Help find the last fragments of junk

edcentric (Icrontian, near Milwaukee, Wisconsin)
edited June 2007 in Spyware & Virus Removal
I am helping someone else (isn't that always the case) clean up a machine.
I have almost everything, but still getting some trash.
I get an error saying that it can't find uvhpxga.dll, which is nonsense.
Let's see if we can't root this out.
thanks guys, ed

Logfile of HijackThis v1.99.1
Scan saved at 10:08:23 AM, on 6/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gangstagays.com/maintour.php/22307/133/A
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://portal.uwstout.edu/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uvohpxga.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129902710971
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://ct4a.uwstout.edu/webinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O20 - AppInit_DLLs: KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Comments

  • Trogan (London, UK)
    edited June 2007
    Hi ed,

    Nothing bad in the log, but the file you mention looks like Vundo.

    1. Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


    2. I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.
    3. Please post the following...

    VundoFix log
    Uninstall list
    New HijackThis log
  • edcentric (Icrontian, near Milwaukee, Wisconsin)
    edited June 2007
    VundoFix V6.5.0

    Checking Java version...

    Java version is 1.5.0.5
    Old versions of java are exploitable and should be removed.

    Scan started at 12:58:30 PM 6/13/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\agxphovu.ini
    C:\WINDOWS\system32\uvohpxga.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\agxphovu.ini
    C:\WINDOWS\system32\agxphovu.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    the uninstall list

    AC3Filter (remove only)
    Ad-Aware SE Personal
    Adobe Bridge 1.0
    Adobe Flash Player 9 ActiveX
    Adobe Flash Player Plugin
    Adobe Reader 7.0.9
    Adobe SVG Viewer 3.0
    Age of Empires III
    AIM 6.0
    ATI - Software Uninstall Utility
    Bonjour Core for Windows
    Broadcom NetXtreme Ethernet Controller
    ContextPlus
    DC++ 0.698
    DivX Codec
    DivX Content Uploader
    DivX Converter
    DivX Player
    DivX Web Player
    EasyCleaner
    ENFUNS Updater
    Google Desktop
    Graphical Analysis 3.2
    HijackThis 1.99.1
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows Media Format SDK (KB910998)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    InterActual Player
    InterVideo DVD Check
    InterVideo WinDVD
    J2SE Runtime Environment 5.0 Update 5
    LimeWire 4.12.11
    LiveUpdate 3.1 (Symantec Corporation)
    Logger Pro 3.2.1
    Macromedia Dreamweaver MX 2004
    Macromedia Extension Manager
    Macromedia Shockwave Player
    Maple 9.5
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office FrontPage 2003
    Microsoft Office Professional Edition 2003
    MINITAB Release 14
    Mozilla Firefox (2.0.0.4)
    MSXML 4.0 SP2 (KB927978)
    Musicmatch® Jukebox
    Oblivion
    Quick Launch Buttons 5.10 A1
    QuickTime
    Ruckus Player
    Security Update for CAPICOM (KB931906)
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB883939)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB903235)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    SiSoftware Sandra Lite XI.SP2 (Win64/32/CE)
    SoundMAX
    SPSS 12.0 for Windows
    Spybot - Search & Destroy 1.4
    Spyware Doctor 5.0
    Symantec AntiVirus
    Synaptics Pointing Device Driver
    TreeSize Free V2.1
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Viewpoint Toolbar
    Winamp (remove only)
    Windows Defender Signatures
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Connect
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB884575
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885855
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB887797
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888239
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    WinRAR archiver

    and another hjt scan

    Logfile of HijackThis v1.99.1
    Scan saved at 1:07:00 PM, on 6/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gangstagays.com/maintour.php/22307/133/A
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://portal.uwstout.edu/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129902710971
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://ct4a.uwstout.edu/webinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O20 - AppInit_DLLs: KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
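The VundoFix output above shows the tell-tale Vundo pairing: the loader DLL `uvohpxga.dll` and a companion `agxphovu.ini` whose name is the DLL stem spelled backwards. Note also that the removal log reports only the .ini as deleted, and the `[SoundService] rundll32.exe "...\uvohpxga.dll",setvm` Run entry, absent from the 1:07 PM log, is back in the 6/15 log later in the thread. The script below is an added example, not the thread's tooling or VundoFix: it parses HijackThis O4 lines, picks out rundll32 entries that load a DLL from system32, and checks a directory listing for the reversed-name .ini companion. The sample log lines and the system32 listing are constructed for the example (the NvCplDaemon line is a common legitimate rundll32 entry, included to show the weaker REVIEW verdict); the function and variable names are my own.

```python
"""Triage HijackThis O4 autostart lines for Vundo-style rundll32 loaders.

Added example; the heuristic and names here are the author's, not part of
HijackThis or VundoFix. Vundo variants of this era loaded a randomly named
DLL from system32 via rundll32 and kept a companion .ini whose name is the
DLL stem reversed (uvohpxga.dll <-> agxphovu.ini in the thread's log).
"""
import os
import re

# Constructed sample lines modelled on the thread's log (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uvohpxga.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

# Constructed directory listing standing in for a real C:\WINDOWS\system32.
SAMPLE_SYSTEM32 = {"uvohpxga.dll", "agxphovu.ini", "NvCpl.dll", "ctfmon.exe"}

# "O4 - HKLM\..\Run: [Name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# rundll32.exe "<path>.dll",<export>  (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


def parse_o4(log_text):
    """Return one dict (hive, name, cmd) per O4 Run-key line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def reversed_ini_name(dll_path):
    """Companion-file name Vundo used: the DLL stem reversed, with a .ini extension."""
    stem = dll_path.rsplit("\\", 1)[-1]
    if stem.lower().endswith(".dll"):
        stem = stem[:-4]
    return stem[::-1] + ".ini"


def triage(log_text, system32_listing):
    """Flag rundll32 loaders in system32; VUNDO-PATTERN when the reversed .ini exists."""
    listing = {name.lower() for name in system32_listing}
    findings = []
    for entry in parse_o4(log_text):
        m = RUNDLL_RE.match(entry["cmd"].strip())
        if not m:
            continue  # plain executables: out of scope for this heuristic
        dll = m.group("dll")
        if "\\system32\\" not in dll.lower():
            continue  # vendor-directory DLLs: leave for manual review
        ini = reversed_ini_name(dll)
        verdict = "VUNDO-PATTERN" if ini.lower() in listing else "REVIEW"
        findings.append({
            "name": entry["name"],
            "dll": dll,
            "export": m.group("export"),
            "companion_ini": ini,
            "verdict": verdict,
        })
    return findings


def live_system32_listing():
    """Real listing for use on the affected machine itself (Windows only)."""
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    return set(os.listdir(os.path.join(root, "system32")))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_SYSTEM32):
        print(f"{f['verdict']:14} [{f['name']}] {f['dll']},{f['export']}"
              f"  (looked for {f['companion_ini']})")
```

On the real machine, pass `live_system32_listing()` instead of the constructed set, and re-run after the reboot: a Run entry that is gone in one scan and present again in the next, as happens between the 6/13 and 6/15 logs in this thread, means the DLL itself is still on disk and being loaded, so the .ini deletion alone did not finish the job.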
  • Trogan (London, UK)
    edited June 2007
    Hi ed,

    Please do the following...

    1. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u1.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
      • J2SE Runtime Environment 5.0 Update 5
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
    2. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    3. Please do an online scan with Panda ActiveScan

    - Once you are on the Panda site, click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

    Post the contents of the Panda scan report, along with a new HijackThis Log
  • edcentric (Icrontian, near Milwaukee, Wisconsin)
    edited June 2007
    OK, I am back. ActiveScan was a bear to get to run.
    there is still work to be done.
    thanks, guys.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:00:14 PM, on 6/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://icrontic.com/forum/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://portal.uwstout.edu/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.6.0\ViewBar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [KeyAccess] C:\WINDOWS\keyacc32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uvohpxga.dll",setvm
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129902710971
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor2/sis/mjolauncher.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
    O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://ct4a.uwstout.edu/webinst.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O20 - AppInit_DLLs: KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\Win32\RpcDataSrv.exe
    O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI.SP2\RpcSandraSrv.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    Incident Status Location

    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.2o7.net/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.atwola.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.advertising.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.doubleclick.net/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.atdmt.com/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.as-us.falkag.net/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.tribalfusion.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.ads.pointroll.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.questionmarket.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.mediaplex.com/]
    Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.citi.bridgetrack.com/]
    Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[citi.bridgetrack.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.ad.yieldmanager.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[ad.yieldmanager.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.ad.yieldmanager.com/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.trafficmp.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.zedo.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.statcounter.com/]
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[stat.onestat.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.statcounter.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.adrevolver.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.serving-sys.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.hitbox.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[server.iad.liveperson.net/hc/47292500]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[server.iad.liveperson.net/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.z1.adserver.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.fastclick.net/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.z1.adserver.com/]
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.fastclick.net/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.z1.adserver.com/]
    Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.tradedoubler.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.realmedia.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.burstnet.com/]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[www.burstbeacon.com/]
    Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.valueclick.com/]
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.bluestreak.com/]
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[statse.webtrendslive.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.maxserving.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.overture.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.casalemedia.com/]
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.belnk.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.247realmedia.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.perf.overture.com/]
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.mysearch.com/]
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.seeq.com/]
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[www48.seeq.com/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.xiti.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.adserver.filefront.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.adtech.de/]
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.bravenet.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.com.com/]
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[.go.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-1.txt[adserver.filefront.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.adrevolver.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.atdmt.com/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.doubleclick.net/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.realmedia.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.advertising.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.questionmarket.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.atwola.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.2o7.net/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.burstnet.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.adserver.filefront.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.apmebf.com/]
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.clickbank.net/]
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[.mysearch.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[adserver.filefront.com/]
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-2.txt[searchportal.information.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.atdmt.com/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.advertising.com/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.atwola.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.2o7.net/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.doubleclick.net/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.burstnet.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.casalemedia.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.adserver.filefront.com/]
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.apmebf.com/]
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.clickbank.net/]
    Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[.mysearch.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[adserver.filefront.com/]
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\student\Application Data\Mozilla\Firefox\Profiles\8cnwdzdr.default\cookies-3.txt[searchportal.information.com/]
    Virus:Trj/QQPass.QV Not disinfected C:\Documents and Settings\student\My Documents\Morpheus Shared\Downloads\Cracked ThriXXX Games - 3D Sex Villa 2.017.001 & HentaII 3D 2.017.004 & Virtually Jenna 2.017.002 Incl. AMD Patch.rar[vjen2_017\VirtuallyJenna-2.017.002-cracked.exe][VirtuallyJenna-2.017
    Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\student\My Documents\SpinBustaSetup-dm.exe
    Virus:Malware Generic Disinfected C:\Program Files\Morpheus\morpheustoolbar.exe
    Potentially unwanted tool:Application/ViewPoint Not disinfected C:\WINDOWS\hijackthis\backups\backup-20070118-114450-427.dll
    Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
  • Trogan, London, UK
    edited June 2007
    Hi ed,

    Please do the following...

    1. I'd like a file to be uploaded please...
    • Go here to Upload Malware
    • Fill out the information, and post a link to this thread.
    • In the File(s) To Submit: box 1. copy and paste the following:
      • C:\WINDOWS\system32\uvohpxga.dll
    • Click on Send File and close the page
    2. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uvohpxga.dll",setvm

    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    - Close HijackThis

    3. Run HijackThis again and click on Open the Misc Tools section.
    Click on Delete a file on reboot...
    Copy and paste the following into the "File name:" text box and then click Open:

    C:\WINDOWS\system32\uvohpxga.dll

    When you are asked "Do you want to restart your computer now?", click OK.

    Your PC MUST reboot to delete the file!

    4. Find and delete the following in RED:

    C:\Documents and Settings\student\My Documents\Morpheus Shared\Downloads\Cracked ThriXXX Games - 3D Sex Villa 2.017.001 & HentaII 3D 2.017.004 & Virtually Jenna 2.017.002 Incl. AMD Patch.rar

    C:\Documents and Settings\student\My Documents\SpinBustaSetup-dm.exe

    5. Download this file - combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    6. Please post the ComboFix log, along with a new HijackThis log.
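As an added example (not part of ed's or Trogan's posts, and not HijackThis code), the script below applies the same reading Trogan did to the log above, mechanically: it parses HijackThis v1.99 lines and flags an O4 Run entry that launches rundll32.exe on a DLL (the uvohpxga.dll line), a non-empty O20 AppInit_DLLs value, and an O10 Winsock LSP that HijackThis could not attribute. The sample lines are excerpted from the log in this thread; the set of files assumed to be present on disk, the `Finding` type and the heuristics themselves are constructed for this example.

```python
"""Triage a HijackThis v1.99 log for autostart entries worth a second look.

The heuristics are this example's assumptions, not HijackThis logic:
  * O4  Run entries that start rundll32.exe on a DLL (and, when a file list is
        supplied, whether that DLL still exists; a missing one is exactly what
        produces a "cannot find <dll>" error from rundll32 at logon);
  * O20 AppInit_DLLs, which loads every listed DLL into each process that
        loads user32.dll;
  * O10 Winsock LSP entries that HijackThis reports as "Unknown file".
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Constructed excerpt of the log posted in this thread (plus benign lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\uvohpxga.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - AppInit_DLLs: KATRACK.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Files assumed to exist on the box (constructed; on a real machine build
# this from a directory listing taken while the box is offline).
SAMPLE_PRESENT = {
    r"c:\windows\system32\ctfmon.exe",
    r"c:\program files\common files\symantec shared\ccapp.exe",
}

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>\S+)', re.I
)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    name: str      # Run value name, LSP path or AppInit_DLLs list
    reason: str    # why the entry was flagged


def triage(log_text: str, present_files: Iterable[str] = ()) -> list[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    present = {p.lower() for p in present_files}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = O4_RUN.match(body)          # skips "Global Startup" .lnk lines
            if not run:
                continue
            dll = RUNDLL.search(run.group("cmd"))
            if dll:
                path = dll.group("dll")
                why = f"rundll32 loads {path}, export {dll.group('export')}"
                if present and path.lower() not in present:
                    why += "; file not on disk, so logon shows a 'cannot find' error"
                findings.append(Finding(sec, run.group("name"), why))
        elif sec == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            findings.append(Finding(sec, body.split(": ", 1)[1],
                                    "LSP not attributed by HijackThis; identify the vendor first"))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(sec, " ".join(dlls),
                                        "loaded into every process that loads user32.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAMPLE_PRESENT):
        print(f"{f.section:<4} {f.name}\n     {f.reason}")
```

Two caveats on reading the output: "Unknown file" in O10 means HijackThis did not recognise the DLL, not that it is malicious (the entry here is Apple's Bonjour provider, installed with the Bonjour service listed under O23), and removing an LSP entry incorrectly can leave Winsock unable to load, so identify the vendor before touching it. The orphaned-file check is also why the "file not on disk" reason appears for uvohpxga.dll only when you pass a file list: without one the script cannot tell a deleted DLL from a present one.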