01-20-2007, 02:55 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Trojan Progdav

Well, someplace along the way I got nailed by this p.o.s. And, as most have noted, have not been able to clean it thru any conventional/unconventional method. Spy Sweeper won't touch it. Neither Zone Alarm spy scan nor firewall sees it at all. And, of course, MS's mighty Windows Defender is also blind to its existence. NOD32 never saw it either. Ran Hijack This w/results below. Anyone have thoughts/advice on how to get this beast off the pc? Thanx much in advance!

Logfile of HijackThis v1.97.7
Scan saved at 4:42:53 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\taskswitch.exe
D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
E:\Hank's Documents\palmOne\Hotsync.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
d:\Program Files\Webroot\Spy Sweeper\SSU.EXE
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\cmd.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LGODDFU] "d:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF4 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PCLEPCI] d:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [eBayToolbar] "d:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] "D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe"
O4 - HKCU\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "d:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Hank's Documents\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SpeedUpMyPC.lnk = D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &eBay Search - res://D:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://D:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Citi (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...=hubble_anniv1
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156883759109
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get...nt/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7530-b.../java/RntX.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/suppo...ionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79AE95EB-B2FB-4829-AF20-A61EC232635B}: NameServer = 65.32.5.74,65.32.3.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1339E64-B392-45EC-B9AE-8307A18CA2D9}: NameServer = 65.32.5.74,65.32.3.76
hobbesotr is offline  
01-21-2007, 08:34 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian's Avatar
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Hi and welcome to TSF.

You are using an outdated version of HijackThis. Please download and install the latest version by going to this Site. Then run a scan and post a fresh log.


Please also create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook into your next post
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
01-21-2007, 12:28 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Hi Glaswegian,

Thanx for the update info. Have run as requested. Results as follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:20:15 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
d:\Program Files\Eset\nod32krn.exe
d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\taskswitch.exe
D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Eset\nod32kui.exe
D:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
E:\Hank's Documents\palmOne\Hotsync.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
d:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\Disks & Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LGODDFU] "d:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF4 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PCLEPCI] d:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nod32kui] "d:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [eBayToolbar] "d:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [SpySweeper] "D:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] "D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe"
O4 - HKCU\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKCU\..\Run: [Weather] "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" 1
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "d:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Hank's Documents\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: SpeedUpMyPC.lnk = D:\Program Files\LIUtilities\SpeedUpMyPC\speedupmypc.exe
O8 - Extra context menu item: &eBay Search - res://D:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://D:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...=hubble_anniv1
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156883759109
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7530-b.../java/RntX.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/suppo...ionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79AE95EB-B2FB-4829-AF20-A61EC232635B}: NameServer = 65.32.5.74,65.32.3.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1339E64-B392-45EC-B9AE-8307A18CA2D9}: NameServer = 65.32.5.74,65.32.3.76
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - d:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: X - Unknown owner - C:\DOCUME~1\HANKAU~1\LOCALS~1\Temp\X.exe (file missing)

