Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Display changes automatically.
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 01-21-2007, 03:37 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


Display changes automatically.
My display changes from XP style to Classic style every night around 4 or 5 pm.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 5:34:46 PM, on 1/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\PrinterAnywhere\paConsole.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\windows media player\wmplayer.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on AMYLAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P44 "Auto EPSON Stylus CX4800 Series on AMYLAPTOP" /O17 "\\AMYLAPTOP\EPSON" /M "Stylus CX4800"
O4 - HKLM\..\Run: [PrinterAnywhere] C:\Program Files\PrinterAnywhere\paConsole.exe -minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Microsoft] svhost.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [Microsoft] svhost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1167957340500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168097020812
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D0EFBCB-FE0C-4259-BCA9-3B7FB4664377}: NameServer = 205.246.142.11,204.117.214.10
O18 - Protocol: bw+0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Workstation Application - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows firewall svc - Unknown owner - C:\WINDOWS\navapsvc.exe (file missing)
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 01-23-2007, 03:57 PM   #2 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


bump.
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-26-2007, 04:53 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


bump.
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-29-2007, 06:22 PM   #4 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


bump.
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 01-29-2007, 10:31 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,949
OS: WinXP and Vista


Hello chickenNsims2,

Thank you for your patience, our apologies for the oversight of your thread.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

-------------------------------------

Close any open browsers.

-------------------------------------



Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /wow-drv Microsoft Workstation Application windows firewall svc

When finished, it shall produce a log for you that will ultimately be named ComboFix2.txt. I'll need that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Microsoft] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft] svhost.exe

Fix all of those Logitech O18 entries except the very first, and the last one listed.

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
*Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files if they still exist.

**Please be very careful of the spelling--make sure you are deleting the files spelled exactly as shown below:

C:\WINDOWS\ scvhost.exe
svhost.exe <--Do a search via Start>Search>All Files and folders and delete.

--------------------------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix2.txt
AVG Anti-Spyware results
Panda results
C:\ComboFix.txt
New HijackThis log
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-05-2007, 07:58 AM   #6 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


Ok, I only had one problem, I think I have a different version of AVG Anti-Spyware than what the directions said. So I'm not sure if that stuff is right...

C:\ComboFix2.txt-
"user" - 07-02-04 17:14:02 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\user\desktop"
Command switches used :: /wow-drv Microsoft Workstation Application windows firewall svc

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\a.exe
C:\b.exe
C:\p.exe
C:\WINDOWS\scvhost.exe


((((((((((((((((((((((((((((((( Files Created from 2007-01-04 to 2007-02-04 ))))))))))))))))))))))))))))))))))


