TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Justa on July 02, 2007, 10:40:58 AM
-
Quote from guestolo (Jul 2 2007, 09:30 AM):
    Hi Justa, you still have problems in your log
    But, I'm going to close this topic soon
    Can you start your own post topic in this forum please
    Keeps it a bit less confusing
    We'll take steps from there, thanks
guestolo,
I followed your advice on removing mgrs.exe and would very much appreciate your comments on my logs (even if he didn't post back) :P
I apologize for using someone else's thread, but it seems relevant to me
Original HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 10:10:14 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Statbar\StatBar\StatBar.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\B and G\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [fklivwrk.exe] C:\WINDOWS\system32\fklivwrk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\wboplxmd.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
SDFix log
SDFix: Version 1.88
Run by Administrator on Mon 07/02/2007 at 10:39 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SdFix\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\WINDOWS\Temp\winA3.tmp.exe - Deleted
C:\WINDOWS\Temp\winA3.tmp.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\cookie.dat - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\ps.dat - Deleted
Removing Temp Files...
ADS Check:
Checking C:\WINDOWS
C:\WINDOWS
No streams found.
Fixwareout log
Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"fklivwrk.exe"="C:\\WINDOWS\\system32\\fklivwrk.exe"
"SC2"="C:\\WINDOWS\\system32\\scchk32.exe"
"icq.com"="rundll32.exe \"C:\\WINDOWS\\system32\\wboplxmd.dll\",forkonce"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
Fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:17:59 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fklivwrk.exe] C:\WINDOWS\system32\fklivwrk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\wboplxmd.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Besides the obvious, can I remove the c:/DnsBak.reg file?
Thank you so much for your time and effort
-
c:/DnsBak.reg file is a backup file created from Fixwareout
Just leave it for now please
Can you do the following
Download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."
I'll need to see this report from Vundofix later>>C:\Vundofix.txt
Next:
Then, download this file - Combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post back the following
1. Post the log from combofix
2. Post the report from vundofix
3. Post a fresh hijackthis log
-
Here we go
ComboFix
"B and G" - 2007-07-02 11:59:43 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\hgghhhf.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\gyrpsy23.dll
((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))
2007-07-30 12:07 <DIR> d--hs---- C:\RECYCLER
2007-07-30 12:02 1,310,720 --ah----- C:\DOCUME~1\BANDG~1\NTUSER.DAT
2007-07-30 12:00 225,280 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-07-30 12:00 225,280 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-07-30 12:00 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-07-30 12:00 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-30 11:56 225,280 ---h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-07-30 11:56 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-07-30 11:56 0 -rahs---- C:\MSDOS.SYS
2007-07-30 11:56 0 -rahs---- C:\IO.SYS
2007-07-30 11:56 0 --a------ C:\CONFIG.SYS
2007-07-30 11:56 0 --a------ C:\AUTOEXEC.BAT
2007-07-30 11:56 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-07-30 11:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-07-30 11:55 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-07-30 11:55 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-07-30 11:55 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-07-30 11:54 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-07-30 11:54 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-07-30 11:54 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-07-30 11:54 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-07-30 11:54 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-07-30 11:54 <DIR> d---s---- C:\WINDOWS\Tasks
2007-07-30 11:54 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-07-30 11:54 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-07-30 11:53 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-07-30 11:53 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-07-30 11:53 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-07-30 11:53 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-07-30 11:53 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-07-30 11:53 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-07-30 11:53 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-07-30 11:53 683,520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-07-30 11:53 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-07-30 11:53 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-07-30 11:53 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-07-30 11:53 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:53 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:53 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-07-30 11:53 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-07-30 11:53 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-07-30 11:53 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-07-30 11:53 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-07-30 11:53 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-07-30 11:53 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 11:53 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:53 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-07-30 11:53 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-07-30 11:53 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-07-30 11:53 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-07-30 11:53 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-07-30 11:53 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-07-30 11:53 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-07-30 11:53 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-07-30 11:53 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-07-30 11:53 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:53 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-07-30 11:53 183,296 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-07-30 11:53 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-30 11:53 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-07-30 11:53 165,888 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-07-30 11:53 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-07-30 11:53 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-07-30 11:53 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-07-30 11:53 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-07-30 11:53 1,710,936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\srchasst
2007-07-30 11:53 <DIR> d-------- C:\Program Files\Movie Maker
2007-07-30 11:52 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-07-30 11:52 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-07-30 11:52 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-07-30 11:52 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-07-30 11:52 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-07-30 11:52 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-30 11:52 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-07-30 11:52 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-07-30 11:52 <DIR> d-------- C:\WINDOWS\Registration
2007-07-30 11:52 <DIR> d-------- C:\Program Files\Online Services
2007-07-30 11:52 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2007-07-30 11:52 <DIR> d-------- C:\Program Files\Messenger
2007-07-30 11:51 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-07-30 11:51 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-07-30 11:51 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-07-30 11:51 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-07-30 11:51 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-07-30 11:51 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-07-30 11:51 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-07-30 11:51 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-07-30 11:51 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-07-30 11:51 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-07-30 11:51 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-07-30 11:51 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-07-30 11:51 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-07-30 11:51 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-07-30 11:51 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-07-30 11:51 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-07-30 11:51 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-07-30 11:51 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A}=C:\WINDOWS\system32\vtsts.dll []
{930D35D2-094D-41B9-8E89-D1B76F2C6E97}=C:\WINDOWS\system32\yayvsrs.dll []
{B1FBF2E1-C164-4ebe-AB04-B839655CC927}=gyrpsy23.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-05 23:44 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 06:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2004-10-12 08:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{930D35D2-094D-41B9-8E89-D1B76F2C6E97}"="C:\WINDOWS\system32\yayvsrs.dll" []
"{8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7}"="C:\WINDOWS\system32\hgghhhf.dll" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhhf]
hgghhhf.dll
**************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 12:08:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-02 12:10:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-02 12:10
--- E O F ---
VundoFix
VundoFix V6.5.4
Checking Java version...
Sun Java not detected
Scan started at 11:51:27 AM 7/2/2007
Listing files found while scanning....
C:\windows\system32\dmxlpobw.ini
C:\WINDOWS\system32\juamhlsr.dll
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\wboplxmd.dll
C:\windows\system32\wvusqpn.dll
C:\windows\system32\xkpjdupw.exe
C:\windows\system32\yayvsrs.dll
Beginning removal...
Attempting to delete C:\windows\system32\dmxlpobw.ini
C:\windows\system32\dmxlpobw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\juamhlsr.dll
C:\WINDOWS\system32\juamhlsr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vtsts.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wboplxmd.dll
C:\WINDOWS\system32\wboplxmd.dll Has been deleted!
Attempting to delete C:\windows\system32\wvusqpn.dll
C:\windows\system32\wvusqpn.dll Has been deleted!
Attempting to delete C:\windows\system32\xkpjdupw.exe
C:\windows\system32\xkpjdupw.exe Has been deleted!
Attempting to delete C:\windows\system32\yayvsrs.dll
C:\windows\system32\yayvsrs.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\yayvsrs.dll
C:\windows\system32\yayvsrs.dll Has been deleted!
Performing Repairs to the registry.
Done!
Fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 12:12:09 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: hgghhhf - hgghhhf.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Can you do the following please
If these 2 files are still around, delete them
Exact file names
C:\WINDOWS\system32\fklivwrk.exe
C:\WINDOWS\system32\scchk32.exe
EDIT>>>DO THIS PART ONLY AGAIN PLEASE
==========================================================
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930D35D2-094D-41B9-8E89-D1B76F2C6E97}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1FBF2E1-C164-4ebe-AB04-B839655CC927}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhhf]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{930D35D2-094D-41B9-8E89-D1B76F2C6E97}"=-
"{8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7}"=-
Close all open windows, including your browser
Double click on fix.reg and allow to add/merge to the registry at the prompt
Reboot your computer
============================================================
Back in Windows, I suggest that you run a spyware scanner on your computer
Download and Install Spybot 1.4 from
HERE (http://fileforum.betanews.com/detail/Spybot_Search_and_Destroy/1043809773/1)
Install with default settings
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates (Or right click the results pane and SELECT ALL)
Ensure all updates are successful, a GREEN check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED
RESTART the computer to finish any cleaning process
Back in Windows
Can you post back with a fresh hijackthis log please
Let me know how things are running, just some final recommendations
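The fix.reg in the post above was written by hand from the "(file missing)" O2 and O20 lines in the HijackThis log, plus the two ShellExecuteHooks CLSIDs that only appear in ComboFix's "Reg Loading Points" section. The script below is an added example, not code from this thread, from the helper or from the HijackThis project: it parses lines of that shape and emits the same kind of REGEDIT4 file. The sample log text, the function names and the key constants are this example's own (the CLSIDs and file names are the ones posted in the thread).

```python
"""Added example: turn HijackThis 1.99.1 "(file missing)" entries into a
REGEDIT4 fix file like the one the helper wrote by hand in this thread.
Function names and the sample log are this example's own, not the thread's."""
import re

HKLM = "HKEY_LOCAL_MACHINE"
BHO_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SEH_KEY = HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"

# Line shapes HijackThis 1.99.1 prints; the "(file missing)" suffix is optional.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")

# Constructed sample log (CLSIDs and file names mirror the ones in this thread).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: hgghhhf - hgghhhf.dll (file missing)
"""


def orphaned_entries(log_text):
    """Return (kind, key_name, path) for each O2/O20 line whose DLL is gone.
    Entries whose file still exists are left alone: a DLL that still loads has
    to be removed first (as the thread did with VundoFix/ComboFix), not just
    unhooked from the registry."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m and m.group("missing"):
            found.append(("bho", m.group("clsid"), m.group("path")))
            continue
        m = O20_RE.match(line)
        if m and m.group("missing"):
            found.append(("winlogon_notify", m.group("name"), m.group("path")))
    return found


def build_fix_reg(log_text, shell_hooks=()):
    """Build REGEDIT4 text that deletes the orphaned keys.

    shell_hooks: extra ShellExecuteHooks CLSIDs to drop. HijackThis 1.99.1
    does not list that key (the thread took those CLSIDs from the ComboFix
    log), and they are values under one key, so they are removed with
    "name"=- rather than a whole-key deletion."""
    lines = ["REGEDIT4", ""]
    for kind, name, _path in orphaned_entries(log_text):
        parent = BHO_KEY if kind == "bho" else NOTIFY_KEY
        lines += ["[-%s\\%s]" % (parent, name), ""]  # "[-key]" deletes key + subkeys
    if shell_hooks:
        lines.append("[%s]" % SEH_KEY)
        lines += ['"%s"=-' % clsid for clsid in shell_hooks]  # "=-" deletes one value
        lines.append("")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save this output as fix.reg (Notepad: Save as type "All Files") and merge
    # it, as the post describes; regedit on XP still accepts the REGEDIT4 header.
    print(build_fix_reg(SAMPLE_HJT,
                        shell_hooks=["{930D35D2-094D-41B9-8E89-D1B76F2C6E97}",
                                     "{8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7}"]))
```

Two cautions when using something like this: a key line with a leading "-" removes the key and every subkey under it, so export the Browser Helper Objects and Winlogon\Notify keys first, and only delete entries whose DLL is confirmed gone. An entry marked "(file missing)" is not proof of malware by itself (a normal uninstall can leave the same residue); it is the combination with the random file names and the VundoFix/ComboFix deletions in this thread that makes these ones safe to drop.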
-
Fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 1:43:53 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Uniblue\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
When I ran Spybot S&D, besides the normal cookies it came up with
AppWindowsFirewallBypass located in
HKEY_LOCAL............System32\usmt\Migwiz.exe
Then on restart it hung with the desktop image but no icons or Windows bar for 10 min, until I manually restarted again and it was fine. I don't know if this should concern me.
Also, this Spybot SD Resident - TeaTimer thing, should it be left running at startup?
Thank you
-
What I meant by "when installing Spybot, use the default settings" was not to check any additional options, e.g. TeaTimer
I didn't want it to interfere with any fixes
Can you now do the following
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot
Reboot the computer
Back in Windows
Double click on fix.reg again and allow to add/merge at the prompt
Reboot the computer again, post a fresh hijackthis log
-
Fresh HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 5:09:44 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Uniblue\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
No wonder those 3 entries in hijackthis are still there
Those 3 values don't exist, but the keys do
I don't know what I was thinking
Sorry about that
Can you delete fix.reg
Then go back up to my thread where I had you create it>>I edited it
and save and run it again>>Just fix.reg
Reboot one last time, post one last hijackthis log please
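Guestolo's point above, that the three O2 entries keep showing up because the registry keys still exist while the DLLs are gone, can be checked mechanically. The following is an added example, not code from the thread: it parses the O2 lines of a HijackThis log, flags the entries marked (file missing), and writes a .reg that deletes those registrations. The key paths used are the standard BHO and CLSID registration locations; the contents of the thread's own fix.reg are not shown here and are not reproduced.

```python
import re

# Constructed sample: O2 (BHO) and O23 (service) lines copied from the log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Uniblue\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
"""

# O2 line layout: "O2 - BHO: <name> - {<CLSID>} - <dll path>[ (file missing)]"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# Standard location where Internet Explorer looks up BHO registrations.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_bhos(log_text):
    """Return one dict per O2 line: name, clsid, path, and whether the DLL is gone."""
    entries = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "missing": m["missing"] is not None})
    return entries


def orphaned_bhos(log_text):
    """CLSIDs whose registration survives although the DLL no longer exists on disk."""
    return [e["clsid"] for e in parse_bhos(log_text) if e["missing"]]


def bho_removal_reg(clsids):
    """Build .reg text that deletes the orphaned BHO registrations.
    A leading '-' on a key line tells regedit to delete that key."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append(rf"[-{BHO_KEY}\{{{clsid}}}]")
        lines.append(rf"[-HKEY_CLASSES_ROOT\CLSID\{{{clsid}}}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    orphans = orphaned_bhos(SAMPLE_LOG)
    print("orphaned BHO keys:", orphans)
    print(bho_removal_reg(orphans))
```

Only O2 entries carrying "(file missing)" are selected; the O23 service line is ignored, and an O2 entry whose DLL is present (SDHelper.dll here) is left alone.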
-
More Hijack This
Logfile of HijackThis v1.99.1
Scan saved at 5:43:42 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Uniblue\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
That looks better
If everything is running well
Can you do the following:
Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name(any name) and click Create, let it finish
When that's done>>Exit
Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let it finish calculating
Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made
Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning
You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
This tool does not need to run in the background to help protect your computer
*It Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"
In addition: Hold onto Spybot 1.4 and do the following
Open Spybot 1.4
Click on the Immunize button>>OK>>Click on Immunize at the top green cross
Do that after every update
NOTE: Later, If there are other users on this computer
Log into their account also and enable protection with Spywareblaster and Immunize with Spybot
Removal of tools that we used or you previously used:
You can manually delete fix.reg and c:/DnsBak.reg if you have no Internet connection problems
Can you also download this tool:
OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer: save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Either select Yes to reboot Now or you can choose No to reboot later if preferred
After reboot you can empty your recycle bin
By the way, you may want to continue using TeaTimer, this is up to you, totally optional
What is the Resident TeaTimer?
As Noted in Spybot's Help section
The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options how to deal with this process in the future: You can set TeaTimer to:
- be informed, when the process tries to start again
- automatically kill the process
- or generally allow the process to run There is also an option to delete the file associated with this process.
In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change. As TeaTimer is always running in the background, it takes some resources of about 5 MB.
Why does Resident TeaTimer terminate the application before asking?
Because threats like toll dialers are time critical - they cost from the first second they've connected. In order to protect you, these have to be terminated at the moment they appear before they can connect at all.
Why is the TeaTimer called "TeaTimer"?
As we used to forget our tea, when we let it brew, we built a small tool with a system tray icon to remind us. We called this tool "TeaTimer". When we started to develop the Resident tool for Spybot-S&D, we also needed a system tray icon for this. As we do not like having too many icons in the system tray, we decided to put both tools together and kept the name "TeaTimer". The next version of the Resident tool will also have the functions of the original "TeaTimer".
You can find the Resident TeaTimer in the tools section.
I hope that helps
-
Thank you so much, I'm sure you're more clear on how screwed I would have been without your help than I am
-
You're welcome, glad to help
I'll lock this topic as your problems appear resolved
Take care Justa