G
Guest
These 2 spyware ar not being detected by Microsift Antispyware (Beta 1)
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
G
Guest
Steps to take if you have spyware that is not removed by Microsoft Windows
AntiSpyware (betª)
1) Open up AntiSpywªre
2) Click Tools at the tºp
3) Click "Submit a Suspected Spyware Repºrt"
4) Fill out the form with as much detail so they can anªlyze quickly.
Have you tried these operations running in safe mºde?
1) Update both Microsoft Antispyware and your antivirus applicªtion.
2B)Shut down the computer and turn off the power. Wait for at least 30
seconds, and then restart the computer in Safe mode or VGA mºde.
Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those fºlders.
http://www.mvps.org/winhelp2002/delcache.htm
3) Do full deep scans with Microsoft Antispyware. Repeat scanning until a
complete scan comes through clean. Ditto with the ªntivirus.
Let us know how it works ºut.
..
Download the following and run a thorough scan in safe mºde:
NOTE: Make certain to update every app before booting into Safe Mode since
you WILL NOT have access to the Internet from Safe Mºde.
Ad-Aware - http://www.lavasoftusa.com
http://hem.bredband.net/b288305/lavasofts_adaware_quick_start.htm
Spybot S&D - http://www.safer-networking.org/
http://net-integration.net/index.html
Make certain to not to select any of the pernament protection for Spybot and
DO NOT immunize the system, as this can interfere with MSAS' Real-tme
Protectiºn.
CWShredder - http://www.intermute.com/products/cwshredder.html
Spy Sweeper - http://www.webroot.com
Ccleaner - http://www.ccleaner.com
Also check windows updates to make sure you have the latest security patches
and service packs instªlled :
http://windowsupdate.microsoft.com/
From: "AndyManchesta"
This is Backdoor Haxdoor so it is nasty infection.
Haxdoor opens a backdoor and can give access on the infected pc to the
attacker also it can act as a keylogger, steal passwords and install rootkits
that can prevent it being stopped or deleted and can disable other Security
software (Antivirus, Firewall & Antispy)
Your best using AntiVius scanners for this and if the problems continue then
use we can use Hijack This and other tools to clean up.
Run these scanners :
Trend Micro
http://housecall.antivirus.com/
Panda
http://www.pandasoftware.com/activescan/
----------------------------------------------------------
If the problem is still there use Hijack This and Microworlds Escan and post
the log's they produce either on here or to my email and we can manually
remove all the junk.
Download Hijack This, Save it to desktop or C:drive, Extract and run then
choose "system scan and save logfile" and post that back
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Also download Microworlds eScan
http://www.mwti.net/download/tools/mwav.exe
Save it to a folder.
Double click the Mwav.exe file.
Select all local drives, scan all files, and press SCAN.
When it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL
C on your keyboard to copy everything found in the lower pane and save it to
a notepad file
*Note* If prompted that a virus was found and you need to purchase the
product to remove the malware, just close out the prompt and let it continue
scanning. We are not going to use this to remove anything...but to Identify
the bad files.
Once you copy that to a Notepad file...highlight the text and copy it here
with a Hijack This log
Good luck
Engel
AntiSpyware (betª)
1) Open up AntiSpywªre
2) Click Tools at the tºp
3) Click "Submit a Suspected Spyware Repºrt"
4) Fill out the form with as much detail so they can anªlyze quickly.
Have you tried these operations running in safe mºde?
1) Update both Microsoft Antispyware and your antivirus applicªtion.
2B)Shut down the computer and turn off the power. Wait for at least 30
seconds, and then restart the computer in Safe mode or VGA mºde.
Empty your IE cache and your other temporary file folders, eg: c:\temp,
c:\windows\temp or C:\Documents and Settings\<name>\Local Settings\Temp (the
path to your temp folder will change depending on your name) - sometimes
programmes can be hidden in there - watch out for mysterious *.exe files or
*.dll files in those fºlders.
http://www.mvps.org/winhelp2002/delcache.htm
3) Do full deep scans with Microsoft Antispyware. Repeat scanning until a
complete scan comes through clean. Ditto with the ªntivirus.
Let us know how it works ºut.
..
Download the following and run a thorough scan in safe mºde:
NOTE: Make certain to update every app before booting into Safe Mode since
you WILL NOT have access to the Internet from Safe Mºde.
