TheTechGuide Forum
General Category => Tech Clinic => Topic started by: birdman on January 01, 2006, 07:18:40 PM
-
Logfile of HijackThis v1.99.1
Scan saved at 6:14:20 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marcus\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.yahoo.com/zzzzzzzzlll?intl=us&os=win&ver=7,0,0,437
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E11725F-6298-4F18-8C4F-C48A16BCDE44}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
I don't have any problems as of yet, but my virus scanner picks up Worm/VB.CE. Can anyone help me remove this please......!!!!!!
-
Where is your AV finding this bad guy?
How many AVs do you have running?
It appears you use AVG, but I also see an entry for AntiVir?
Can you do the following please? I just want to check on something.
==Download and save WinPFind.zip (http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip)
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
Reboot back to Normal mode
Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder
-
Thanks guys for helping me rid my computer of this worm.
I only use one AV. I uninstalled the other; I don't even remember what was on there.
OK, first I'll post the
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/3/2004 7:07:00 PM 41397 C:\WINNT\SYSTEM32\dfrg.msc
PECompact2 12/7/2005 1:38:52 PM 2714976 C:\WINNT\SYSTEM32\MRT.exe
aspack 12/7/2005 1:38:52 PM 2714976 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/3/2004 7:07:00 PM 708096 C:\WINNT\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 7:07:00 PM 657920 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 8/3/2004 7:07:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
UPX! 12/21/2005 2:57:26 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
FSG! 12/21/2005 2:57:26 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
PEC2 12/21/2005 2:57:26 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
aspack 12/21/2005 2:57:26 AM 749600 C:\WINNT\SYSTEM32\drivers\avg7core.sys
Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/1/2006 10:50:02 PM S 2048 C:\WINNT\bootstat.dat
12/20/2005 6:51:40 PM H 363912 C:\WINNT\ShellIconCache
12/20/2005 9:24:16 PM RH 749 C:\WINNT\WindowsShell.Manifest
12/20/2005 9:02:56 PM S 64 C:\WINNT\CSC\00000001
12/20/2005 9:24:28 PM H 65 C:\WINNT\Downloaded Program Files\desktop.ini
12/20/2005 9:25:50 PM HS 67 C:\WINNT\Fonts\desktop.ini
12/21/2005 12:46:40 AM H 0 C:\WINNT\inf\oem11.inf
12/20/2005 9:24:28 PM H 65 C:\WINNT\Offline Web Pages\desktop.ini
12/20/2005 9:25:08 PM RHS 727 C:\WINNT\pchealth\helpctr\PackageStore\package_1.cab
12/20/2005 9:25:08 PM RHS 19854 C:\WINNT\pchealth\helpctr\PackageStore\package_2.cab
12/20/2005 9:25:08 PM RHS 244933 C:\WINNT\pchealth\helpctr\PackageStore\package_3.cab
12/20/2005 9:26:58 PM H 249856 C:\WINNT\repair\ntuser.dat
12/19/2005 4:22:14 PM H 10842 C:\WINNT\system32\ATMenuxx.GID
12/20/2005 9:24:16 PM RH 749 C:\WINNT\system32\cdplayer.exe.manifest
12/20/2005 9:24:28 PM RH 488 C:\WINNT\system32\logonui.exe.manifest
12/20/2005 9:24:16 PM RH 749 C:\WINNT\system32\ncpa.cpl.manifest
12/20/2005 9:24:16 PM RH 749 C:\WINNT\system32\nwc.cpl.manifest
12/20/2005 9:24:16 PM RH 749 C:\WINNT\system32\sapi.cpl.manifest
1/1/2006 9:10:20 PM H 35870 C:\WINNT\system32\vsconfig.xml
12/20/2005 9:24:28 PM RH 488 C:\WINNT\system32\WindowsLogon.manifest
12/20/2005 9:24:16 PM RH 749 C:\WINNT\system32\wuaucpl.cpl.manifest
12/26/2005 5:21:22 AM H 4212 C:\WINNT\system32\zllictbl.dat
11/30/2005 10:17:10 PM S 21633 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 6:12:48 PM S 10925 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/1/2006 10:50:12 PM H 40960 C:\WINNT\system32\config\default.LOG
12/20/2005 3:09:56 PM H 0 C:\WINNT\system32\config\default.tmp.LOG
1/1/2006 10:52:10 PM H 1024 C:\WINNT\system32\config\SAM.LOG
1/1/2006 10:50:02 PM H 16384 C:\WINNT\system32\config\SECURITY.LOG
1/1/2006 10:52:10 PM H 69632 C:\WINNT\system32\config\software.LOG
12/20/2005 3:09:54 PM H 0 C:\WINNT\system32\config\software.tmp.LOG
1/1/2006 10:50:08 PM H 819200 C:\WINNT\system32\config\system.LOG
12/20/2005 3:09:46 PM H 0 C:\WINNT\system32\config\system.tmp.LOG
12/20/2005 3:09:36 PM H 1024 C:\WINNT\system32\config\TempKey.LOG
12/20/2005 3:09:56 PM H 1024 C:\WINNT\system32\config\userdiff.LOG
12/20/2005 9:37:30 PM H 1024 C:\WINNT\system32\config\userdifr.LOG
12/21/2005 7:46:48 PM H 1024 C:\WINNT\system32\config\systemprofile\ntuser.dat.LOG
12/20/2005 9:12:14 PM HS 62 C:\WINNT\system32\config\systemprofile\Application Data\desktop.ini
12/20/2005 9:26:58 PM S 1047 C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7C8A03C4580C6B04FDF34357F3474EDC
12/20/2005 9:26:56 PM S 1370 C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/20/2005 9:26:58 PM S 126 C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7C8A03C4580C6B04FDF34357F3474EDC
12/20/2005 9:26:56 PM S 194 C:\WINNT\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\B82262A5D5DA4DDACE9EDA7F787D0DEB
12/20/2005 9:12:14 PM HS 62 C:\WINNT\system32\config\systemprofile\Local Settings\desktop.ini
12/20/2005 9:24:32 PM HS 348 C:\WINNT\system32\config\systemprofile\My Documents\My Pictures\Desktop.ini
12/20/2005 9:24:32 PM HS 181 C:\WINNT\system32\config\systemprofile\SendTo\desktop.ini
12/20/2005 9:12:14 PM HS 62 C:\WINNT\system32\config\systemprofile\Start Menu\desktop.ini
12/20/2005 9:26:54 PM HS 148 C:\WINNT\system32\config\systemprofile\Start Menu\Programs\desktop.ini
12/20/2005 9:26:52 PM HS 482 C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
12/20/2005 9:26:52 PM HS 348 C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
12/20/2005 9:26:52 PM HS 84 C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
12/20/2005 9:26:52 PM HS 84 C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
12/20/2005 6:50:12 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\58fb89f9-d3cc-4923-af97-ccff153d3241
12/20/2005 6:50:12 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
12/20/2005 9:34:34 PM HS 352 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\61b441ba-c637-4d4a-8e4f-ebfaf22c702c
12/20/2005 10:34:38 PM HS 388 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\ecf4dbf3-65d0-409b-a4f2-431d3ce4eff0
12/20/2005 10:34:38 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
1/1/2006 10:48:48 PM H 6 C:\WINNT\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/3/2004 7:07:00 PM 68608 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 549888 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 110592 C:\WINNT\SYSTEM32\bthprops.cpl
Labtec Inc. 2/12/2004 4:59:12 PM 151552 C:\WINNT\SYSTEM32\CamCpl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 135168 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 80384 C:\WINNT\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 155136 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 358400 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 129536 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 380416 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 68608 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 187904 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 618496 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 35840 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 25600 C:\WINNT\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 257024 C:\WINNT\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 36864 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 32768 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 114688 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 298496 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 28160 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 94208 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 148480 C:\WINNT\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 68608 C:\WINNT\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 549888 C:\WINNT\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 135168 C:\WINNT\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 80384 C:\WINNT\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 155136 C:\WINNT\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 358400 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 129536 C:\WINNT\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 68608 C:\WINNT\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 187904 C:\WINNT\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 618496 C:\WINNT\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 35840 C:\WINNT\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 25600 C:\WINNT\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 257024 C:\WINNT\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 36864 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 32768 C:\WINNT\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 114688 C:\WINNT\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 155648 C:\WINNT\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 298496 C:\WINNT\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 28160 C:\WINNT\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 94208 C:\WINNT\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 8/3/2004 7:07:00 PM 148480 C:\WINNT\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
12/20/2005 9:26:52 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/26/2005 5:08:14 AM 702 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpywareBlaster.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
12/20/2005 9:12:14 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
12/20/2005 9:26:52 PM HS 84 C:\Documents and Settings\marcus\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
12/20/2005 9:12:14 PM HS 62 C:\Documents and Settings\marcus\Application Data\desktop.ini
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\system32\docprop2.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Yahoo! Toolbar Helper = C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
AtiPTA atiptaxx.exe
AVGCtrl "C:\Program Files\AVPersonal\AVGNT.EXE" /min
LogitechVideoRepair C:\Program Files\Logitech\Video\ISStart.exe
LogitechVideoTray C:\Program Files\Logitech\Video\LogiTray.exe
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\system32\stobject.dll
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/1/2006 11:01:08 PM
OK, next is my AVG history log.
<rec time="2005/12/30 20:47:41" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 02:40:06" user="marcus" source="Virus">
<value>@HL_ReportFindRS</value>
<attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Temporary Directory 1 for Limewire Pro 4.10.0 Final + All Skins.zip\Setup.exe</attr>
<attr name="finding">@EID_Id_vir</attr>
<attr name="virusname">Worm/VB.CC</attr>
</rec>
<rec time="2005/12/31 02:40:32" user="marcus" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\DOCUME~1\marcus\LOCALS~1\Temp\Temporary Directory 1 for Limewire Pro 4.10.0 Final + All Skins.zip\Setup.exe</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\marcus\My Documents\Limewire Pro 4.10.0 Final + All Skins.zip</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/VB.CC</attr>
</rec>
<rec time="2005/12/31 02:41:39" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2005/12/31 02:41:51" user="marcus" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\marcus\My Documents\Limewire Pro 4.10.0 Final + All Skins.zip</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2005/12/31 02:43:21" user="marcus" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2005/12/31 03:02:05" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 08:00:03" user="SYSTEM" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2005/12/31 08:17:37" user="SYSTEM" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_12</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\marcus\My Documents\AVG Anti-Virus 7.0.344.618.zip</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/VB.CE</attr>
</rec>
<rec time="2005/12/31 11:13:21" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_12</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2005/12/31 11:13:39" user="marcus" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\marcus\My Documents\AVG Anti-Virus 7.0.344.618.zip</attr>
<attr name="action">@HL_ActVVInserted</attr>
</rec>
<rec time="2006/01/01 16:56:17" user="marcus" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/01/01 16:58:08" user="marcus" source="Virus">
<value>@HL_ReportFind</value>
<attr name="where">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
<attr name="type">@EID_Id_vir</attr>
<attr name="what">Worm/VB.CE</attr>
</rec>
<rec time="2006/01/01 17:12:07" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">1</attr>
</rec>
<rec time="2006/01/01 17:12:08" user="marcus" source="Virus">
<value>@HL_ActionTaken</value>
<attr name="filename">C:\Documents and Settings\marcus\Shared\AVG Anti-Virus 7.0.344.618.zip</attr>
<attr name="action">@HL_ActCleaned</attr>
</rec>
<rec time="2006/01/01 17:18:28" user="marcus" source="General">
<value>@HL_TestStarted</value>
<attr name="testname">@TestName_02</attr>
</rec>
<rec time="2006/01/01 17:33:55" user="marcus" source="General">
<value>@HL_TestEnded</value>
<attr name="testname">@TestName_02</attr>
<attr name="infectedfiles">0</attr>
</rec>
</history>
OK, I hope that helps you help me. I just got this computer and would hate to lose it because
I was downloading programs from Limewire, but I should have known better......thx
-
I want you to run through a few scans please, to see what we can clean and pick up.
Can you open "MyComputer"
Double click to open Local Disk C: drive
Right click an empty spot and left click NEW>>Folder
A new folder will be placed in the C: folder , name it BFU
So you now have C:\BFU
Download and save p2pnetwork.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=426)
Then UNZIP it to the BFU Folder
So you now have p2pnetwork.bfu extracted to the BFU folder
Download and save and then UNZIP to the BFU folder
BFU.zip (http://www.merijn.org/files/bfu.zip)
So you now have BFU.exe extracted
==Download and Install
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
If you don't have the latest version of Ad-Aware
Download and Install Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
In the event you already have Ad-aware, check for updates now please
Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
Once in safe mode
Open the BFU folder
Double click to run BFU.exe
Use the "Open Script file" button (the folder icon next to Scriptfile to execute)
Navigate to p2pnetwork.bfu in the BFU folder
Right click p2pnetwork.bfu and choose Select
In Brute Force Uninstaller select Execute
Let it finish then Exit
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
Remain in safe mode for the following
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows
Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode
Back in Windows
Can I see the following
1. Post a fresh hijackthis log
2. Post the whole report from Ewido's you saved earlier
-
Logfile of HijackThis v1.99.1
Scan saved at 6:14:20 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\LVComS.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\marcus\My Documents\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://profiles.yahoo.com/zzzzzzzzlll?intl=us&os=win&ver=7,0,0,437
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: SpywareBlaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E11725F-6298-4F18-8C4F-C48A16BCDE44}: NameServer = 207.69.188.187 207.69.188.186
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
This is the only report I saw for Ewido
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 2:52:15 AM, 1/2/2006
+ Report-Checksum: 49C71749
+ Scan result:
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
::Report End
OK, it found 12 infections which were deleted... I hope this helps you help me... thx for the great help!
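As an added example (not the poster's code and not part of Ewido), here is a small Python parser for the scan-report format posted above: it reads the result lines between "+ Scan result:" and "::Report End", tallies findings per threat name and per action, lists the distinct files touched, and flags whether every finding was just a tracking cookie, which is the triage a helper does when reading such a report. The sample report is reconstructed from the 12 cookie entries above; the `summarise` output shape is my own.

```python
import re
from collections import Counter

# Constructed sample rebuilt from the 12 entries in the report above.
COOKIE_FILE = (r"C:\Documents and Settings\Administrator\Application Data"
               r"\Mozilla\Firefox\Profiles\pyi2inm5.default\cookies.txt")
_ENTRIES = [(15, "Serving-sys"), (16, "Serving-sys"), (17, "Serving-sys"),
            (18, "Serving-sys"), (19, "Atdmt"), (20, "Overture"), (21, "Overture"),
            (22, "Overture"), (23, "Centrport"), (28, "Liveperson"),
            (29, "Liveperson"), (30, "Liveperson")]
SAMPLE_REPORT = "\n".join(
    ["+ Created on: 2:52:15 AM, 1/2/2006", "+ Scan result:"]
    + [f":mozilla.{n}:{COOKIE_FILE} -> Spyware.Cookie.{t} : Cleaned with backup"
       for n, t in _ENTRIES]
    + ["::Report End"])

# Result lines look like  <object> -> <threat name> : <action taken>
RESULT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<threat>\S+) : (?P<action>.+)$")
# Cookie objects are  :mozilla.<n>:<path to cookies.txt>  (n = cookie index)
COOKIE_RE = re.compile(r"^:mozilla\.(?P<idx>\d+):(?P<path>.+)$")


def parse_report(text):
    """Return one dict per result line between '+ Scan result:' and '::Report End'."""
    findings, in_results = [], False
    for line in text.splitlines():
        if line.startswith("+ Scan result:"):
            in_results = True
            continue
        if line.startswith("::Report End"):
            break
        m = RESULT_RE.match(line) if in_results else None
        if not m:
            continue  # header lines, blank lines, anything that is not a result
        cookie = COOKIE_RE.match(m["obj"])
        findings.append({"object": m["obj"],
                         "path": cookie["path"] if cookie else m["obj"],
                         "threat": m["threat"], "action": m["action"].strip(),
                         "is_cookie": m["threat"].startswith("Spyware.Cookie.")})
    return findings


def summarise(findings):
    """Counts per threat/action, distinct files touched, and a cookies-only flag."""
    return {"total": len(findings),
            "by_threat": Counter(f["threat"] for f in findings),
            "by_action": Counter(f["action"] for f in findings),
            "files": sorted({f["path"] for f in findings}),
            "cookies_only": bool(findings) and all(f["is_cookie"] for f in findings)}
```

Run `summarise(parse_report(SAMPLE_REPORT))` to see that the 12 findings all sit in one cookies.txt file and are all cookies, which is what the reply below points out.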
-
How's everything running?
Those were just cookies
If you run a scan with AVG, let me know if it finds anything in the System volume information folder
I'll check back later as I'm off to bed soon
-
Everything seems in tip top shape. I ran the virus scanner and it came up with no viruses or errors.
Thanks guestlolo for all your help. Those cookies had me a little nervous. What should I now do with all these
programs I have downloaded when the trial runs out? Should I keep SpywareBlaster with all of these other programs? I would
not want to cause a conflict between them... anyways you guys are the best and have helped me out a lot...
-
Let's do the following
If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)
Make sure you reenable system restore feature
The tools you have
You can manually delete the following folder
C:\BFU <-this folder
Also delete WPFind.zip and the WPfind folder
I would hold onto Ad-Aware and check for updates every couple of weeks and run a scan
Optionally, I would also hold onto CleanUp! to clean your temp files, cookies, etc.. every week
Ewido is also a great tool, I run it once a month
It will be a limited version in a couple weeks, but still a great scanner
and still removes bad guys
SpywareBlaster, do not get rid of it
It is free, but it looks like you bought the version you're using
That's as good as Donating to Javacools, I'm sure they appreciate it very much
There was a recent update with SpywareBlaster program, did you get notified of it?
You should now be using version 3.5.1
Be sure to use proper uninstall and install procedures if you haven't updated yet...
-
Alright, system restore has been turned off and then enabled. Also I've updated SpywareBlaster...
So I think I'm good to go. Everything seems to be running smooth as silk.
thanks,
marcus
-
Good work Marcus
I saw you were reading the sticky at the top of the forum
http://www.thetechguide.com/forum/index.php?showtopic=25085
I've edited it a bit, can you read it again
You only need to apply the patch, no need to unregister the .dll, if you did you can reregister it
Keep checking windows updates for a fix, at which time you should be able to remove the patch from add/remove programs