AcuteFinder 1.3
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0 Templates
Adobe Reader 7.0.9
Alt-Tab Task Switcher Powertoy for Windows XP
AM-DeadLink 2.8
Apple Software Update
ArcSoft PhotoStudio 5
ASUS Enhanced Display Driver
ASUS Utilities
ASUS VideoSecurity Online
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Atomic Clock Sync
AttachmentOptions
AttachmentsSave
Belarc Advisor 7.2
Beyond Compare Version 2.4.3
Calculator Powertoy for Windows XP
Citi Virtual Account Numbers
CmdHere Powertoy For Windows XP
Comet
Corel Paint Shop Pro Photo XI
Corel Photo Album 6
Corel Photo Album Additional Content
Data Lifeguard Tools
Delete Duplicated Email
DiscAPI (Studio 10)
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Documents To Go
DV Network Software
DVD Solution
eBay Toolbar
ExamForce Engine Installation
File Access Manager (remove only)
FileSnoop 2
Gadwin PrintScreen
Garmin City Navigator North America v8
Garmin MapSource
GdiplusUpgrade
Gemmico FolderInfo 2.20
Genie Backup Manager Pro 7.0
Genie FAM
GenSmarts
Google Earth
Google Toolbar for Internet Explorer
GSAK 6.6.4 Build 20 (Final)
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB928388)
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HTML Slideshow Powertoy for Windows XP
Image Resizer Powertoy for Windows XP
iTunes
J2SE Runtime Environment 5.0 Update 6
jv16 PowerTools 2006
Karen's WhoIs
Laridian Daily Light on the Daily Path for PalmOS
Laridian Easton's Bible Dictionary for PalmOS
Laridian Laridian DailyReader for PalmOS
Laridian Laridian Memorize! for PalmOS
Laridian Laridian Reading Plans for PalmOS
Laridian Matthew Henry Concise Commentary for PalmOS
Laridian Morning and Evening for PalmOS
Laridian My Utmost for His Highest for PalmOS
Laridian MyBible 4 for PalmOS
Laridian MyBible American Standard Version (ASV) for PalmOS
Laridian MyBible Darby's New Translation (DNT) for PalmOS
Laridian MyBible King James Version (KJV) for PalmOS
Laridian MyBible New International Version (NIV) for PalmOS
Laridian MyBible New King James Version (NKJV) for PalmOS
Laridian MyBible NIV (XRef Edition) for PalmOS
Laridian MyBible The Message (MSG) for PalmOS
Laridian MyBible World English Version (WEB) for PalmOS
Laridian MyBible Young's Literal Translation (YLT) for PalmOS
Laridian Nave's Topical Bible for PalmOS
Laridian NIV Study Bible Notes for PalmOS
Laridian One Year Chronological Bible for PalmOS
Laridian Ryrie Study Bible for PalmOS
Laridian Topiocal Memory System for PalmOS
LG ODD Auto Firmware Update
Magnifier Powertoy for Windows XP
MapSource
MapSource - City Select North America v6
MapSource - Trip & Waypoint Manager v2
MediaWiper
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Color Control Panel Applet for Windows XP
Microsoft Money 2007 Home & Business
Microsoft Money Shared Libraries
Microsoft Office 2003 Resource Kit
Microsoft Office InfoPath 2003 SDK
Microsoft Office Professional Edition 2003
Microsoft Office Sounds
Microsoft Outlook Personal Folders Backup
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft Windows Vista Upgrade Advisor
Mobipocket Reader 5.2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Multimedia Launcher
Musicmatch® Jukebox
MyPublisher BookMaker
Nero 7 Demo
Nero PhotoShow Deluxe 4
NOD32 antivirus system
OneTouch Software
overland
PAF Insight
palmOne
PC Probe II
PC Study Bible (remove only)
Personal Ancestral File 5
Personal Ancestral File Companion 5.2
PHOTORECOVERY® Limited Edition 3.0
Pinnacle HFX Volume 2
Pinnacle Instant DVD Recorder
Pinnacle PCI Performance Enhancer
Pinnacle Studio MediaSuite
PocketMirror (Professional Edition) 4.2.2
PowerDVD
proDAD Heroglyph 2.5
Proxy Host Input Port Drivers
Proxy Master
Quicken 2007
Quicken Legal Business Pro 2006
Quicken Legal Business Pro 2007
QuickTime
Radio365
RAPID (Studio 10)
RawShooter essentials 2005
Realtek High Definition Audio Driver
Remove Hidden Data Tool
RS Delete Duplicated Contacts
ScanSoft OmniPage 15.0
ScanSoft PDF Professional 4
SecureClean4
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Slideshow Generator Powertoy for Windows XP
SmartSound Quicktracks Plugin
SplashID
Spy Sweeper
Studio 10
Studio 10 Bonus DVD
Studio 10.5.2 Patch
Studio Premium Pack 2
Studio RTFx Volume 2
SyncToy
Time Expense Automobile Keeper (TEAK) Program
Timershot Powertoy for Windows XP
TreeSize Professional 4.1.1
tunebite 3.0.1.8
Tweak UI
U3Launcher
ULi Sata Driver
Uniblue SpeedUpMyPC
Universal Explorer 4.2
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Virtual Cable Tester
Virtual Desktop Manager Powertoy for Windows XP
VMware DiskMount Utility
VMware Workstation
WeatherBug
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Resource Kit Tools
Windows Resource Kit Tools - GPInventory.exe
Windows Server 2003 Service Pack 1 Administration Tools Pack
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinTasks
WinUndelete
WinZip
Zinio Reader
ZoneAlarm Pro
hobbesotr is offline  
Old 01-21-2007, 01:11 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian's Avatar
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Hi again

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Disable Webroot SpySweeper
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

To disable Webroot SpySweeper:
  • Click on Options> then Program tab
  • Uncheck Load at Windows Startup
  • Click Shields on the left.
  • Click Web Browser and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!


Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"


  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

When you have finished updating, EXIT AVG Anti Spyware.



Services
Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - X
  • Double-click on it to open the Properties dialog.
    • Under the General tab, note down the name of "Service name". We shall need it later.
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config > Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in "Service name", i.e the name of the service you just noted as above, & then click on the OK button.




Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.




Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

Viewpoint Manager
Viewpoint Media Player
WeatherBug





HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [Weather] "C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" 1
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...=hubble_anniv1
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?


Please remember to close all other windows, including browsers then click Fix checked.




File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\ntos.exe
C:\PROGRA~1\AWS
C:\Program Files\Viewpoint




Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.




Run AVG Anti Spyware
Run AVG with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
Once finished, click the Save report button, then click Save Report As and save it to your desktop.

NOTE: AVG scan may require an hour.



Reboot
Reboot your system in Normal Mode.



Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
AVG Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-21-2007, 03:59 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


thanx! will do and advise results...
hobbesotr is offline  
Old 01-21-2007, 07:00 PM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Question

ok 2 things w/the instructions. first avg that's available now doesn't display as noted. currently i have v7.5.432 w/def 268.17.4/643. i disabled the resident shield. it appears once the scan is run, there is an option to move to 'vault'. x and disabled. however, when attempting to delete w/hjt, a msg that "Service <fib> was not found in the Registry. Make sure you entered the short name of the service., vbExclamation". both cut 'n paste and manually entering the svc name same result. what's next boss, just dive in and proceed on from the safe mode reboot step?
hobbesotr is offline  
Old 01-21-2007, 07:25 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Exclamation Update

did a search of the registry w/jv16 for 'x.exe' and found it located at hklm\system\controlset001\services\x\; hklm\system\controlset002\services\x\ and hklm\system\currentcontrolset\services\x\. entry name for each was 'ImagePath'. all 3 referred to a value as indicated during the x svc's properties step. a ck of the sub-dir which is supposed to contain 'x.exe' showed it did not exist. the closest match was 0 length files xx2, xx3, xx4, xx5 and xx6 having no extension.


Quote:
Originally Posted by hobbesotr View Post
ok 2 things w/the instructions. first avg that's available now doesn't display as noted. currently i have v7.5.432 w/def 268.17.4/643. i disabled the resident shield. it appears once the scan is run, there is an option to move to 'vault'. x and disabled. however, when attempting to delete w/hjt, a msg that "Service <fib> was not found in the Registry. Make sure you entered the short name of the service., vbExclamation". both cut 'n paste and manually entering the svc name same result. what's next boss, just dive in and proceed on from the safe mode reboot step?
hobbesotr is offline  
Old 01-22-2007, 06:31 AM   #8 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Glaswegian's Avatar
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Hi

OK - ignore the Service bit and complete what you can, then post any logs. We'll take it from there.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-23-2007, 04:47 AM   #9 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Scans Complete

Followed your steps as closely as possible. It was not possible to delete the NTOS file. It errored as in use. Here are the results of the completed scans.