2007-02-04 17:56 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-04 17:05 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-04 17:05 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-04 17:05 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-04 17:05 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-04 17:05 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-04 17:05 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-04 17:05 <DIR> d-------- C:\DOCUME~1\user\Application Data\AVG7
2007-02-04 17:05 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-04 17:04 <DIR> d-------- C:\Program Files\Grisoft
2007-02-04 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-04 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-02-03 16:36 <DIR> d-------- C:\DOCUME~1\user\Application Data\ArcSoft
2007-02-03 16:31 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-02-03 16:31 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-02-03 14:06 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-02-03 14:06 <DIR> d-------- C:\DOCUME~1\user\Application Data\Real
2007-02-03 14:05 <DIR> d-------- C:\Program Files\Best Buy Rhapsody
2007-02-03 13:50 10,368 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-02-03 13:49 10,368 --a------ C:\WINDOWS\system32\iviaspi.sys
2007-02-03 13:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\InstallShield
2007-02-03 13:48 <DIR> d-------- C:\Program Files\Sandisk
2007-02-03 13:48 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-01-31 15:25 <DIR> d-------- C:\DOCUME~1\user\Application Data\IDS_COMPANY
2007-01-21 08:03 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-21 08:03 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-21 08:03 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-01-21 08:03 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-20 19:40 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-01-19 18:57 <DIR> d-------- C:\Program Files\balldroppings
2007-01-16 15:44 <DIR> d-------- C:\WINDOWS\pss
2007-01-14 14:30 <DIR> d-------- C:\DOCUME~1\user\Application Data\EPSON
2007-01-14 12:00 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-01-14 08:44 <DIR> d-------- C:\Program Files\Future Pinball
2007-01-13 16:41 <DIR> d-------- C:\DOCUME~1\user\Application Data\BitTorrent
2007-01-13 16:40 <DIR> d-------- C:\Program Files\BitTorrent
2007-01-13 14:56 <DIR> d-------- C:\Program Files\Disaffected
2007-01-13 12:51 <DIR> d-------- C:\Program Files\De Blob
2007-01-13 09:41 <DIR> d-------- C:\rh
2007-01-11 10:57 <DIR> d-------- C:\DOCUME~1\user\Application Data\Viewpoint
2007-01-06 21:44 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-01-06 21:42 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-01-06 21:42 <DIR> d-------- C:\Program Files\Realtek
2007-01-06 21:20 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-01-06 21:20 9,698,816 --a------ C:\WINDOWS\RTLCPL.EXE
2007-01-06 21:20 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2007-01-06 21:20 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-01-06 21:20 3,160,576 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-01-06 21:20 294,912 --a------ C:\WINDOWS\HideWin.exe
2007-01-06 21:20 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2007-01-06 21:20 2,087,936 --a------ C:\WINDOWS\MicCal.exe
2007-01-06 21:20 14,565,376 --a------ C:\WINDOWS\RTHDCPL.EXE
2007-01-06 21:19 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2007-01-06 13:46 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-06 10:35 <DIR> d-------- C:\WINDOWS\system32\PreInstall