Ad-Aware - http://www.lavasoftusa.com
http://hem.bredband.net/b288305/lavasofts_adaware_quick_start.htm
Spybot S&D - http://www.safer-networking.org/
http://net-integration.net/index.html
Make certain to not to select any of the pernament protection for Spybot and
DO NOT immunize the system, as this can interfere with MSAS' Real-tme
Protectiºn.
CWShredder - http://www.intermute.com/products/cwshredder.html
Spy Sweeper - http://www.webroot.com
Ccleaner - http://www.ccleaner.com
Also check windows updates to make sure you have the latest security patches
and service packs instªlled :
http://windowsupdate.microsoft.com/
From: "AndyManchesta"
This is Backdoor Haxdoor so it is nasty infection.
Haxdoor opens a backdoor and can give access on the infected pc to the
attacker also it can act as a keylogger, steal passwords and install rootkits
that can prevent it being stopped or deleted and can disable other Security
software (Antivirus, Firewall & Antispy)
Your best using AntiVius scanners for this and if the problems continue then
use we can use Hijack This and other tools to clean up.
Run these scanners :
Trend Micro
http://housecall.antivirus.com/
Panda
http://www.pandasoftware.com/activescan/
----------------------------------------------------------
If the problem is still there use Hijack This and Microworlds Escan and post
the log's they produce either on here or to my email and we can manually
remove all the junk.
Download Hijack This, Save it to desktop or C:drive, Extract and run then
choose "system scan and save logfile" and post that back
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Also download Microworlds eScan
http://www.mwti.net/download/tools/mwav.exe
Save it to a folder.
Double click the Mwav.exe file.
Select all local drives, scan all files, and press SCAN.
When it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL
C on your keyboard to copy everything found in the lower pane and save it to
a notepad file
*Note* If prompted that a virus was found and you need to purchase the
product to remove the malware, just close out the prompt and let it continue
scanning. We are not going to use this to remove anything...but to Identify
the bad files.
Once you copy that to a Notepad file...highlight the text and copy it here
with a Hijack This log
Good luck
Engel
Hijachthis report log
Logfile of HijackThis v1.99.1
Scan saved at 1:13:18 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
"C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/investor/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp?r=al&cf=sp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124728010281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe"
Logfile of HijackThis v1.99.1
Scan saved at 1:13:18 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
"C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Trend Micro\Tmas\tmas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://moneycentral.msn.com/investor/home.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://my.netzero.net/s/sp?r=al&cf=sp
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124728010281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O17 - HKLM\System\CS1\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O17 - HKLM\System\CS2\Services\Tcpip\..\{3B75C344-AB3D-4232-A087-913BB159E7FF}: NameServer = 67.108.16.254,67.101.238.238
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe"
MWAV Report Log
Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "system soap pro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "lop.com Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4FD5C4D3-6C15-4EA0-9EB9-EEE8FC74A91B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A63D47D-1BA2-48ff-9955-31207899BE01}" refers to invalid object "c:\program files\mcafee.com\shared\mcinfo.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{620D55B0-F2FB-464E-A278-B4308DB1DB2B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{741BEEFD-AEC0-4AFF-84AF-4F61D15F5526}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A41359E-0407-470F-B3F7-7C6A0F7C449A}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7C4A630A-DE98-4E3E-8093-E8F5E159BB72}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7ED1E9B1-CB57-4FA0-84E8-FAE653FE8E6B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A6931B16-90FA-4D69-A49F-3ABFA2C04060}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AA36A1-8BD1-47E0-90F8-47E7239C6EA1}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E678CBDC-D022-41F5-AB21-C43DFD9DFC3E}" refers to invalid object "C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SBTrayAppPS.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F49E3694-7E8F-43ef-AE89-568DA20C6527}" refers to invalid object "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\Shredder.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA2CBAFB-F7B1-4F41-9B7A-73329A6C1CB7}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2D5E2D34-BED5-4B9F-9793-A31E26E6806E}" refers to invalid object "C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\Redemption.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{58DCD6BF-86B1-4780-ABBF-BDF4EFAD0F09}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7D3F5DE4-E980-4407-A10F-9AC771ABAAE6}" refers to invalid object "C:\Program Files\AOL Toolbar\toolbar.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9574F2A8-BC7C-4CA4-B568-CC8182FDFB98}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\dmx.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9C8DC5B0-D47D-445B-B8B5-37CFB1982699}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A73B6F3D-FD35-4992-AB4B-4AD729BB20E7}" refers to invalid object "c:\program files\mcafee.com\shared\mcinfo.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B55B9108-FF52-474f-A15C-03DE72F52E33}" refers to invalid object "piproj.dll". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPEnvelope.1" refers to invalid object "{286E500C-EF0A-4AA3-A94D-E495F653EF4B}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPMain.1" refers to invalid object "{9809A6B4-70B1-4BB2-B3B5-B415763A534E}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPMessage.1" refers to invalid object "{319260AB-BE0C-4025-8569-7A27ED2FAAB9}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPRecipients.1" refers to invalid object "{D5178F77-C5E6-4E8F-9787-48B5D7ECCCE8}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DMX.IEObj" refers to invalid object "{6D3CED33-9C0A-44BA-AAB9-252EE67A436C}". Action Taken: No Action Taken.
