Author Topic: MGRS and Other junks (Read 1834 times)

Justa · « **on:** July 02, 2007, 10:40:58 AM »

[quote name=\'guestolo\' post=\'348918\' date=\'Jul 2 2007, 09:30 AM\']Hi Justa, you still have problems in your log
But, I'm going to close this topic soon
Can you start your own ~~post~~ topic in this forum please
Keeps it a bit less confusing

We'll take steps from there, thanks[/quote]

guestolo,

I followed your advice on removing mgrs.exe and would very much appreciate your comments on my logs (even if he didn't post back) :P
I appologize for using someone elses thread, but it seems relevent to me

Original Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 10:10:14 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Statbar\StatBar\StatBar.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\mgrs.exe
C:\Documents and Settings\B and G\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [fklivwrk.exe] C:\WINDOWS\system32\fklivwrk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\wboplxmd.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

SDFix log

SDFix: Version 1.88

Run by Administrator on Mon 07/02/2007 at 10:39 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SdFix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\Temp\winA3.tmp.exe - Deleted
C:\WINDOWS\Temp\winA3.tmp.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\cookie.dat - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\ps.dat - Deleted

Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Fixwareout log

Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
Â»Â»Â»Â»Â»Prerun check

Successfully flushed the DNS Resolver Cache.

System was rebooted successfully.

Â»Â»Â»Â»Â» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
Â»Â»Â»Â»Â» Misc files.
....
Â»Â»Â»Â»Â» Checking for older varients.
....
Â»Â»Â»Â»Â» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"Zone Labs Client"="\"C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"fklivwrk.exe"="C:\\WINDOWS\\system32\\fklivwrk.exe"
"SC2"="C:\\WINDOWS\\system32\\scchk32.exe"
"icq.com"="rundll32.exe \"C:\\WINDOWS\\system32\\wboplxmd.dll\",forkonce"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it
Â»Â»Â»Â»Â» End report Â»Â»Â»Â»Â»

Fresh Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 11:17:59 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [fklivwrk.exe] C:\WINDOWS\system32\fklivwrk.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\wboplxmd.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Besides the obvious can I remove the c:/DnsBak.reg file

Thank you so much for your time and effort

guestolo · « **Reply #1 on:** July 02, 2007, 10:47:26 AM »

c:/DnsBak.reg file is a backup file created from Fixwareout
Just leave it for now please

Can you do the following
Download [color=\"blue\"]VundoFix.exe[/color]
to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I'll need to see this report from Vundofix later>>C:\Vundofix.txt

Next:
Then, Download this file - Combofix.exe and save it ONLY to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back the following
1. Post the log from combofix
2. Post the report from vundofix
3. Post a fresh hijackthis log

Justa · « **Reply #2 on:** July 02, 2007, 11:16:05 AM »

Here we go

ComboFix

"B and G" - 2007-07-02 11:59:43 - ComboFix 07-06-27.7 - Service Pack 2 NTFS

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\winhdn32.dll
C:\WINDOWS\system32\hgghhhf.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\system32\gyrpsy23.dll

((((((((((((((((((((((((( Files Created from 2007-06-02 to 2007-07-02 )))))))))))))))))))))))))))))))

