50:54] - Removing HKCR\CLSID\{C47A9554-195A-4769-9B13-04F15B450A39}
[02/28/2007, 12:50:54] - Adding Kill Bit for ActiveX for GUID: {C47A9554-195A-4769-9B13-04F15B450A39}
[02/28/2007, 12:50:54] - Deleting ATLEvents/MSEvents Registry entries
[02/28/2007, 12:50:54] - Removing HKLM\...\Winlogon\Notify\tuvvttu
[02/28/2007, 12:50:54] - Searching for Browser Helper Objects:
[02/28/2007, 12:50:54] - BHO 1: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/28/2007, 12:50:54] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[02/28/2007, 12:50:54] - BHO 3: {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} ()
[02/28/2007, 12:50:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/28/2007, 12:50:54] - Checking for HKLM\...\Winlogon\Notify\geebx
[02/28/2007, 12:50:54] - Key not found: HKLM\...\Winlogon\Notify\geebx, continuing.
[02/28/2007, 12:50:54] - Finished Searching Browser Helper Objects
[02/28/2007, 12:50:54] - Finishing up...
[02/28/2007, 12:50:54] - A restart is needed.
[02/28/2007, 12:50:54] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[02/28/2007, 12:51:15] - Attempting to Restart via STOP error (Blue Screen!)
Fresh HJT log
Logfile of HijackThis v1.99.1
Scan saved at 12:59:27 PM, on 28/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Media Experience\DMXLauncher.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: MSEvents Object - {79565386-3161-498B-B54D-C963B1E65172} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: MSEvents Object - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: MSEvents Object - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ojioumun.dll",setvm
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: tuvvttu - tuvvttu.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
I'm learning...i think...
****************************
With all other windows closed, start your HijackThis and Click "Do a System Scan Only"
Click in the check-box to the left of each of the following entries, if found:
Select Fix Checked
O2 - BHO: MSEvents Object - {79565386-3161-498B-B54D-C963B1E65172} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {7BCA36EB-EDBD-4C53-8A44-FFE0FDCF155A} - C:\WINDOWS\system32\geebx.dll (file missing)
O2 - BHO: MSEvents Object - {A1DC79C1-EA16-45A7-960F-972706899B2A} - C:\WINDOWS\system32\vtstr.dll (file missing)
O2 - BHO: MSEvents Object - {C47A9554-195A-4769-9B13-04F15B450A39} - C:\WINDOWS\system32\tuvvttu.dll (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: mllmj - C:\WINDOWS\system32\mllmj.dll (file missing)
O20 - Winlogon Notify: tuvvttu - tuvvttu.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)
****************************
Lets run AVG:AS to make sure your computer is clean:
Please follow the instructions provided, you may want to print out these instructions and use them as a reference:
AVG Anti-Spyware only works on Windows 2000 and Windows XP (32-Bit)
First download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
This is a 30 day trial of the program
- Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
- Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports"
Close AVG Anti-Spyware, Do Not run a scan yet!* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"
- Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
- Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
- If you have any infections you will prompted, then select "Apply all actions"
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system
- Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
****************************Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Once the scan is complete do the following:
(make sure to remember where you saved that file, this is important).
And lets remove temp-files etc.
Please download ATF Cleaner
Double-click
ATF-Cleaner.exe to run the program.Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click
Firefox at the top and choose: Select AllClick the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click
Opera at the top and choose: Select AllClick the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
In your next reply, please include the following logs: AVG A-S log and a Fresh HijackThis. Thanks.
Used HJT to remove 8 above mentioned entries.
AVG Antispyware found 77 items in safe mode....:sad2:
Most of which tracking cookies...no biggie...but it also found "Trojan.Agent.Acl", and found tuvvttu.dll again.
AVG Anti-Spyware - Scan Report
+ Created at: 1:01:57 PM 01/03/2007
+ Scan result:
C:\Documents and Settings\Eric Robertson\Desktop\Security\backups\backup-20070225-014757-457.dll -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP278\A0022648.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\system32\opnkkhf.dll -> Adware.Virtumonde : Cleaned.
C:\WINDOWS\system32\tuvvttu.dll.vir -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP277\A0022295.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned.
:mozilla.46:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.48:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.52:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.54:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@2o7%5B1%5D.txt"]robertson@2o7[1].txt[/EMAIL] -> TrackingCookie.2o7 : Cleaned.
:mozilla.162:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@atdmt%5B2%5D.txt"]robertson@atdmt[2].txt[/EMAIL] -> TrackingCookie.Atdmt : Cleaned.
:mozilla.253:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.234:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.228:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.229:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.230:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.231:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.232:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.235:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.41:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@cpvfeed%5B2%5D.txt"]robertson@cpvfeed[2].txt[/EMAIL] -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.199:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.25:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@doubleclick%5B1%5D.txt"]robertson@doubleclick[1].txt[/EMAIL] -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.74:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.99:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.85:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.86:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.87:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.88:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.89:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.206:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.211:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.271:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.22:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.23:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.24:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.49:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@ehg-hollywoodmedia.hitbox%5B1%5D.txt"]robertson@ehg-hollywoodmedia.hitbox[1].txt[/EMAIL] -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@hitbox%5B2%5D.txt"]robertson@hitbox[2].txt[/EMAIL] -> TrackingCookie.Hitbox : Cleaned.
:mozilla.171:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@mediaplex%5B1%5D.txt"]robertson@mediaplex[1].txt[/EMAIL] -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.149:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@perf.overture%5B1%5D.txt"]robertson@perf.overture[1].txt[/EMAIL] -> TrackingCookie.Overture : Cleaned.
:mozilla.97:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Quarterserver : Cleaned.
:mozilla.59:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.114:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.151:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.152:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.157:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.158:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.159:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@stats1.reliablestats%5B2%5D.txt"]robertson@stats1.reliablestats[2].txt[/EMAIL] -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.36:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.40:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.43:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.44:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.45:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.174:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.175:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.176:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.177:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.178:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.179:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@bs.serving-sys%5B2%5D.txt"]robertson@bs.serving-sys[2].txt[/EMAIL] -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@serving-sys%5B2%5D.txt"]robertson@serving-sys[2].txt[/EMAIL] -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.222:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.223:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.164:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.62:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.64:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.68:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.69:C:\Documents and Settings\Eric Robertson\Application Data\Mozilla\Firefox\Profiles\y6mmhczu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Eric Robertson\Cookies\eric [EMAIL="robertson@ad.yieldmanager%5B2%5D.txt"]robertson@ad.yieldmanager[2].txt[/EMAIL] -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\VSAdd-in\VSAdd-in.dll -> Trojan.Agent.acl : Cleaned.
::Report end
Fresh HJT log;
Logfile of HijackThis v1.99.1
Scan saved at 1:07:08 PM, on 01/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\DELLSU~1\DSAgnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DC
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\ojioumun.dll",setvm
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {66E79B75-F711-4A88-9C6D-10BCA64F3306} (DriveCamPlayer Class) - http://www.drivecam.com/videos/DriveCamEvent.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149032704055
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
Open AVG Anti Spyware
-> Infections
-> Select All
-> Remove finally
-> Yes
-> Close AVG:AS
Since this issue appears resolved, this Topic is closed, glad we could help .
If you need this topic reopened, please request this by sending the moderating team
a PM, with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.