Entry "HKCR\DMX.IEObj.1" refers to invalid object "{6D3CED33-9C0A-44BA-AAB9-252EE67A436C}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.MailAnim" refers to invalid object "{31A59636-0FA3-4A56-954D-DB7AD02840D8}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.MailAnim.1" refers to invalid object "{31A59636-0FA3-4A56-954D-DB7AD02840D8}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.WebmailSend" refers to invalid object "{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.WebmailSend.1" refers to invalid object "{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.HtmlMenuUI" refers to invalid object "{354382DB-DF55-4DA9-85A3-41696A0F510F}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.HtmlMenuUI.1" refers to invalid object "{354382DB-DF55-4DA9-85A3-41696A0F510F}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.ToolbarCtl" refers to invalid object "{0AB71193-EC19-4D70-85C2-E46E2FF02755}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.ToolbarCtl.1" refers to invalid object "{0AB71193-EC19-4D70-85C2-E46E2FF02755}". Action Taken: No Action Taken.
Entry "HKCR\SpamBlockerConfig.Application.1" refers to invalid object "{D9882035-7745-47c7-8D5E-C11178F9C553}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\xwwhmtvg.exe tagged as "not-a-virus:AdWare.Win32.Shopper.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP128\A0012098.exe tagged as "not-a-virus:AdWare.Win32.Hotbar.ar". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012108.dll tagged as "not-a-virus:AdWare.Win32.HotBar.be". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012117.dll tagged as "not-a-virus:AdWare.Win32.Hotbar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012118.exe tagged as "not-a-virus:AdWare.Win32.Hotbar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008195.dll tagged as "not-a-virus:AdWare.Win32.HotBar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008197.dll tagged as "not-a-virus:AdWare.Win32.Hotbar.q". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008202.exe tagged as "not-a-virus:AdWare.Win32.HotBar.an". Action Taken: No Action Taken.
File C:\WINDOWS\system32\xwwhmtvg.exe tagged as "not-a-virus:AdWare.Win32.Shopper.c". Action Taken: No Action Taken.
Object "searchexe Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "hotbar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "system soap pro Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "lop.com Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "powerreg scheduler Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "redv Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "whenu.savenow Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4FD5C4D3-6C15-4EA0-9EB9-EEE8FC74A91B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A63D47D-1BA2-48ff-9955-31207899BE01}" refers to invalid object "c:\program files\mcafee.com\shared\mcinfo.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{620D55B0-F2FB-464E-A278-B4308DB1DB2B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{741BEEFD-AEC0-4AFF-84AF-4F61D15F5526}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7A41359E-0407-470F-B3F7-7C6A0F7C449A}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7C4A630A-DE98-4E3E-8093-E8F5E159BB72}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{7ED1E9B1-CB57-4FA0-84E8-FAE653FE8E6B}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A6931B16-90FA-4D69-A49F-3ABFA2C04060}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AA36A1-8BD1-47E0-90F8-47E7239C6EA1}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E678CBDC-D022-41F5-AB21-C43DFD9DFC3E}" refers to invalid object "C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SBTrayAppPS.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F49E3694-7E8F-43ef-AE89-568DA20C6527}" refers to invalid object "C:\Program Files\McAfee\McAfee Shared Components\Shredder 5\Shredder.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA2CBAFB-F7B1-4F41-9B7A-73329A6C1CB7}" refers to invalid object "C:\PROGRA~1\SPAMBL~1\Bin\461~1.0\REDEMP~1.DLL". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{2D5E2D34-BED5-4B9F-9793-A31E26E6806E}" refers to invalid object "C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\Redemption.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{58DCD6BF-86B1-4780-ABBF-BDF4EFAD0F09}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\Word8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{7D3F5DE4-E980-4407-A10F-9AC771ABAAE6}" refers to invalid object "C:\Program Files\AOL Toolbar\toolbar.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9574F2A8-BC7C-4CA4-B568-CC8182FDFB98}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\dmx.dll". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{9C8DC5B0-D47D-445B-B8B5-37CFB1982699}" refers to invalid object "C:\DOCUME~1\Owner\LOCALS~1\Temp\Excel8.0\MSForms.exd". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{A73B6F3D-FD35-4992-AB4B-4AD729BB20E7}" refers to invalid object "c:\program files\mcafee.com\shared\mcinfo.exe". Action Taken: No Action Taken.