2007-07-30 12:07 <DIR> d--hs---- C:\RECYCLER
2007-07-30 12:02 1,310,720 --ah----- C:\DOCUME~1\BANDG~1\NTUSER.DAT
2007-07-30 12:00 225,280 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-07-30 12:00 225,280 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-07-30 12:00 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-07-30 12:00 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-30 11:56 225,280 ---h----- C:\DOCUME~1\DEFAUL~1\NTUSER.DAT
2007-07-30 11:56 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2007-07-30 11:56 0 -rahs---- C:\MSDOS.SYS
2007-07-30 11:56 0 -rahs---- C:\IO.SYS
2007-07-30 11:56 0 --a------ C:\CONFIG.SYS
2007-07-30 11:56 0 --a------ C:\AUTOEXEC.BAT
2007-07-30 11:56 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-07-30 11:56 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-07-30 11:55 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2007-07-30 11:55 <DIR> d--hs---- C:\DOCUME~1\ALLUSE~1\DRM
2007-07-30 11:55 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2007-07-30 11:54 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2007-07-30 11:54 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2007-07-30 11:54 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2007-07-30 11:54 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2007-07-30 11:54 <DIR> d--h----- C:\Program Files\WindowsUpdate
2007-07-30 11:54 <DIR> d---s---- C:\WINDOWS\Tasks
2007-07-30 11:54 <DIR> d-------- C:\WINDOWS\system32\DirectX
2007-07-30 11:54 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-07-30 11:53 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2007-07-30 11:53 81,920 --a------ C:\WINDOWS\system32\ils.dll
2007-07-30 11:53 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-07-30 11:53 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2007-07-30 11:53 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2007-07-30 11:53 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2007-07-30 11:53 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2007-07-30 11:53 683,520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-07-30 11:53 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2007-07-30 11:53 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2007-07-30 11:53 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2007-07-30 11:53 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:53 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:53 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2007-07-30 11:53 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2007-07-30 11:53 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2007-07-30 11:53 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2007-07-30 11:53 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2007-07-30 11:53 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2007-07-30 11:53 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 11:53 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:53 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-07-30 11:53 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
2007-07-30 11:53 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2007-07-30 11:53 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2007-07-30 11:53 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2007-07-30 11:53 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2007-07-30 11:53 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2007-07-30 11:53 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2007-07-30 11:53 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2007-07-30 11:53 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:53 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2007-07-30 11:53 183,296 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-07-30 11:53 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-07-30 11:53 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2007-07-30 11:53 165,888 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-07-30 11:53 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2007-07-30 11:53 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2007-07-30 11:53 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-07-30 11:53 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2007-07-30 11:53 1,710,936 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\system32\Restore
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\system32\Macromed
2007-07-30 11:53 <DIR> d-------- C:\WINDOWS\srchasst
2007-07-30 11:53 <DIR> d-------- C:\Program Files\Movie Maker
2007-07-30 11:52 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2007-07-30 11:52 5,632 --a------ C:\WINDOWS\system32\write.exe
2007-07-30 11:52 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2007-07-30 11:52 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2007-07-30 11:52 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2007-07-30 11:52 21,640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-07-30 11:52 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2007-07-30 11:52 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2007-07-30 11:52 <DIR> d-------- C:\WINDOWS\Registration
2007-07-30 11:52 <DIR> d-------- C:\Program Files\Online Services
2007-07-30 11:52 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2007-07-30 11:52 <DIR> d-------- C:\Program Files\Messenger
2007-07-30 11:51 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2007-07-30 11:51 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2007-07-30 11:51 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2007-07-30 11:51 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2007-07-30 11:51 9,728 --a------ C:\WINDOWS\system32\reset.exe
2007-07-30 11:51 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2007-07-30 11:51 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2007-07-30 11:51 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2007-07-30 11:51 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-07-30 11:51 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2007-07-30 11:51 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2007-07-30 11:51 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-07-30 11:51 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2007-07-30 11:51 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2007-07-30 11:51 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2007-07-30 11:51 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-07-30 11:51 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2007-07-30 11:51 58,880 --a------ C:\WINDOWS\system32\licwmi.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A}=C:\WINDOWS\system32\vtsts.dll []
{930D35D2-094D-41B9-8E89-D1B76F2C6E97}=C:\WINDOWS\system32\yayvsrs.dll []
{B1FBF2E1-C164-4ebe-AB04-B839655CC927}=gyrpsy23.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-05 23:44 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 06:04 C:\WINDOWS\SkyTel.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 06:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2004-10-12 08:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{930D35D2-094D-41B9-8E89-D1B76F2C6E97}"="C:\WINDOWS\system32\yayvsrs.dll" []
"{8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7}"="C:\WINDOWS\system32\hgghhhf.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhhf]
hgghhhf.dll

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 12:08:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-02 12:10:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-02 12:10

--- E O F ---

VundoFix

VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 11:51:27 AM 7/2/2007

Listing files found while scanning....