AVG -
Complete Test,1/22/2007,8:18:48 PM,261031,0,0

Panda -

Incident Status Location

Adware:adware/cashsaver Not disinfected c:\windows\system32\CSUninstall.exe
Adware:adware/cws Not disinfected C:\Documents and Settings\hank ausse\Favorites\Health
Dialer:Dialer.Gen Not disinfected C:\PaperPort11\Other\PagisConverter\English\data1.cab[convproc.exe]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Personal Folders-old\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Virus:W32/Sober.AF.worm Disinfected Personal Folders-Current\Sent Items\FW: Your eMail Password\Accept_e-Text.zip[accept_emailTextData.exe]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Personal Folders-old\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Virus:W32/Sober.AF.worm Disinfected Personal Folders-Current\Sent Items\FW: Your eMail Password\Accept_e-Text.zip[accept_emailTextData.exe]
Spyware:Cookie/RealMedia Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@247realmedia[2].txt
Spyware:Cookie/2o7 Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@as1.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@azjmp[1].txt
Spyware:Cookie/Bluestreak Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@bluestreak[1].txt
Spyware:Cookie/Bridgetrack Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@citi.bridgetrack[1].txt
Spyware:Cookie/Doubleclick Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@hitbox[1].txt
Spyware:Cookie/Hitbox Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@server.iad.liveperson[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@tribalfusion[1].txt
Spyware:Cookie/Tucows Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@tucows[1].txt
Spyware:Cookie/Valueclick Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@valueclick[2].txt
Spyware:Cookie/BurstBeacon Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@www.burstbeacon[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@www.myaffiliateprogram[1].txt
Spyware:Cookie/Xiti Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@xiti[1].txt
Spyware:Cookie/Zedo Not disinfected I:\BU's - Sync Tool\BeyComp-Doc's 'n Settings\hank ausse\Cookies\hank@zedo[2].txt
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Archive Folders\Inbox\Save/Keep\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Adware:Adware/MediaTickets Not disinfected Personal Folders-old\Inbox\.Router\192.168.123.101-2 FT\NETGEAR Security Log [05:d8:e7]
Virus:W32/Sober.AF.worm Disinfected Personal Folders-Current\Sent Items\FW: Your eMail Password\Accept_e-Text.zip[accept_emailTextData.exe]
HijackThis -
Logfile of HijackThis v1.99.1
Scan saved at 6:42:33 AM, on 1/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
H:\Disks & Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LGODDFU] "d:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF4 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCLEPCI] d:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [eBayToolbar] "d:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] "D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe"
O4 - HKCU\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "d:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Hank's Documents\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://D:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://D:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156883759109
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7530-b.../java/RntX.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/suppo...ionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79AE95EB-B2FB-4829-AF20-A61EC232635B}: NameServer = 65.32.5.74,65.32.3.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1339E64-B392-45EC-B9AE-8307A18CA2D9}: NameServer = 65.32.5.74,65.32.3.76
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
hobbesotr is offline  
Old 01-24-2007, 08:50 AM   #10 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Update - NTOS.EXE

I've come up w/at least a couple ways to kill the file. Will see about deleting it after work. If successful, will re-run the outlined steps/scans. Due to the number/size of attached drives, the scans run for hours. I should have the results tomorrow, or Fri at the latest.
hobbesotr is offline  
Old 01-24-2007, 02:34 PM   #11 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

I didn't really expect that file to go easily. We have a number of tools at our disposal that will deal with it (they've worked before) so leave it for now and I'll provide instructions in my next post.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-24-2007, 02:48 PM   #12 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Ok fine, I'm ready any time you are.
hobbesotr is offline  
Old 01-24-2007, 02:52 PM   #13 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Hi again

As you can see from the Panda scan you have some infected e-mails – I recommend you clear out your archive of these items.


Clear your IE cookies. Start > Settings > Control Panel > Internet Options > General tab > under Temporary files, click on Delete Cookies.


Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.



Let’s remove that file.

1. Please download The Avenger to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\system32\ntos.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt at the end of this fix.



Delete the following File indicated in RED if it still exists.

c:\windows\system32\CSUninstall.exe

Note: If it resists, you may have to boot to Safe Mode to delete it.



Please run combofix again, just as you did previously.


Please post back with c:\avenger.txt, c:\combofix.txt and a fresh HijackThis Log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-24-2007, 06:24 PM   #14 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Combofix?!?

Hello again -

CWShredder restored no IE pages, restore hidden option tabs - done, removing hosts file redirections - none.

Combofix was not previously requested to be run. Where would you suggest download?

Avenger and HijackThis logs below. The F2 Reg system ini error remained. Tho, this time (as noted by its absence below) it was fixed.

It would seem we're making progress. What's next?