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-04 17:57 -------- d-------- C:\Documents and Settings\user\Application Data\avg7
2007-02-04 17:07 -------- d-------- C:\Program Files\mozilla firefox
2007-02-04 17:04 -------- d---s---- C:\Documents and Settings\user\Application Data\microsoft
2007-02-03 16:36 -------- d-------- C:\Documents and Settings\user\Application Data\arcsoft
2007-02-03 14:15 -------- d-------- C:\Program Files\creative
2007-02-03 14:07 -------- d-------- C:\Program Files\Common Files\real
2007-02-03 14:06 -------- d-------- C:\Program Files\real
2007-02-03 14:06 -------- d-------- C:\Documents and Settings\user\Application Data\real
2007-02-03 13:48 -------- d--h----- C:\Program Files\installshield installation information
2007-01-31 15:25 -------- d-------- C:\Documents and Settings\user\Application Data\ids_company
2007-01-28 14:30 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-27 15:13 -------- d-------- C:\Documents and Settings\user\Application Data\u3
2007-01-23 13:26 -------- d-------- C:\Program Files\printeranywhere
2007-01-18 17:22 -------- d-------- C:\Program Files\java
2007-01-14 14:30 -------- d-------- C:\Documents and Settings\user\Application Data\epson
2007-01-14 13:33 -------- d-------- C:\Program Files\sierra
2007-01-13 16:42 -------- d-------- C:\Documents and Settings\user\Application Data\bittorrent
2007-01-11 10:57 -------- d-------- C:\Documents and Settings\user\Application Data\viewpoint
2007-01-06 09:05 -------- d-------- C:\Program Files\aim gadgets
2007-01-01 17:56 -------- d-------- C:\Program Files\movie maker
2007-01-01 14:00 -------- d-------- C:\Documents and Settings\user\Application Data\utorrent
2007-01-01 10:48 -------- d-------- C:\Program Files\abexo
2006-12-27 16:46 -------- d-------- C:\Program Files\playlinc
2006-12-26 13:25 -------- d-------- C:\Program Files\pcpitstop
2006-12-23 21:46 802816 --a------ C:\WINDOWS\feedingfrenzy.scr
2006-12-23 21:45 774144 --a------ C:\Program Files\rnginterstitial.dll
2006-12-23 21:24 -------- d-------- C:\Program Files\microsoft windows vista upgrade advisor
2006-12-23 19:57 27615 --a------ C:\ba.exe
2006-12-21 19:17 -------- d-------- C:\Documents and Settings\user\Application Data\snapfish
2006-12-21 17:07 -------- d-------- C:\Program Files\stormregion
2006-12-17 08:10 -------- d-------- C:\Program Files\Common Files\aol
2006-12-16 10:56 -------- d-------- C:\Program Files\yahoo!
2006-12-16 10:56 -------- d-------- C:\Program Files\nch swift sound
2006-12-16 09:48 -------- d-------- C:\Program Files\aim6
2006-11-27 03:45 60416 --------- C:\WINDOWS\system32\tzchange.exe
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Steam"=""
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Auto EPSON Stylus CX4800 Series on AMYLAPTOP"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P44 \"Auto EPSON Stylus CX4800 Series on AMYLAPTOP\" /O17 \"\\\\AMYLAPTOP\\EPSON\" /M \"Stylus CX4800\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"RTHDCPL"="RTHDCPL.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaLifeService"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P26 \"EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"AlcWzrd"="ALCWZRD.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"PrinterAnywhere"="C:\\Program Files\\PrinterAnywhere\\paConsole.exe -minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-04 19:00:32