C:\windows\system32\dmxlpobw.ini
C:\WINDOWS\system32\juamhlsr.dll
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\wboplxmd.dll
C:\windows\system32\wvusqpn.dll
C:\windows\system32\xkpjdupw.exe
C:\windows\system32\yayvsrs.dll

Beginning removal...

Attempting to delete C:\windows\system32\dmxlpobw.ini
C:\windows\system32\dmxlpobw.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\juamhlsr.dll
C:\WINDOWS\system32\juamhlsr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\ststv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\vtsts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wboplxmd.dll
C:\WINDOWS\system32\wboplxmd.dll Has been deleted!

Attempting to delete C:\windows\system32\wvusqpn.dll
C:\windows\system32\wvusqpn.dll Has been deleted!

Attempting to delete C:\windows\system32\xkpjdupw.exe
C:\windows\system32\xkpjdupw.exe Has been deleted!

Attempting to delete C:\windows\system32\yayvsrs.dll
C:\windows\system32\yayvsrs.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\yayvsrs.dll
C:\windows\system32\yayvsrs.dll Has been deleted!

Performing Repairs to the registry.
Done!

Fresh Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 12:12:09 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: hgghhhf - hgghhhf.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #3 on:** July 02, 2007, 12:06:41 PM »

Can you do the following please
If these 2 files are still around, delete them
Exact file names
C:\WINDOWS\system32\fklivwrk.exe
C:\WINDOWS\system32\scchk32.exe

EDIT>>>DO THIS PART ONLY AGAIN PLEASE
==========================================================
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Ensure to copy from REGEDIT4 and down in the code box

Code: [Select]

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930D35D2-094D-41B9-8E89-D1B76F2C6E97}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B1FBF2E1-C164-4ebe-AB04-B839655CC927}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghhhf]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{930D35D2-094D-41B9-8E89-D1B76F2C6E97}"=-
"{8BF884A4-CF81-4E00-B7C1-076FCE6CFDD7}"=-

Close all open windows, including your browser
Double click on fix.reg and allow to add/merge to the registry at the prompt

Reboot your computer
============================================================

Back in Windows, I suggest that you run a spyware scanner on your computer
Download and Install Spybot 1.4 from
HERE

Install with default settings
After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates (Or right click the results pane and SELECT ALL)
Ensure all updates are successful, a [color=\"#00FF00\"]GREEN[/color] check will indicate this
If you have an error updating, search for updates again and retry the download until all updates are successfully installed
After update is complete

Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

RESTART the computer to finish any cleaning process

Back in Windows

Can you post back with a fresh hijackthis log please
Let me know how things are running, just some final recommendations

Justa · « **Reply #4 on:** July 02, 2007, 12:53:29 PM »

Fresh Hijack this Log

Logfile of HijackThis v1.99.1
Scan saved at 1:43:53 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Uniblue\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

When I ran SpyBot S&D besides the normal cookies it came up with
AppWindowsFirewallBypass located in
HKEY_LOCAL............System32\usmt\Migwiz.exe
Then on restart it hung with the desktop image but no icons or windows bar for 10 min until I manually restarted again and it was fine. I don't know if this should concern me.

Also this Spybot SD Resident - tea timer thing, it should be left running at startup?

Thank you

guestolo · « **Reply #5 on:** July 02, 2007, 03:07:33 PM »

What I meant by when installing Spybot and use the default settings, was not to check any additional options
eg... TeaTimer
I didn't want it to interfere with any fixes

Can you now do the following
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon.
Uncheck Teatimer box.
Click Allow Change box if prompted
Close Spybot

Reboot the computer

Back in Windows
Double click on fix.reg again and allow to add/merge at the prompt

Reboot the computer again, post a fresh hijackthis log

Justa · « **Reply #6 on:** July 02, 2007, 04:13:24 PM »