++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Avenger Log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\qogskgkj

*******************

Script file located at: \??\C:\Program Files\iuxdvwps.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\ntos.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:58:51 PM, on 1/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\taskswitch.exe
D:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe
C:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
D:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
E:\Hank's Documents\palmOne\Hotsync.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
H:\Disks & Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LGODDFU] "d:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF4 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCLEPCI] d:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [eBayToolbar] "d:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [AVG7_CC] d:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] "D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe"
O4 - HKCU\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "d:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Hank's Documents\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://D:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://D:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156883759109
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7530-b.../java/RntX.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/suppo...ionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79AE95EB-B2FB-4829-AF20-A61EC232635B}: NameServer = 65.32.5.74,65.32.3.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1339E64-B392-45EC-B9AE-8307A18CA2D9}: NameServer = 65.32.5.74,65.32.3.76
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - d:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
hobbesotr is offline  
Old 01-25-2007, 03:55 PM   #15 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Quote:
Combofix was not previously requested to be run. Where would you suggest download?
LOL - my apologies. That's what happens when I'm running several fixes for different users at the same time.

Avenger zapped that file - good work.


Here's combofix now...

Please download combofix.exe to your desktop.

IMPORTANT - You must place combofix on your desktop!!


Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-25-2007, 05:25 PM   #16 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Combofix Results

Here ya go.

"hank" - 07-01-25 18:52:01 Service Pack 2
ComboFix 07-01-25 - Running from: "C:\Documents and Settings\hank ausse\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-25 to 2007-01-25 ))))))))))))))))))))))))))))))))))