Entry "HKCR\TypeLib\{B55B9108-FF52-474f-A15C-03DE72F52E33}" refers to invalid object "piproj.dll". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPEnvelope.1" refers to invalid object "{286E500C-EF0A-4AA3-A94D-E495F653EF4B}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPMain.1" refers to invalid object "{9809A6B4-70B1-4BB2-B3B5-B415763A534E}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPMessage.1" refers to invalid object "{319260AB-BE0C-4025-8569-7A27ED2FAAB9}". Action Taken: No Action Taken.
Entry "HKCR\ASAPCom.ASAPRecipients.1" refers to invalid object "{D5178F77-C5E6-4E8F-9787-48B5D7ECCCE8}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DMX.IEObj" refers to invalid object "{6D3CED33-9C0A-44BA-AAB9-252EE67A436C}". Action Taken: No Action Taken.
Entry "HKCR\DMX.IEObj.1" refers to invalid object "{6D3CED33-9C0A-44BA-AAB9-252EE67A436C}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.MailAnim" refers to invalid object "{31A59636-0FA3-4A56-954D-DB7AD02840D8}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.MailAnim.1" refers to invalid object "{31A59636-0FA3-4A56-954D-DB7AD02840D8}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.WebmailSend" refers to invalid object "{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}". Action Taken: No Action Taken.
Entry "HKCR\SbHostOL.WebmailSend.1" refers to invalid object "{C2BAA4C9-AE1E-4605-AE2F-A1C49A30D881}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.HtmlMenuUI" refers to invalid object "{354382DB-DF55-4DA9-85A3-41696A0F510F}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.HtmlMenuUI.1" refers to invalid object "{354382DB-DF55-4DA9-85A3-41696A0F510F}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.ToolbarCtl" refers to invalid object "{0AB71193-EC19-4D70-85C2-E46E2FF02755}". Action Taken: No Action Taken.
Entry "HKCR\SbToolbar.ToolbarCtl.1" refers to invalid object "{0AB71193-EC19-4D70-85C2-E46E2FF02755}". Action Taken: No Action Taken.
Entry "HKCR\SpamBlockerConfig.Application.1" refers to invalid object "{D9882035-7745-47c7-8D5E-C11178F9C553}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\xwwhmtvg.exe tagged as "not-a-virus:AdWare.Win32.Shopper.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP128\A0012098.exe tagged as "not-a-virus:AdWare.Win32.Hotbar.ar". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012108.dll tagged as "not-a-virus:AdWare.Win32.HotBar.be". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012117.dll tagged as "not-a-virus:AdWare.Win32.Hotbar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP129\A0012118.exe tagged as "not-a-virus:AdWare.Win32.Hotbar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008195.dll tagged as "not-a-virus:AdWare.Win32.HotBar.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008197.dll tagged as "not-a-virus:AdWare.Win32.Hotbar.q". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP89\A0008202.exe tagged as "not-a-virus:AdWare.Win32.HotBar.an". Action Taken: No Action Taken.
File C:\WINDOWS\system32\xwwhmtvg.exe tagged as "not-a-virus:AdWare.Win32.Shopper.c". Action Taken: No Action Taken.
G
Guest
I also have Haxdoor.cx which is not removed by MS antispyware (or it is
removed and comes back with every scan).
I have done all the recommended methods found in this forum.