AVG Anti-Spyware results (I'm not sure if this is the right thing or not?)

General properties
Report name Complete Test
Start time 7/2/2004 17:57
End time 07-02-04 18:52 (total: 55:17.3 Min)
Launch method Scanning launched manually
Scanning result No threats found
Report status Scanning completed successfully

Object summary
Scanned 90127
Threats Found 0
Cleaned 0
Moved to vault 0
Deleted 0
Errors 0

Test messages
Info Exception while scanning C:\Program Files\Valve\Steam\SteamApps\chickennsims2\counter-strike source\cstrike\cache\gg_de_alivemetal.bsp.bz20000



C:\ComboFix.txt

"user" - 07-02-05 9:48:15 Service Pack 2
ComboFix 07.02.04 - Running from: "C:\Documents and Settings\user\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-05 to 2007-02-05 ))))))))))))))))))))))))))))))))))


2007-02-04 19:16 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-04 17:56 <DIR> dr-h----- C:\$VAULT$.AVG
2007-02-04 17:05 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-04 17:05 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-04 17:05 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-04 17:05 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-04 17:05 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-04 17:05 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-04 17:05 <DIR> d-------- C:\DOCUME~1\user\Application Data\AVG7
2007-02-04 17:05 <DIR> d-------- C:\DOCUME~1\LOCALS~1\Application Data\AVG7
2007-02-04 17:04 <DIR> d-------- C:\Program Files\Grisoft
2007-02-04 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Grisoft
2007-02-04 17:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\avg7
2007-02-03 16:36 <DIR> d-------- C:\DOCUME~1\user\Application Data\ArcSoft
2007-02-03 16:31 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2007-02-03 16:31 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-02-03 14:06 8,413 --a------ C:\WINDOWS\system32\drivers\mcstrm.sys
2007-02-03 14:06 <DIR> d-------- C:\DOCUME~1\user\Application Data\Real
2007-02-03 14:05 <DIR> d-------- C:\Program Files\Best Buy Rhapsody
2007-02-03 13:50 10,368 --------- C:\WINDOWS\system32\drivers\iviaspi.sys
2007-02-03 13:49 10,368 --a------ C:\WINDOWS\system32\iviaspi.sys
2007-02-03 13:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\InstallShield
2007-02-03 13:48 <DIR> d-------- C:\Program Files\Sandisk
2007-02-03 13:48 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-01-31 15:25 <DIR> d-------- C:\DOCUME~1\user\Application Data\IDS_COMPANY
2007-01-21 08:03 75,512 --a------ C:\WINDOWS\zllsputility.exe
2007-01-21 08:03 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-21 08:03 1,087,216 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-01-21 08:03 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-20 19:40 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-01-19 18:57 <DIR> d-------- C:\Program Files\balldroppings
2007-01-16 15:44 <DIR> d-------- C:\WINDOWS\pss
2007-01-14 14:30 <DIR> d-------- C:\DOCUME~1\user\Application Data\EPSON
2007-01-14 12:00 <DIR> d-------- C:\Program Files\GameSpy Arcade
2007-01-14 08:44 <DIR> d-------- C:\Program Files\Future Pinball
2007-01-13 16:41 <DIR> d-------- C:\DOCUME~1\user\Application Data\BitTorrent
2007-01-13 16:40 <DIR> d-------- C:\Program Files\BitTorrent
2007-01-13 14:56 <DIR> d-------- C:\Program Files\Disaffected
2007-01-13 12:51 <DIR> d-------- C:\Program Files\De Blob
2007-01-13 09:41 <DIR> d-------- C:\rh
2007-01-11 10:57 <DIR> d-------- C:\DOCUME~1\user\Application Data\Viewpoint
2007-01-06 21:44 <DIR> d-------- C:\WINDOWS\system32\Lang
2007-01-06 21:42 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2007-01-06 21:42 <DIR> d-------- C:\Program Files\Realtek
2007-01-06 21:20 90,112 --a------ C:\WINDOWS\SOUNDMAN.EXE
2007-01-06 21:20 9,698,816 --a------ C:\WINDOWS\RTLCPL.EXE
2007-01-06 21:20 69,632 --a------ C:\WINDOWS\ALCMTR.EXE
2007-01-06 21:20 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2007-01-06 21:20 3,160,576 --a------ C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-01-06 21:20 294,912 --a------ C:\WINDOWS\HideWin.exe
2007-01-06 21:20 2,805,248 --a------ C:\WINDOWS\ALCWZRD.EXE
2007-01-06 21:20 2,087,936 --a------ C:\WINDOWS\MicCal.exe
2007-01-06 21:20 14,565,376 --a------ C:\WINDOWS\RTHDCPL.EXE
2007-01-06 21:19 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2007-01-06 13:46 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-06 10:35 <DIR> d-------- C:\WINDOWS\system32\PreInstall