2007-01-24 19:50 <DIR> d-------- C:\avenger
2007-01-22 07:05 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-21 21:32 <DIR> d-------- C:\DOCUME~1\NETWOR~1\Application Data\Webroot
2007-01-21 20:28 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-21 20:28 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-21 20:28 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-01-21 20:28 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-21 20:28 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-01-21 20:28 <DIR> d-------- C:\Program Files\Grisoft
2007-01-21 20:28 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-01-21 20:28 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\AVG7
2007-01-21 20:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-01-21 20:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-01-21 14:21 <DIR> d-------- C:\HJT
2007-01-20 17:26 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2007-01-20 17:26 <DIR> d-------- C:\Program Files\Belarc
2007-01-20 16:36 160,768 --a------ C:\HijackThis.exe
2007-01-20 16:22 <DIR> d--hs---- C:\WINDOWS\system32\wsnpoem
2007-01-19 20:41 15,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-01-19 20:41 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-01-19 20:41 14,848 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-01-19 20:41 122,368 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-01-19 20:41 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\Webroot
2007-01-19 20:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Webroot
2007-01-19 20:39 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\Webroot
2007-01-19 14:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-01-19 13:28 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-01-19 13:28 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-01-15 11:12 <DIR> d-------- C:\Program Files\Common Files\Zinio
2007-01-15 11:12 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\ContentGuard
2007-01-12 19:55 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\Uniblue
2007-01-11 12:41 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\Pixmantec
2007-01-11 12:34 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\DivX
2007-01-11 12:16 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-01-11 12:13 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-01-11 10:39 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\CyberLink
2007-01-11 09:48 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\ArcSoft
2007-01-10 17:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Viewpoint
2007-01-09 11:16 391,984 --a------ C:\WINDOWS\system32\vnetlib.dll
2007-01-09 11:16 22,576 --a------ C:\WINDOWS\system32\drivers\vmnetuserif.sys
2007-01-09 11:16 142,128 --a------ C:\WINDOWS\system32\vmnat.exe
2007-01-09 11:16 113,456 --a------ C:\WINDOWS\system32\vmnetdhcp.exe
2007-01-03 11:18 <DIR> d-------- C:\Program Files\iTunes
2007-01-03 11:18 <DIR> d-------- C:\Program Files\iPod
2007-01-01 17:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\NETg
2006-12-29 17:24 <DIR> d-------- C:\DOCUME~1\HANKAU~1\Application Data\ADC Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-23 02:01 -------- d-------- C:\Program Files\google
2007-01-23 01:59 -------- d-------- C:\Program Files\Common Files\dataviz
2007-01-22 20:18 2517 --a------ C:\DOCUME~1\HANKAU~1\Application Data\cleanup!.log
2007-01-22 07:17 -------- d-------- C:\Program Files\citi virtual account numbers
2007-01-15 17:32 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\adobeum
2007-01-14 19:22 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\wholesecurity
2007-01-12 19:17 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-01-11 13:35 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\tunebite
2007-01-11 11:37 286720 --a------ C:\WINDOWS\iun506.exe
2007-01-11 10:48 -------- d-------- C:\Program Files\divx
2007-01-11 10:29 13664 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
2007-01-11 10:27 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\corel
2007-01-09 11:11 -------- d-------- C:\Program Files\Common Files\vmware
2007-01-09 10:45 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\vmware
2007-01-06 09:20 -------- d--h----- C:\Program Files\installshield installation information
2007-01-06 09:20 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\google
2007-01-03 11:17 -------- d-------- C:\Program Files\quicktime
2007-01-03 09:25 -------- d-------- C:\Program Files\apple software update
2007-01-01 19:06 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\u3
2006-12-15 14:47 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\officeupdate12
2006-12-12 11:30 520192 --a------ C:\WINDOWS\system32\divxsm.exe
2006-12-12 11:30 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-12-12 11:30 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-12-12 11:30 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-12-12 11:25 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-12-12 11:25 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-12-12 11:25 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-12-12 11:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-12-12 11:25 635486 --a------ C:\WINDOWS\system32\divx.dll
2006-12-12 11:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2006-12-12 11:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-12-12 11:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2006-12-12 11:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-12-12 11:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-12-12 11:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-12-12 11:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-12-12 11:24 12288 --a------ C:\WINDOWS\system32\divxwmpexttype.dll
2006-12-12 11:24 118784 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-12-08 12:08 -------- d---s---- C:\DOCUME~1\HANKAU~1\Application Data\microsoft
2006-12-07 10:24 -------- d-------- C:\Program Files\vga usb camera
2006-12-07 10:22 -------- d-------- C:\Program Files\asus
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 17:08 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\talkback
2006-12-03 17:08 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\mozilla
2006-12-01 08:49 -------- d-------- C:\Program Files\the weather channel fw
2006-11-26 15:40 -------- d-------- C:\DOCUME~1\HANKAU~1\Application Data\adobe
2006-11-25 11:25 168 -r-hs---- C:\WINDOWS\system32\6b82f4480f.sys
2006-11-18 06:44 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-16 19:47 524288 --a------ C:\WINDOWS\opuc.dll
2006-11-13 13:01 44848 --a------ C:\WINDOWS\system32\vmnetbridge.dll
2006-11-13 13:00 12080 --a------ C:\WINDOWS\system32\vnetinst.dll
2006-11-13 12:46 170800 --a------ C:\WINDOWS\system32\vmnc.dll
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Nero PhotoShow Media Manager"="D:\\PROGRA~1\\Nero\\NEROPH~1\\data\\Xtras\\mssysmgr.exe"
"Mobipocket Reader Notifications"="\"D:\\Program Files\\Mobipocket.com\\Mobipocket Reader\\readernotify.exe\""
"GBMPro7Agent"="\"d:\\Program Files\\Genie-Soft\\GBMPro7\\GBMAgent.exe\""
"Genie Backup"=""
"PowerBar"=""
"Gadwin PrintScreen 3.5"="\"d:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe\" /nosplash"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"RemoteControl"="\"d:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"LGODDFU"="\"d:\\Program Files\\lg_fwupdate\\fwupdate.exe\""
@=""
"CitiVAN"="\"C:\\Program Files\\Citi Virtual Account Numbers\\CitiVAN.exe\" /dontopenmycards"
"HP Software Update"="\"D:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"NeroFilterCheck"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""
"SSBkgdUpdate"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
"Opware15"="\"D:\\Program Files\\ScanSoft\\OmniPage15.0\\Opware15.exe\""
"OpScheduler"="\"D:\\Program Files\\ScanSoft\\OmniPage15.0\\OpScheduler.exe\""
"PDF4 Registry Controller"="\"D:\\Program Files\\ScanSoft\\PDF Professional 4.0\\\\RegistryController.exe\""
"CoolSwitch"="C:\\WINDOWS\\system32\\taskswitch.exe"
"GBMPro7Agent"="\"d:\\Program Files\\Genie-Soft\\GBMPro7\\GBMAgent.exe\""
"Genie Backup"=""
"RTHDCPL"="RTHDCPL.EXE"
"PCLEPCI"="d:\\PROGRA~1\\Pinnacle\\PPE\\PPE.EXE"
"Zone Labs Client"="\"d:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"eBayToolbar"="\"d:\\Program Files\\eBay\\eBay Toolbar2\\eBayTBDaemon.exe\""
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\\\PSDrvCheck.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"AVG7_CC"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="d:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\J]
Shell\AutoRun\command J:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\L]
Shell\AutoRun\command L:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IPoint_exe.job
C:\WINDOWS\tasks\Microsoft_Hardware_Launch_IType_exe.job
C:\WINDOWS\tasks\Registry-Complete.job