I've scanned in safe mode with MS antispyware, spybot, adaware, panda,
sysclean (which found 11 other virus's!) and Computer associate's EZ Armor.
here is my Hijackthis logfile (run with all above programs shutdown):
Logfile of HijackThis v1.99.1
Scan saved at 7:14:00 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\wavdriver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\barry\LOCALS~1\Temp\ab62f1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program
Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program
Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator
5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [wavdriver] "C:\WINDOWS\wavdriver.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ
Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [scrbmk] "C:\WINDOWS\scrbmk.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [Jjwxlqq] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe"
/startup
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI
RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant
Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server -
C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program
Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program
Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents
and Settings\All Users\Application
Data\Infospace\OptimumOnline\contextsearch.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant
Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: HushEncryptionEngine -
https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: YExplorer1_8US.CAB -
http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class)
- http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} -
http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131464010214
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload
Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class)
- http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader)
- http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload
Tool Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -
http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) -
http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) -
https://partnering.one.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
https://music.msn.com/client/msnmusax2416.cab
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: CAISafe - Computer Associates International, Inc. -
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
removed and comes back with every scan).
I have done all the recommended methods found in this forum.
I've scanned in safe mode with MS antispyware, spybot, adaware, panda,
sysclean (which found 11 other virus's!) and Computer associate's EZ Armor.
here is my Hijackthis logfile (run with all above programs shutdown):
Logfile of HijackThis v1.99.1
Scan saved at 7:14:00 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\wavdriver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\barry\LOCALS~1\Temp\ab62f1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program
Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program
Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator
5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [wavdriver] "C:\WINDOWS\wavdriver.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ
Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [scrbmk] "C:\WINDOWS\scrbmk.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [Jjwxlqq] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe"
/startup
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI
RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant
Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server -
C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program
Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program
Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents
and Settings\All Users\Application
Data\Infospace\OptimumOnline\contextsearch.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant
Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: HushEncryptionEngine -
https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: YExplorer1_8US.CAB -
http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class)
- http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} -
http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131464010214
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload
Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class)
- http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader)
- http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload
Tool Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -
http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) -
http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) -
https://partnering.one.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
https://music.msn.com/client/msnmusax2416.cab
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: CAISafe - Computer Associates International, Inc. -
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
B
Bill Sanderson
You'd be far better off waiting until Andy Manchesta or some other expert
can get a look at this, but these entries stick out for me:
O4 - HKCU\..\Run: [Jjwxlqq] C:\WINDOWS\system32\?hkntfs.exe
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
The fact that they stick out may well mean that they are just the tip of the
iceberg, and removing them won't be sufficient--but that's where I'd start.
Have you tried Ewido or Sunbelt's Counterspy on this?
--
can get a look at this, but these entries stick out for me:
O4 - HKCU\..\Run: [Jjwxlqq] C:\WINDOWS\system32\?hkntfs.exe
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
The fact that they stick out may well mean that they are just the tip of the
iceberg, and removing them won't be sufficient--but that's where I'd start.
Have you tried Ewido or Sunbelt's Counterspy on this?
--
mbny said:I also have Haxdoor.cx which is not removed by MS antispyware (or it is
removed and comes back with every scan).
I have done all the recommended methods found in this forum.
I've scanned in safe mode with MS antispyware, spybot, adaware, panda,
sysclean (which found 11 other virus's!) and Computer associate's EZ
Armor.
here is my Hijackthis logfile (run with all above programs shutdown):
Logfile of HijackThis v1.99.1
Scan saved at 7:14:00 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\wavdriver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\barry\LOCALS~1\Temp\ab62f1.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program
Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program
Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [diagent] "C:\Program
Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator
5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Common
Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [VOBRegCheck]
C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust
EZ
Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [wavdriver] "C:\WINDOWS\wavdriver.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ
Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [ISUSScheduler]
"C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [scrbmk] "C:\WINDOWS\scrbmk.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [seticlient] C:\Program
Files\SETI@home\[email protected] -min
O4 - HKCU\..\Run: [Jjwxlqq] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe"
/startup
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI
RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SoftStuff Wallpaper Changer.lnk = C:\Program
Files\SoftStuff\softstrt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
present
O8 - Extra context menu item: Add to AD Black List - C:\Program
Files\Avant
Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server -
C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program
Files\Siber
Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Highlight - C:\Program Files\Avant
Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program
Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Program
Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents
and Settings\All Users\Application
Data\Infospace\OptimumOnline\contextsearch.htm
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program
Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Search - C:\Program Files\Avant
Browser\Search.htm
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -
file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms -
{320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} -
file://C:\Program Files\Siber Systems\AI
RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar -
{724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber
Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -
C:\Program
Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet
Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: HushEncryptionEngine -
https://mailserver2.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: YExplorer1_8US.CAB -
http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup
Class)
- http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup
Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
Tool) -
http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6632A7E9-FE1F-43D2-A04A-A15951ED63E0} -
http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131464010214
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture
Upload
Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller
Class)
- http://h30155.www3.hp.com/ediags/gs/install/guidedsolutions.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo
Uploader)
- http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy
Upload
Tool Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload
Tool) -
http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) -
http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O16 - DPF: {EA297219-593E-408D-BFD4-2D43E203550D} (strprint.trprints) -
https://partnering.one.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj
Class) -
http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} -
https://music.msn.com/client/msnmusax2416.cab
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: CAISafe - Computer Associates International, Inc. -
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology
Ltd -
C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation -
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA
Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates
International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ
Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
From: "AndyManchesta"
This is Backdoor Haxdoor so it is nasty infection.