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-05 09:26 -------- d-------- C:\Program Files\symantec
2007-02-05 09:26 -------- d-------- C:\Program Files\sims2pack clean installer
2007-02-05 09:25 -------- d-------- C:\Program Files\quicktime
2007-02-05 09:23 -------- d-------- C:\Program Files\messenger
2007-02-05 09:20 -------- d-------- C:\Program Files\itunes
2007-02-05 09:12 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-05 09:10 -------- d-------- C:\Program Files\aim6
2007-02-05 09:09 -------- d-------- C:\Program Files\aim gadgets
2007-02-05 08:59 -------- d-------- C:\DOCUME~1\user\Application Data\symantec
2007-02-05 08:55 -------- d-------- C:\Program Files\mozilla firefox
2007-02-04 17:04 -------- d---s---- C:\DOCUME~1\user\Application Data\microsoft
2007-02-03 14:15 -------- d-------- C:\Program Files\creative
2007-02-03 14:07 -------- d-------- C:\Program Files\Common Files\real
2007-02-03 14:06 -------- d-------- C:\Program Files\real
2007-02-03 13:48 -------- d--h----- C:\Program Files\installshield installation information
2007-01-27 15:13 -------- d-------- C:\DOCUME~1\user\Application Data\u3
2007-01-23 13:26 -------- d-------- C:\Program Files\printeranywhere
2007-01-18 17:22 -------- d-------- C:\Program Files\java
2007-01-14 13:33 -------- d-------- C:\Program Files\sierra
2007-01-01 17:56 -------- d-------- C:\Program Files\movie maker
2007-01-01 14:00 -------- d-------- C:\DOCUME~1\user\Application Data\utorrent
2007-01-01 10:48 -------- d-------- C:\Program Files\abexo
2006-12-27 16:46 -------- d-------- C:\Program Files\playlinc
2006-12-26 13:25 -------- d-------- C:\Program Files\pcpitstop
2006-12-23 21:46 802816 --a------ C:\WINDOWS\feedingfrenzy.scr
2006-12-23 21:45 774144 --a------ C:\Program Files\rnginterstitial.dll
2006-12-23 21:24 -------- d-------- C:\Program Files\microsoft windows vista upgrade advisor
2006-12-23 19:57 27615 --a------ C:\ba.exe
2006-12-21 19:17 -------- d-------- C:\DOCUME~1\user\Application Data\snapfish
2006-12-21 17:07 -------- d-------- C:\Program Files\stormregion
2006-12-17 08:10 -------- d-------- C:\Program Files\Common Files\aol
2006-12-16 10:56 -------- d-------- C:\Program Files\yahoo!
2006-12-16 10:56 -------- d-------- C:\Program Files\nch swift sound
2006-11-27 03:45 60416 --------- C:\WINDOWS\system32\tzchange.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"Steam"=""
"LDM"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Auto EPSON Stylus CX4800 Series on AMYLAPTOP"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P44 \"Auto EPSON Stylus CX4800 Series on AMYLAPTOP\" /O17 \"\\\\AMYLAPTOP\\EPSON\" /M \"Stylus CX4800\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"SoundMan"="SOUNDMAN.EXE"
"RTHDCPL"="RTHDCPL.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"MediaLifeService"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"High Definition Audio Property Page Shortcut"="HDAShCut.exe"
"EPSON Stylus CX4800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIADA.EXE /P26 \"EPSON Stylus CX4800 Series\" /O6 \"USB001\" /M \"Stylus CX4800\""
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"AlcWzrd"="ALCWZRD.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"PrinterAnywhere"="C:\\Program Files\\PrinterAnywhere\\paConsole.exe -minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
Shell\AutoRun\command E:\Autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{102273d8-f94c-11da-bcef-806d6172696f}]
Shell\AutoRun\command E:\Autorun.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - user.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-05 9:51:22
C:\ComboFix2.txt ... 07-02-04 19:00


New HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 9:52:49 AM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on AMYLAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P44 "Auto EPSON Stylus CX4800 Series on AMYLAPTOP" /O17 "\\AMYLAPTOP\EPSON" /M "Stylus CX4800"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrinterAnywhere] C:\Program Files\PrinterAnywhere\paConsole.exe -minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1167957340500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168097020812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O18 - Protocol: bw+0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Workstation Application - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: windows firewall svc - Unknown owner - C:\WINDOWS\navapsvc.exe (file missing)
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-05-2007, 06:10 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,949
OS: WinXP and Vista


Hi,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as " All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
@echo off
sc stop "windows firewall svc"
sc delete "windows firewall svc"
exit
Double click FixServices.bat. A window will open and close. This is normal.

-------------------------------------------------

Unfortunately, you downloaded AVG Free Anti Virus is error. (it is a bit confusing as their products are named so similarly)

It's never a good idea to have more than 1 AV installed, so please uninstall AVG Free Edition via the Add/Remove programs, then delete it's folder if it still exists:

C:\Program Files\ Grisoft

-------------------------------------------------

Let's try again to download AVG Anti Spyware.

Download AVG Anti Spyware

**Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

--------------------------------------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------


IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
Run AVG Anti-Spyware with it's updated definitions:(...it's important that all windows must be closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

--------------------------------------------------------------------

Reboot into Normal Mode.

--------------------------------------------------------------------

Were you able to perform the online scan at Panda? If so, please post those results as well.

