Problems with Dialer.bpl-Java/ByteVerify
lastrednk
Junior Member
12. April 2006 @ 01:34
My AVG keeps picking up the trojan "Dialer.bpl". I did a google search for it, but not much of anything was there about it. How do I get rid of it and eliminate any future threats?
Also, after doing an AVG scan, it tells me that I have Java/ByteVerify on my computer, the same thing that I believe led to my old hard drive going R.I.P. What's the best way of eliminating that for good?
Here's a logfile of a HijackThis scan I just did:
Logfile of HijackThis v1.99.1
Scan saved at 4:27:57 AM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MUSICA~1\mac.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1141697642\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mschkdsk.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CleanCache 3.0\CleanCache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tom Willenbring\My Documents\The File full of Stuff\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=thelast_resort66&login=...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;<local>;localhost
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpEE26.tmp (file missing)
O3 - Toolbar: Yellowbook.com Toolbar - {A0BC4BAA-B046-442E-A3DB-6F067F7EFC61} - C:\WINDOWS\system32\ybkIEToolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Music Alarm Clock] C:\PROGRA~1\MUSICA~1\mac.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141697642\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dmglx.exe] C:\WINDOWS\system32\dmglx.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1038626.exe
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://xmro.xmradio.com/xstream/registration/dell/xmprofiler.CAB
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Documents and Settings\Tom Willenbring\Local Settings\Temp\p95v2414\PRIME95.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
I appreciate any help you all can provide.
Senior Member
12. April 2006 @ 07:03
Ok, you got some infections.
You don't have a firewall on your computer. Download and install one firewall.
These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com
Cleaning instructions:
Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/
Download smitrem to your desktop -> http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double-click it and press Start; the smitrem folder appears on the desktop.
Restart your computer to the safe mode (Press F8 button when computer is starting and choose safe mode)
Go to Control Panel -> Add/Remove programs -> Remove PartyPoker if found.
Run HijackThis and fix these entries (if found): (Do a system scan only, check entries, close all other windows, press Fix checked)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=thelast_resort66&login=...
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpEE26.tmp (file missing)
O4 - HKLM\..\Run: [dmglx.exe] C:\WINDOWS\system32\dmglx.exe
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1038626.exe
O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.
Delete this folder if found:
C:\Program Files\PartyGaming
Delete these files if found:
C:\WINDOWS\system32\dmglx.exe
C:\WINDOWS\system32\mschkdsk.exe
C:\WINDOWS\SYSTEM32\winhab32.dll
Then go to the smitrem folder on your desktop, run RunThis.bat file and follow the instructions.
Empty the Recycle Bin
Make your hidden files invisible again:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Do not show hidden files and folders.
Scan your computer with Ewido and save the log file.
Restart your computer normally.
Post the following logs to here:
-> fresh HijackThis log
-> Ewido's log
-> C:\smitfiles.txt
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
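The entries the helper picks out above fall into a few recognisable patterns: an emptied browser setting, a BHO whose file is missing, Run values named after a bare executable in system32, a toolbar button whose target is gone, a Download Program File (O16) that fetches a remote .exe instead of a .cab, and a Winlogon Notify DLL nobody can account for. As an added example (not code from this thread, from HijackThis or from the helper), the Python script below parses HijackThis-style lines, including the ones the forum extraction glued together, and flags those patterns. The rules are heuristics, the Winlogon allow-list is an assumption supplied by whoever runs it, and the sample lines are copied from the two logs posted in this thread. The 127.0.0.1:81 proxy that the helper left alone is reported as "review" rather than "high": an ad-filtering proxy sets the same value, so the right check is which local program listens on that port.

```python
"""Triage of HijackThis v1.99-style log lines.

Added example, not code from this thread or from HijackThis: it parses the
R/F/O entries (also when extraction glued several onto one line) and flags
the kinds of entries a helper singles out first.  The rules are heuristics
and the Winlogon allow-list is supplied by whoever runs it.
"""
import re
from dataclasses import dataclass

# Entries copied from the first log posted in this thread (raw string, so the
# backslashes are literal).  One line is deliberately left glued together.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpEE26.tmp (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dmglx.exe] C:\WINDOWS\system32\dmglx.exe
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1038626.exe O20 - Winlogon Notify: winhab32 - C:\WINDOWS\SYSTEM32\winhab32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# A few entries from the rescan posted after cleaning, for comparison.
RESCAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


@dataclass
class Entry:
    section: str  # "R0", "O4", "O16", ...
    body: str     # everything after "Oxx - "


@dataclass
class Finding:
    severity: str  # "high": fix/remove; "review": verify before touching
    entry: Entry
    reason: str


MARK = r"(?:R\d|F\d|O\d{1,2})"
SPLIT_RE = re.compile(rf"\s+(?={MARK} - )")       # a marker glued mid-line
ENTRY_RE = re.compile(rf"^({MARK}) - (.*)$")
RUN_RE = re.compile(r"\[([^\]]+)\]\s+(\S+)")      # O4: [value name] first token of the command
LOOPBACK_RE = re.compile(r"ProxyServer = (127\.0\.0\.1|localhost)")


def parse_hjt(text):
    """Return the Entry list; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        for piece in SPLIT_RE.split(line.strip()):
            m = ENTRY_RE.match(piece)
            if m:
                entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def _basename(path):
    """Lower-cased file name of a Windows path, ignoring the '(file missing)' tag."""
    return path.replace("(file missing)", "").strip().split("\\")[-1].lower()


def triage(entries, winlogon_allow=frozenset()):
    """Apply the heuristics; winlogon_allow lists Notify DLLs known to belong to installed software."""
    allow = {d.lower() for d in winlogon_allow}
    out = []
    for e in entries:
        s, b = e.section, e.body
        missing = "(file missing)" in b
        target = b.split(" - ")[-1]  # last field: file path or URL
        if s.startswith("R") and b.endswith("="):
            out.append(Finding("high", e, "browser setting emptied; reset it to a known value"))
        elif s.startswith("R") and LOOPBACK_RE.search(b):
            out.append(Finding("review", e, "loopback proxy: check which local program listens on that port"))
        elif s == "O2" and (missing or _basename(target).endswith(".tmp")):
            out.append(Finding("high", e, "BHO whose DLL is missing or a temp file"))
        elif s == "O4" and (m := RUN_RE.search(b)):
            name, path = m.group(1).lower(), m.group(2)
            if name.endswith(".exe") and name == _basename(path) and "\\system32\\" in path.lower():
                out.append(Finding("high", e, "Run value named after a bare executable sitting in system32"))
        elif s == "O9" and missing:
            out.append(Finding("high", e, "browser button whose target no longer exists"))
        elif s == "O16" and target.lower().startswith("http") and target.lower().endswith(".exe"):
            out.append(Finding("high", e, "Download Program File fetching a remote .exe (how dialers arrive)"))
        elif s == "O20" and _basename(target) not in allow:
            out.append(Finding("high", e, "Winlogon Notify DLL not on the allow-list; loaded at every logon"))
    return out


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG), {"WRLogonNTF.dll"}):
        print(f"[{f.severity:6}] {f.entry.section} - {f.entry.body}\n         {f.reason}")
```

Running it on the rescan sample yields only the "review" finding for the loopback proxy, which is the quick way to confirm that a fresh log no longer carries the entries the helper listed. The O4 rule is deliberately narrow (value name identical to the executable name, file in system32) so that vendor entries such as NvCplDaemon are not reported.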
lastrednk
Junior Member
13. April 2006 @ 00:51
Ok, did all that. I did a rescan of HijackThis just for shits and grins. Here are the log files for everything:
Logfile of HijackThis v1.99.1
Scan saved at 3:48:51 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\MUSICA~1\mac.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\AOL\1141697642\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tom Willenbring\My Documents\The File full of Stuff\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;<local>;localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yellowbook.com Toolbar - {A0BC4BAA-B046-442E-A3DB-6F067F7EFC61} - C:\WINDOWS\system32\ybkIEToolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Music Alarm Clock] C:\PROGRA~1\MUSICA~1\mac.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1141697642\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {FC0A65F2-8DFF-4F0F-B411-D4A50311628D} (XMRADIO.XM_SystemProfiler) - http://xmro.xmradio.com/xstream/registration/dell/xmprofiler.CAB
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Documents and Settings\Tom Willenbring\Local Settings\Temp\p95v2414\PRIME95.EXE (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:41:34 AM, 4/13/2006
+ Report-Checksum: CA286177
+ Scan result:
:mozilla.56:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.129:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Onestat : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.238:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.241:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.264:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.270:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.271:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.272:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.273:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.274:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.344:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Pro-market : Cleaned with backup
:mozilla.349:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.350:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.359:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.360:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.373:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.374:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.386:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.389:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.390:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.398:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.408:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.409:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.419:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.420:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.421:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup
:mozilla.443:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.452:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.453:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.458:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.489:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.490:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.491:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.492:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.493:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.494:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.495:C:\Documents and Settings\Tom Willenbring\Application Data\Mozilla\Firefox\Profiles\6sjmw7yo.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
C:\Program Files\EMCO Malware Destroyer\Quarantine\THE-CHAMP\NMC.ZLOB.FX\Files\WINDOWS\System32\nvctrl.exe -> Downloader.Zlob.ku : Cleaned with backup
C:\WINDOWS\system32\dmskh.exe -> Trojan.Pakes : Cleaned with backup
::Report End
Sorry, I couldn't find a log of my Smitrem execution, but so far, so good. I used to get my AVG popping up once every few minutes letting me know of another temporary file the dialer.bpl trojan had claimed. Now, nothing like that since the cleanup.
I appreciate the help. Once again, the Afterdawn forums come through.
Death.
Taxes.
Afterdawn.
This message has been edited since posting. Last time this message was edited on 13. April 2006 @ 01:17
|
Senior Member
|
13. April 2006 @ 03:02 |
|
Ok, looking good, but let's make sure that you're clean...
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.
Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).
Post the contents of this text file here.
(Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)
And you seem to have EMCO Malware Destroyer on your PC. It can't be trusted, so it should be removed.
Remove it through Control Panel -> Add or Remove Programs.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
|
lastrednk
Junior Member
|
13. April 2006 @ 14:50 |
|
Here's the text file from the SmitFraudFix scan:
SmitFraudFix v2.29
Scan done at 17:49:28.82, Thu 04/13/2006
Run from C:\Documents and Settings\Tom Willenbring\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\amcompat.tlb FOUND !
C:\WINDOWS\system32\nscompat.tlb FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tom Willenbring\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Tom Willenbring\Favorites
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
-------------------------------------------------
Also removed EMCO. I've used it in the past and I noticed it wasn't able to remove the Smitfraud malware at all, even though it would pick it up. It's gone, and as long as I have Smitrem and Ewido, it's not really necessary, I guess.
This message has been edited since posting. Last time this message was edited on 13. April 2006 @ 14:52
|
Senior Member
|
14. April 2006 @ 08:04 |
|
Ok, EMCO wasn't able to remove the entire smitfraud infection (what a surprise), so let's clean those files with smitfraudfix.
And sorry for the delay, I've been busy ;)
Print these instructions.
Cleaning instructions
Restart your computer into safe mode and choose your normal user account.
When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".
The tool might have to restart your computer; if it doesn't, restart your computer back into normal mode.
A text file will appear after the cleaning process; copy this file and paste it here.
The log is saved to your local disk drive, usually C:\rapport.txt.
Warning: Running option 2 on a clean computer will delete your desktop wallpaper.
This message has been edited since posting. Last time this message was edited on 14. April 2006 @ 08:05
|
lastrednk
Junior Member
|
14. April 2006 @ 20:23 |
|
Done.
SmitFraudFix v2.29
Scan done at 23:19:36.76, Fri 04/14/2006
Run from C:\Documents and Settings\Tom Willenbring\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\system32\amcompat.tlb Deleted
C:\WINDOWS\system32\nscompat.tlb Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
|
Senior Member
|
14. April 2006 @ 20:42 |
|
Ok good, you're clean =)
|
lastrednk
Junior Member
|
15. April 2006 @ 01:18 |
|
Woohoo! Thanks for the help!
|
Senior Member
|
15. April 2006 @ 02:35 |
|
You're welcome =)
|
tippee
Newbie
|
23. April 2006 @ 18:54 |
|
I had dialer.bpl too. I followed the instructions and everything is good again. Thanks
|
tippee
Newbie
|
24. April 2006 @ 04:17 |
|
When I finished with all the instructions, my display theme changed from the classic Windows theme that I had been using to the XP theme. As soon as I changed it back, AVG found dialer.bpl again! I was on the computer all night yesterday and it was working fine...
|
Senior Member
|
24. April 2006 @ 05:30 |
|
|
tippee
Newbie
|
24. April 2006 @ 15:09 |
|
Here ya go!
Logfile of HijackThis v1.99.1
Scan saved at 8:07:38 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIMACE] C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit3.1\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
|
Senior Member
|
24. April 2006 @ 19:43 |
|
Hi tippee, your log isn't whole. Please send the full log ....
|
tippee
Newbie
|
25. April 2006 @ 07:51 |
|
Logfile of HijackThis v1.99.1
Scan saved at 12:49:48 PM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIMACE] C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit3.1\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcins...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
|
Senior Member
|
25. April 2006 @ 10:11 |
|
You don't have a firewall on your computer. Download and install a firewall.
These are good (free) firewalls:
ZoneAlarm --> http://www.zonelabs.com
Kerio --> http://www.sunbelt-software.com/Kerio.cfm
Outpost --> http://www.agnitum.com
Cleaning instructions:
Update your Ewido.
Run HijackThis, press "Do a system scan only" and checkmark this entry:
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
Then close all other windows (including your browser) and press the "Fix checked" button.
Scan and clean your computer with Ewido and save the log file.
Post a fresh HijackThis log and Ewido's log here so we can see if your computer is now clean.
Does AVG give you the location of the infected file?
|
tippee
Newbie
|
25. April 2006 @ 10:38 |
|
Well, I've got a lot of files in my AVG virus vault under the virus name 'trojan dialer.bpl'. Four of them have red exclamation points, the rest have blue?
The four red are
C:\WINDOWS\TEMP\winnbb.tmp.exe
C:\WINDOWS\TEMP\win56.tmp.exe
C:\WINDOWS\TEMP\winAE.tmp.exe
C:\WINDOWS\TEMP\win163.tmp.exe
I ran HijackThis and fixed the entry you told me to. Now I will install a firewall and run Ewido.
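The entry the helper asked to be fixed two posts up is a Winlogon Notify hook whose DLL no longer exists on disk, and the files tippee lists from AVG's vault all live under C:\WINDOWS\TEMP. Both are the kind of thing that can be picked out of a HijackThis log mechanically. The script below is an added example for this thread, not code from HijackThis, AVG, Ewido or any of the posters: it parses lines in HijackThis's log format and flags "(file missing)" entries, Winlogon Notify DLLs named without a directory or outside system32, and Run/Service binaries located in a temp folder. The sample lines are copied from the logs quoted in the thread except the last one, which is constructed to resemble the vault paths above; the three checks are triage heuristics chosen for the example, not verdicts HijackThis itself gives.

```python
"""Triage a HijackThis (v1.99.x style) log for autostart entries worth a second look.

Added example for this thread; not HijackThis's own code nor any poster's.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis's log format. All lines but the last are
# copied from the logs quoted in this thread; the last line is constructed to
# resemble the C:\WINDOWS\TEMP\win*.tmp.exe files tippee found in AVG's vault
# (the thread does not show such a Run entry).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: wintuh32 - wintuh32.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O4 - HKLM\..\Run: [winnbb] C:\WINDOWS\TEMP\winnbb.tmp.exe
"""

# Line shapes HijackThis uses for the sections checked here.
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")
# Leading program path of a command line: optional quotes, up to the first
# binary extension, stopping at a quote, whitespace or end of line.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|sys|cmd|bat))"?(?:\s|$)', re.I)


@dataclass
class Finding:
    line: str
    reason: str


def in_temp_dir(path: str) -> bool:
    """True when a directory component of a Windows path is a temp folder."""
    parts = [p.lower() for p in path.split("\\")[:-1]]
    return "temp" in parts or "tmp" in parts


def triage(log_text: str) -> List[Finding]:
    """Return the entries in a HijackThis log that deserve a second look.

    Heuristics chosen for this example (not HijackThis's own verdicts):
    * any entry HijackThis marks '(file missing)': the loader key outlived
      the file it pointed to, as with wintuh32 above;
    * an O20 Winlogon Notify DLL named without a directory or living outside
      system32 (these DLLs are loaded by winlogon.exe at logon);
    * an O4 Run or O23 Service binary located in a temp folder.
    Only the bracketed 'Run:' form of O4 is parsed; 'Startup:' lines are skipped.
    """
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            findings.append(Finding(line, "dangling entry: file gone, loader key remains"))
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path")
            if "\\" not in path:
                findings.append(Finding(line, "Winlogon Notify DLL named without a directory"))
            elif "\\system32\\" not in path.lower():
                findings.append(Finding(line, "Winlogon Notify DLL outside system32"))
            continue
        for rx in (O4_RE, O23_RE):
            m = rx.match(line)
            if m:
                cmd = m.group("cmd") if rx is O4_RE else m.group("path")
                exe = EXE_RE.match(cmd)
                if exe and in_temp_dir(exe.group("exe")):
                    findings.append(Finding(line, "autostart binary lives in a temp folder"))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the two lines a helper would pick out: the dangling wintuh32 Winlogon Notify entry and the constructed Run entry under TEMP; the AVG, Java and Intel graphics entries pass. A "(file missing)" hit is worth fixing even after the file itself has been cleaned, since the orphaned key is what the thread's helper had tippee remove with HijackThis's "Fix checked".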
|
Senior Member
|
25. April 2006 @ 10:49 |
|
|
tippee
Newbie
|
25. April 2006 @ 20:27 |
|
Here's the Ewido report...
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:25:05 AM, 4/26/2006
+ Report-Checksum: 8CBEA324
+ Scan result:
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\cxnqd78k.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
::Report End
|
Senior Member
|
25. April 2006 @ 20:55 |
Link to this message
|
Ok, Ewido's log looks clean, please post a new HijackThis log too =)
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
|
tippee
Newbie
|
26. April 2006 @ 05:46 |
Link to this message
|
Logfile of HijackThis v1.99.1
Scan saved at 10:42:34 AM, on 4/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Device Detector] "C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe" -autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ATIMACE] C:\Program Files\ATI Technologies\ATI.ACE\MACE.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: WinZIP Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit3.1\bsurl.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcins...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
|
Senior Member
|
26. April 2006 @ 06:35 |
Link to this message
|
Ok, your log looks clean =)
You should install a firewall...
Is AVG still alerting you about the trojan/dialer ?
|
tippee
Newbie
|
26. April 2006 @ 09:48 |
Link to this message
|
Everything seems to be all clear. Thanks for the help!
|
Senior Member
|
26. April 2006 @ 19:34 |
Link to this message
|
Ok good, you're welcome =)
|