Completion time: 07-01-25 18:53:23
hobbesotr is offline  
Old 01-26-2007, 03:22 PM   #17 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,427
OS: Win XP Pro SP3 / Win 7 Pro

Hi again

One file I’m not sure about.

File Upload
Please submit the following file to Jotti File Scan

C:\WINDOWS\system32\6b82f4480f.sys

At the top of the window you should see "File to Upload & Scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" back in this thread.



Delete the following Folder indicated in BLUE if it still exists.

C:\DOCUMENTS AND SETTINGS\ALLUSERS\Application Data\Viewpoint



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Kaspersky Online Scanner


A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Glaswegian is offline  
Old 01-26-2007, 05:58 PM   #18 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Jotti Scan Results

Hi Iain -
Jotti results below. The AllUsers Viewpoint dir has been nuked. Will run the rest of the steps next. Couple questions for you. I notice that c:\windows\system32\wsnpoem\audio.dll (51kb, 1/22/07 7:08am) and video.dll (0kb, 1/20/07 4:22pm) still exist. Weren't they supposed to be long gone? One thing re: system performance. Whether, or not, it's related; on shutdown I've been getting several windows about ok or not to end HP related files. And dwwin (or something similar) can't run because windows is shutting down. For some time now, prior to getting nailed (?), I've lost the ability to do a system restore because the registry files are not restored. I've had some success w/manually copying the registry files from restore points in the system volume dir's. These are issues that have only been noted since last May when I built this computer. I've been attributing it to the crappy ASUS motherboard which has caused more than one problem. And prob's w/on board components. As in 1 of the onboard NIC's went belly up w/in 2wks.

Service
Service load: 0% 100%

File: 6b82f4480f.sys
Status: OK
MD5 b355532b6c9eaa6f9bfa8a700a2698d4


Packers detected: -
Scanner results
Scan taken on 27 Jan 2007 00:21:17 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
hobbesotr is offline  
Old 01-27-2007, 02:32 PM   #19 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


Kaspersky/HjT Results

Hello Again -

Here are the Kaspersky and HijackThis reports. The only for sure virus that I see listed in the Kaspersky scan is NTOS in the Avenger scan. There are a lot of infected, not a virus entries. However, I'm not concerned about them as they are Sysinternal utilities which were dl'd from a known site. What's next? I've pulled AVG off for the Kaspersky scan. Once the dust has settled I'll be pulling the rest of the security sfw and installing Symantec's internet suite. From what I've been reading, it's probably about as good as they come now. And, they've reportedly cleaned up their act in several previous prob areas. I know individual sfw app's from several companies will do just as good, if not better. However, having the integrated suite makes it easier to handle things and should eliminate any potential conflicts between 3 separate pieces.

Ok, what's next?