-------------------------------------------------

Please include the following in your next reply:

AVG A-S results
Panda results
What is your E:\ drive?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-06-2007, 08:58 AM   #8 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


AVG A-S Results:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:43:14 AM 2/6/2007

+ Scan result:



HKU\S-1-5-21-220523388-1177238915-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8FB8EB3-183B-4598-924D-86F0E5E37085} -> Adware.WhyPPC : No action taken.
C:\System Volume Information\_restore{BA120A9A-9C30-40D7-AF02-033199796543}\RP38\A0004764.exe -> Backdoor.Rbot : No action taken.
C:\System Volume Information\_restore{BA120A9A-9C30-40D7-AF02-033199796543}\RP39\A0005001.exe -> Backdoor.Rbot : No action taken.
C:\System Volume Information\_restore{BA120A9A-9C30-40D7-AF02-033199796543}\RP70\A0010385.exe -> Backdoor.Rbot : No action taken.
C:\System Volume Information\_restore{BA120A9A-9C30-40D7-AF02-033199796543}\RP70\A0010386.exe -> Backdoor.Rbot : No action taken.
C:\Documents and Settings\user\Cookies\user@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\user\Cookies\user@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
:mozilla.36:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\user\Cookies\user@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.27:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.28:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.29:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.30:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.33:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.21:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.22:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.23:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.25:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\user\Cookies\user@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.32:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\System Volume Information\_restore{BA120A9A-9C30-40D7-AF02-033199796543}\RP70\A0010392.exe -> Worm.Opanki.ao : No action taken.


::Report end

Panda Results:(sorry, I just forgot to post these last time.)


Incident Status Location

Adware:adware/24-7-search Not disinfected c:\windows\system32\unPPC.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.atwola.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.2o7.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.statcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.hitbox.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.com.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.burstnet.com/]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[citi.bridgetrack.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\wsarvkr1.Default User\cookies.txt[.trafficmp.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Cookies\user@2o7[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\user\Cookies\user@advertising[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\user\Cookies\user@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\system32\Tools\Restart.exe

My E:\ Drive is a Disc Drive. It has the CD for The Sims 2 Pets in it.
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-06-2007, 06:52 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,949
OS: WinXP and Vista


Hi,

Did you set AVG A-S to Quarantine--the scan results say 'No Action Taken'.

Please check your settings and scan again:

Launch AVG A-S
  • On the main screen select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"

Now run the scan:
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, **Please ensure it is set to Quarantine then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
--------------------------------------------------------------------

Delete the following file:

c:\windows\system32\ unPPC.exe

**If the above resists deletion, boot into Safe Mode and delete.

--------------------------------------------------------------------

Please post the AVG A-S results again along with a new HijackThis log.

How is your system behaving?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-09-2007, 01:31 PM   #10 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


I think the AVG results say no action taken because I accidently saved the log before I "took action", or whatever you want to call it. If you want me to rescan I can.

I deleted the unPPC.exe file.

Here is a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:30:05 PM, on 2/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\user\Desktop\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Auto EPSON Stylus CX4800 Series on AMYLAPTOP] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P44 "Auto EPSON Stylus CX4800 Series on AMYLAPTOP" /O17 "\\AMYLAPTOP\EPSON" /M "Stylus CX4800"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PrinterAnywhere] C:\Program Files\PrinterAnywhere\paConsole.exe -minimized
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1167957340500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1168097020812
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O18 - Protocol: bw+0 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {82FFFEE7-466C-46AB-A1C4-689C5F5D1D17} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Workstation Application - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

My system is acting fine, it actually stopped changing the display after like the 2nd time I bumped this thread. I didn't do anything to it, it just stopped.
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-09-2007, 09:33 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,949
OS: WinXP and Vista


Good.

Just fix this last entry in HijackThis--it's a leftover entry from McAfee and is corrupted. Run the scan with HijackThis, 'check' the following entry and click 'Fix Checked':

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

-----------------------------------------------------

Your logs are now clean. Please continue with these final instructions:

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.


To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

Download the McAfee Site Advisor--free. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and the potential for becoming infected will reduce dramatically.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-10-2007, 07:26 AM   #12 (permalink)
Registered User
 
Join Date: Jan 2007
Posts: 39
OS: XP


Thank you so so so so much!
chickenNsims2 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 02-10-2007, 06:16 PM   #13 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,949
OS: WinXP and Vista


You're quite welcome.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 02:19 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85