Haxdoor opens a backdoor and can give access on the infected pc to the
attacker also it can act as a keylogger, steal passwords and install
rootkits
that can prevent it being stopped or deleted and can disable other
Security
software (Antivirus, Firewall & Antispy)
Your best using AntiVius scanners for this and if the problems continue
then
use we can use Hijack This and other tools to clean up.
Run these scanners :
Trend Micro
http://housecall.antivirus.com/
Panda
http://www.pandasoftware.com/activescan/
----------------------------------------------------------
If the problem is still there use Hijack This and Microworlds Escan and
post
the log's they produce either on here or to my email and we can manually
remove all the junk.
Download Hijack This, Save it to desktop or C:drive, Extract and run then
choose "system scan and save logfile" and post that back
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Also download Microworlds eScan
http://www.mwti.net/download/tools/mwav.exe
Save it to a folder.
Double click the Mwav.exe file.
Select all local drives, scan all files, and press SCAN.
When it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use
&CTRL
C on your keyboard to copy everything found in the lower pane and save it
to
a notepad file
*Note* If prompted that a virus was found and you need to purchase the
product to remove the malware, just close out the prompt and let it
continue
scanning. We are not going to use this to remove anything...but to
Identify
the bad files.
Once you copy that to a Notepad file...highlight the text and copy it
here
with a Hijack This log
Good luck
Engel
R
Randy Knobloch
<Post your log to /any/ of the following (expert) forums for analysis.>
*Note, registration is required prior to posting a log.
- Not listed in any particular order -
(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://www.dslreports.com/forum/security)
(http://castlecops.com/forum67.html)
(http://www.cybertechhelp.com/forums/forumdisplay.php?f=25)
(http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html)
(http://gladiator-antivirus.com/forum/index.php?showforum=170)
(http://forum.iamnotageek.com/f-130.html)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=5)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://forums.techguy.org/f54-s.html)
(http://forums.tomcoyote.org/index.php?showforum=27)
(http://forums.subratam.org/index.php?showforum=7)
(http://www.5starsupport.com/ipboard/index.php?showforum=18)
Silj
--
siljaline
MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31
Reply to group, as return address
is invalid that we may all benefit.
*Note, registration is required prior to posting a log.
- Not listed in any particular order -
(http://aumha.net/viewforum.php?f=30)
(http://www.bleepingcomputer.com/forums/forum22.html)
(http://www.dslreports.com/forum/security)
(http://castlecops.com/forum67.html)
(http://www.cybertechhelp.com/forums/forumdisplay.php?f=25)
(http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html)
(http://gladiator-antivirus.com/forum/index.php?showforum=170)
(http://forum.iamnotageek.com/f-130.html)
(http://forums.maddoktor2.com/index.php?showforum=17)
(http://www.spywarewarrior.com/viewforum.php?f=5)
(http://forums.spywareinfo.com/index.php?showforum=18)
(http://forums.techguy.org/f54-s.html)
(http://forums.tomcoyote.org/index.php?showforum=27)
(http://forums.subratam.org/index.php?showforum=7)
(http://www.5starsupport.com/ipboard/index.php?showforum=18)
Silj
--
siljaline
MS - MVP Windows (IE/OE) & Security, AH-VSOP
_________________________________________
Security Tools Updates
http://aumha.net/viewforum.php?f=31
Reply to group, as return address
is invalid that we may all benefit.