--------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, January 27, 2007 4:05:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/01/2007
Kaspersky Anti-Virus database records: 262626
--------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 217819
Number of viruses found: 5
Number of infected objects: 64 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:38:53

Infected Object Name / Virus Name / Last Action
C:\avenger\backup.zip/avenger/ntos.exe Infected: Trojan-Downloader.Win32.Delf.aww skipped
C:\avenger\backup.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\VMware\vmnetdhcp.leases Object is locked skipped
C:\Documents and Settings\hank ausse\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.1b552ee2.ini.inuse Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Temp\Perflib_Perfdata_8ec.dat Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Temp\Perflib_Perfdata_a40.dat Object is locked skipped
C:\Documents and Settings\hank ausse\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\hank ausse\ntuser.dat Object is locked skipped
C:\Documents and Settings\hank ausse\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\tmp\UIDbgMon.out Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{6A4717DA-8BDB-4CF9-A534-59047287A607}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat Object is locked skipped
C:\WINDOWS\Temp\vmware-vmount.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
D:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped
D:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
D:\System Volume Information\tracking.log Object is locked skipped
E:\System Volume Information\tracking.log Object is locked skipped
H:\Disks & Programs\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
H:\Disks & Programs\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
H:\Disks & Programs\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
H:\Disks & Programs\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso ISO image: infected - 3 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Networking\PsTools.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip ZIP: infected - 2 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\System Information\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\System Information\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
H:\Disks & Programs\Sysinternals - Nov 27, 2006\System Information\PsTools.zip ZIP: infected - 2 skipped
H:\System Volume Information\tracking.log Object is locked skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso/dosutils/tightvnc/tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Linux Distributions\SUSE\10.1\SUSE-Linux-10.1-Remastered-i386-CD1.iso ISO image: infected - 3 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools Suite.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\File & Disk Utils\PsTools.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Miscellaneous\PsTools.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools Suite.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Networking\PsTools.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsTools.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Processes & Threads\PsToolsSuite.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\Security Utilities\PsTools.zip ZIP: infected - 2 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\System Information\PsTools.zip/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.172 skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\System Information\PsTools.zip/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.r skipped
I:\BU's - Sync Tool\Disks 'n Pgm's\Sysinternals - Nov 27, 2006\System Information\PsTools.zip ZIP: infected - 2 skipped
I:\System Volume Information\tracking.log Object is locked skipped

Scan process completed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 4:29:19 PM, on 1/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\Program Files\Internet Explorer\iexplore.exe
H:\Disks & Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - d:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [RemoteControl] "d:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LGODDFU] "d:\Program Files\lg_fwupdate\fwupdate.exe"
O4 - HKLM\..\Run: [CitiVAN] "C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" /dontopenmycards
O4 - HKLM\..\Run: [HP Software Update] "D:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "D:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [OpScheduler] "D:\Program Files\ScanSoft\OmniPage15.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF4 Registry Controller] "D:\Program Files\ScanSoft\PDF Professional 4.0\\RegistryController.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCLEPCI] d:\PROGRA~1\Pinnacle\PPE\PPE.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [eBayToolbar] "d:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] D:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Mobipocket Reader Notifications] "D:\Program Files\Mobipocket.com\Mobipocket Reader\readernotify.exe"
O4 - HKCU\..\Run: [GBMPro7Agent] "d:\Program Files\Genie-Soft\GBMPro7\GBMAgent.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] "d:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe" /nosplash
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Hank's Documents\palmOne\Hotsync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &eBay Search - res://D:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with ScanSoft PDF Converter 4.0 - res://D:\Program Files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommo...ad/tgctlcm.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/service_c...ex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156883759109
O16 - DPF: {8BC53B30-32E4-4ED3-BEF9-DB761DB77453} (CInstallLPCtrl Object) - http://u3.sandisk.com/download/apps/LPInstaller.CAB
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.custhelp.com/7530-b.../java/RntX.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://www.musicmatch.com/form/suppo...ionControl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{79AE95EB-B2FB-4829-AF20-A61EC232635B}: NameServer = 65.32.5.74,65.32.3.76
O17 - HKLM\System\CCS\Services\Tcpip\..\{C1339E64-B392-45EC-B9AE-8307A18CA2D9}: NameServer = 65.32.5.74,65.32.3.76
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - d:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - d:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
hobbesotr is offline  
Old 01-27-2007, 05:49 PM   #20 (permalink)
Registered User
 
Join Date: Jan 2007
Location: Hurricane alley
Posts: 19
OS: xp pro


FYI -
Service 'X' which was requested to be deleted, but wouldn't, was able to be nuked today. It is no longer in the system.
hobbesotr is offline  
Copyright 2001 - 2009, Tech Support Forum