#1
Registered User
Join Date: May 2005
Posts: 35
OS: Win 2000

Winfirewall Popups
A computer within our company is getting the winfirewall popups and then IE shuts down. Ran AVG 7, found nothing - ran Housecall Trend Micro, found 6 items: ksidca.dat, s.dat, logtask.exe, wms.exe, catsys.exe and avrms.exe; deleted them - ran Adaware and found 4 items of Virtumonde, deleted them. The computer still has the same symptoms: Winfirewall popups and IE shuts down. AVG and Adaware were both updated prior to running. Posting my Hijackthis log that has been analyzed by the Hijackthis analyzer recommended here:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.97.7
Scan saved at 1:46:34 PM, on 5/27/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Speech\playeula.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dealertrack.com/creditbureau/CBArchive.asp
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nualue.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vaniw.dat (file missing)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sndniam.dat
O2 - BHO: (no name) - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O2 - BHO: (no name) - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kabbew.dat
O3 - Toolbar: DealerTrack Toolbar - {A6790AA5-C6C7-4BCF-A46F-0FDAC4EA90EB} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [sysexp] C:\WINNT\Web\sysexp.exe
O4 - HKLM\..\Run: [*tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [*avodbc] C:\WINNT\system\avodbc.exe
O4 - HKLM\..\Run: [*vsswave] C:\WINNT\msagent\vsswave.exe
O4 - HKLM\..\Run: [*fontip] C:\WINNT\Tasks\fontip.exe
O4 - HKLM\..\Run: [*netplay] C:\WINNT\addins\netplay.exe
O4 - HKLM\..\Run: [*acdisk] C:\WINNT\Cursors\acdisk.exe
O4 - HKLM\..\Run: [*cabsvr] C:\WINNT\msagent\chars\cabsvr.exe
O4 - HKLM\..\Run: [*waves] C:\WINNT\java\TrustLib\waves.exe
O4 - HKLM\..\Run: [*dbmfc] C:\WINNT\repair\dbmfc.exe
O4 - HKLM\..\Run: [*accmp3] C:\WINNT\Speech\accmp3.exe
O4 - HKLM\..\Run: [*cat] C:\WINNT\Driver Cache\cat.exe
O4 - HKLM\..\Run: [*wms] C:\WINNT\repair\wms.exe
O4 - HKLM\..\Run: [*urlxml] C:\WINNT\addins\urlxml.exe
O4 - HKLM\..\Run: [*vbtapi] C:\WINNT\inf\vbtapi.exe
O4 - HKLM\..\Run: [*dbkey] C:\WINNT\Windows Update Setup Files\dbkey.exe
O4 - HKLM\..\Run: [*playinfo] C:\WINNT\Speech\playinfo.exe
O4 - HKCU\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O9 - Extra button: Click to toggle the DealerTrack Toolbar (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.c...lateViewer.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://206.93.126.238/apps/common/in...NFIG-CHECK.CAB
O16 - DPF: {57453726-BB83-11D2-9047-00105ACE49EC} (PhotoLoad Control) - http://www.dmotorworks.com/activex/IA/PhotoLoad.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7862.517662037
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.c...ridControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD39F89D-F845-4F60-82FB-8494BD4DA072}:

End of KRC HijackThis Analyzer Log.
====================================================================
#2
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista

Hello snub and welcome to TSF,
Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Do not run it yet.

Download these two tools from Symantec:
Trojan.Vundo Removal Tool http://securityresponse.symantec.com...oval.tool.html
FixVundo http://securityresponse.symantec.com/avcenter/FixVundo.exe
and run it.

Reboot your system in Safe Mode (by repeatedly tapping the F8 key until the menu appears).

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
HuntBar
WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nualue.dat (file missing)
O2 - BHO: (no name) - {446CF8A5-617E-4D91-95AE-AE78CE0D06AF} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vaniw.dat (file missing)
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sndniam.dat
O2 - BHO: (no name) - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O2 - BHO: (no name) - {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kabbew.dat
O4 - HKLM\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [sysexp] C:\WINNT\Web\sysexp.exe
O4 - HKLM\..\Run: [*tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [*avodbc] C:\WINNT\system\avodbc.exe
O4 - HKLM\..\Run: [*vsswave] C:\WINNT\msagent\vsswave.exe
O4 - HKLM\..\Run: [*fontip] C:\WINNT\Tasks\fontip.exe
O4 - HKLM\..\Run: [*netplay] C:\WINNT\addins\netplay.exe
O4 - HKLM\..\Run: [*acdisk] C:\WINNT\Cursors\acdisk.exe
O4 - HKLM\..\Run: [*cabsvr] C:\WINNT\msagent\chars\cabsvr.exe
O4 - HKLM\..\Run: [*waves] C:\WINNT\java\TrustLib\waves.exe
O4 - HKLM\..\Run: [*dbmfc] C:\WINNT\repair\dbmfc.exe
O4 - HKLM\..\Run: [*accmp3] C:\WINNT\Speech\accmp3.exe
O4 - HKLM\..\Run: [*cat] C:\WINNT\Driver Cache\cat.exe
O4 - HKLM\..\Run: [*wms] C:\WINNT\repair\wms.exe
O4 - HKLM\..\Run: [*urlxml] C:\WINNT\addins\urlxml.exe
O4 - HKLM\..\Run: [*vbtapi] C:\WINNT\inf\vbtapi.exe
O4 - HKLM\..\Run: [*dbkey] C:\WINNT\Windows Update Setup Files\dbkey.exe
O4 - HKLM\..\Run: [*playinfo] C:\WINNT\Speech\playinfo.exe
O4 - HKCU\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuit.../ITDetector.cab

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

Files:
C:\WINNT\Fonts\tcpnut.exe
C:\WINNT\Web\sysexp.exe
C:\WINNT\system\avodbc.exe
C:\WINNT\msagent\vsswave.exe
C:\WINNT\Tasks\fontip.exe
C:\WINNT\addins\netplay.exe
C:\WINNT\Cursors\acdisk.exe
C:\WINNT\msagent\chars\cabsvr.exe
C:\WINNT\java\TrustLib\waves.exe
C:\WINNT\repair\dbmfc.exe
C:\WINNT\Speech\accmp3.exe
C:\WINNT\Driver Cache\cat.exe
C:\WINNT\repair\wms.exe
C:\WINNT\addins\urlxml.exe
C:\WINNT\inf\vbtapi.exe
C:\WINNT\Windows Update Setup Files\dbkey.exe
C:\WINNT\Speech\playinfo.exe
C:\WINNT\Speech\playeula.exe rerun

Folders:
C:\Program Files\Huntbar
C:\Program Files\WeatherBug

Run CleanUp! and click on the CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Normal Mode, run a new HijackThis scan and post the log.
#3
Registered User
Join Date: May 2005
Posts: 35
OS: Win 2000

Did everything on the list. One of the BHO entries and the C:\WINNT\Speech\playeula.exe are still here. I didn't see the second one when I went to the C drive to delete the files. I have not deleted these two entries yet. Here is the new log.
Thanks for the help.

Logfile of HijackThis v1.99.1
Scan saved at 9:41:29 AM, on 5/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\Speech\playeula.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dealertrack.com/creditbureau/CBArchive.asp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DealerTrack Toolbar - {A6790AA5-C6C7-4BCF-A46F-0FDAC4EA90EB} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Click to toggle the DealerTrack Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.c...lateViewer.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://206.93.126.238/apps/common/in...NFIG-CHECK.CAB
O16 - DPF: {57453726-BB83-11D2-9047-00105ACE49EC} (PhotoLoad Control) - http://www.dmotorworks.com/activex/IA/PhotoLoad.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.c...ridControl.cab
O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD39F89D-F845-4F60-82FB-8494BD4DA072}: NameServer = 66.255.85.8,66.255.85.9
O20 - Winlogon Notify: playeula - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
#4
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27

A little bit more to do...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean.

If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

===============
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update" (If an update isn't available, skip to step #4.)
2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"
===============
Let's download the Symantec VirtuMundo removal tool, and run it.
===============
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
- Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINNT\Speech\playeula.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
===============
Now, let's open a command prompt and unregister the dll(s) we're going to remove, by entering the following:
regsvr32 /u DealerTrackToolbar.dll
It's ok if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save on the typing.
===============
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O3 - Toolbar: DealerTrack Toolbar - {A6790AA5-C6C7-4BCF-A46F-0FDAC4EA90EB} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O9 - Extra button: Click to toggle the DealerTrack Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O20 - Winlogon Notify: playeula - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
Now, with all windows closed except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
folders...
C:\WINNT\Speech
C:\Program Files\DealerTrack
- Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
===============
Post back a new log, and let us know how everything goes.
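The entries the helpers singled out in posts #2 and #4 share a few tells: O4 autoruns whose value name starts with '*' or whose executable sits in a Windows subfolder such as Fonts, Cursors or Speech rather than system32; nameless BHOs loading .dat files from the Temp folder; orphaned '(no file)' entries; and an O20 Winlogon Notify DLL that is the same Temp .dat as one of those BHOs. The Python below is an added example, not code from the thread or from HijackThis: it parses log lines in that format, applies those tells as heuristics, and cross-references flagged entries that load the same file. The sample log is constructed from entries quoted in this thread; the regex names and the Finding class are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# A HijackThis entry: type code (R0-R3, O2, O4, O20, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<type>R[0-3]|O\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] ")
# First absolute Windows path that ends in a loadable/executable extension.
PATH_RE = re.compile(
    r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|dat|ocx|com|scr|cpl))\b', re.IGNORECASE)
# Path under the Windows directory; captures its first-level subfolder.
WINDIR_RE = re.compile(r"^[A-Za-z]:\\WIN(?:NT|DOWS)\\(?P<sub>[^\\]+)\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class Finding:
    etype: str            # entry type, e.g. "O20"
    path: Optional[str]   # file the entry loads, if one could be extracted
    reasons: List[str]    # heuristics that fired; empty means nothing to flag
    line: str


def extract_path(body: str) -> Optional[str]:
    m = PATH_RE.search(body)
    return m.group("path") if m else None


def in_system32(path: str) -> bool:
    m = WINDIR_RE.match(path)
    return bool(m) and m.group("sub").lower() == "system32"


def triage_entry(line: str) -> Optional[Finding]:
    """Score one log line with the tells the helpers used; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank or "Running processes" line
    etype, body = m.group("type"), m.group("body")
    path = extract_path(body)
    reasons: List[str] = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: target file is missing")
    if path and TEMP_RE.search(path):
        reasons.append("loads a file from a Temp folder")
    if etype == "O2" and "(no name)" in body:
        reasons.append("BHO has no name")
    if etype == "O4":
        m4 = O4_RE.match(body)
        if m4 and m4.group("name").startswith("*"):
            reasons.append("autorun value name starts with '*'")
        mw = WINDIR_RE.match(path) if path else None
        if mw and not in_system32(path):
            reasons.append(f"autorun executable in Windows subfolder '{mw.group('sub')}'")
    if etype == "O20" and path and not in_system32(path):
        reasons.append("Winlogon Notify DLL outside system32")
    return Finding(etype, path, reasons, line.strip())


def triage_log(text: str) -> List[Finding]:
    """Every flagged entry of a HijackThis log, in log order."""
    found = [triage_entry(raw) for raw in text.splitlines()]
    return [f for f in found if f is not None and f.reasons]


def shared_targets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Files loaded by more than one flagged entry (a BHO doubling as a Winlogon Notify DLL, say)."""
    by_path: Dict[str, List[str]] = {}
    for f in findings:
        if f.path:
            by_path.setdefault(f.path, []).append(f.etype)
    return {p: t for p, t in by_path.items() if len(t) > 1}


# Constructed sample: a header, a process line and entries quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Speech\playeula.exe
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nualue.dat (file missing)
O2 - BHO: CATLEvents Object - {BB54DE33-E539-4749-BFAC-CC49617E8F2A} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [*tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\Run: [sysexp] C:\WINNT\Web\sysexp.exe
O4 - HKCU\..\Run: [tcpnut] C:\WINNT\Fonts\tcpnut.exe
O4 - HKLM\..\RunOnce: [*playeula] C:\WINNT\Speech\playeula.exe rerun
O20 - Winlogon Notify: playeula - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\alueyalp.dat
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    flagged = triage_log(SAMPLE_LOG)
    for f in flagged:
        print(f"{f.etype:4} {f.path or '-'}\n     {'; '.join(f.reasons)}")
    for path, kinds in shared_targets(flagged).items():
        print(f"shared target {path}: {', '.join(kinds)}")
```

The rules are heuristics that reproduce what the helpers flagged in this thread, not a verdict on any entry; a legitimate driver installer that writes to an odd Windows subfolder would trip the O4 rule too.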
#6
Registered User
Join Date: May 2005
Posts: 35
OS: Win 2000

I think it's gone
CWShredder and VirtuMondo both ran clean. Could not "Kill Process" on Playeula.exe when running Hijackthis. It would immediately return to the list as well as the three entries that I tried to remove from the Hijackthis list. Could not delete the Speech folder in normal mode or safe mode due to a sharing violation, "in use". I tried using KillBox to delete the file on reboot but it came back. The file seems to get loaded at startup but doesn't show up in the Task Manager. I ran CleanUp with a custom setup and told it to delete the Speech folder, which it tried to do when I restarted but couldn't delete the entire folder but did delete most of the items there. I could then manually delete the playeula.exe file. Re-ran Hijackthis, playeula.exe was not in the process list, deleted the O2 and the O20 entries you told me to delete and now it looks clean. I am posting the new Hijackthis log. Tell me if it looks clean, thanks for the assistance.
Logfile of HijackThis v1.99.1
Scan saved at 10:18:27 AM, on 5/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.dealertrack.com/creditbureau/CBArchive.asp
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DealerTrack Toolbar - {A6790AA5-C6C7-4BCF-A46F-0FDAC4EA90EB} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Click to toggle the DealerTrack Toolbar - {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - C:\Program Files\DealerTrack\DealerTrack Toolbar\DealerTrackToolbar.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: PrintTemplateViewerCab - http://salespoint.dealerconnection.c...lateViewer.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4E8AEBE0-31A6-43B0-A429-748DB14A70A0} (SysEngW2k Control) - http://206.93.126.238/apps/common/in...NFIG-CHECK.CAB
O16 - DPF: {57453726-BB83-11D2-9047-00105ACE49EC} (PhotoLoad Control) - http://www.dmotorworks.com/activex/IA/PhotoLoad.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C7E73900-EF7C-4E63-B36E-E8EEE1CD7DA5} (MPGridControl Class) - http://salespoint.dealerconnection.c...ridControl.cab
O16 - DPF: {DAEB8818-608B-40D2-8AD6-193753623CEB} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD39F89D-F845-4F60-82FB-8494BD4DA072}: NameServer = 66.255.85.8,66.255.85.9
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
#7
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,958
OS: Vista Home Premium, SP 27

Congratulations! Your log looks clean - good work!
===============
Download, install and run Cleanup! from Steven Gould, then:
1. Click "Cleanup!" (wait for the program to finish scanning your system, and selecting files to be removed.)
2. Exit the program and reboot the computer, if necessary.
- For more information about using Cleanup! see here.
===============
Let us know if your system is behaving normally.