Fresh Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 5:09:44 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Uniblue\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7D62FCC0-2EC8-4B19-B4B5-D6EE2822C19A} - C:\WINDOWS\system32\vtsts.dll (file missing)
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\yayvsrs.dll (file missing)
O2 - BHO: H - {B1FBF2E1-C164-4ebe-AB04-B839655CC927} - gyrpsy23.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #7 on:** July 02, 2007, 04:34:29 PM »

No wonder those 3 entries in hijackthis are still there
Those 3 values don't exist, but the keys do
I don't know what I was thinking

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/huh.gif\' class=\'bbc_emoticon\' alt=\':huh:\' />
Sorry about that

Can you delete fix.reg
Then go back up to my thread where I had you create it>>I edited it
and save and run it again>>Just fix.reg

Reboot one last time, post one last hijackthis log please

Justa · « **Reply #8 on:** July 02, 2007, 04:44:45 PM »

More Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 5:43:42 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Uniblue\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

guestolo · « **Reply #9 on:** July 02, 2007, 04:56:52 PM »

That looks better

If everything is running well
Can you do the following:

Go to START>>All Programs>>Accessories>>System Tools>>System Restore
Create a New restore point
Give it a name(any name) and click Create, let it finish
When that's done>>Exit

Go to START>>RUN>>type the following
cleanmgr
Hit OK
Let if finish calculating

Select the More Options tab
and click Cleanup.. under 'System Restore'
This will clear all later restore points except for the one you just made

Ok the prompts, it may take a few seconds to remove old restore points
Ok again after it's ready and let it finish cleaning

You should give your computer a bit more protection
Install
SpywareBlaster 3.5.1 by JavaCool
This tool does not need to run in the background to help protect your computer

After installation, Check for updates
After updating, select "Protection" on the Left
Then select "Enable all Protection"
"Check for updates every couple of weeks"
after every update just simply click the "enable protection on all unprotected items"

In addition:Hold onto Spybot 1.4 and do the following
Open Spybot 1.4
Click on the Immunize button>>OK>>Click on Immunize at the top green cross
Do that after every update
NOTE: Later, If there are other users on this computer
Log into their account also and enable protection with Spywareblaster and Immunize with Spybot

Removal of tools that we used or you previously used:
You can manually delete fix.reg and c:/DnsBak.reg if you have no Internet connection problems

Can you also download this tool:
[color=\"blue\"]OTMoveIt[/color] by OldTimer:

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click the Cleanup! button
A list will be downloaded>>Allow it Internet access if prompted by your Firewall
Select Yes at the prompt
Wait for the confirmation box to open to reboot the computer
Either select Yes to reboot Now or you can choose No to reboot later if preferred

After reboot you can empty your recycle bin

By the way, you may want to continue using TeaTimer, this is up to you, totally optional
What is the Resident TeaTimer?
As Noted in Spybot's Help section

Quote

The Resident TeaTimer is a new tool of Spybot-S&D which perpetually monitors the processes called/initiated. It immediately detects known malicious processes wanting to start and terminates them giving you some options how to deal with this process in the future: You can set TeaTimer to:

- be informed, when the process tries to start again
- automatically kill the process
- or generally allow the process to run There is also an option to delete the file associated with this process.

In addition, TeaTimer detects, when something wants to change some critical registry keys. TeaTimer can protect you against such changes again giving you an option: You can either "Allow" or "Deny" the change. As TeaTimer is always running in the background, it takes some resources of about 5 MB.

Why does Resident TeaTimer terminate the application before asking?

Because threats like toll dialers are time critical - they cost from the first second they've connected. In order to protect you, these have to be terminated at the moment they appear before they can connect at all.

Why is the TeaTimer called "TeaTimer"?

As we used to forget our tea, when we let it brew, we built a small tool with a system tray icon to remind us. We called this tool "TeaTimer". When we started to develop the Resident tool for Spybot-S&D, we also needed a system tray icon for this. As we do not like having too many icons in the system tray, we decided to put both tools together and kept the name "TeaTimer". The next version of the Resident tool will also have the functions of the original "TeaTimer".

You can find the Resident TeaTimer in the tools section.

I hope that helps

Justa · « **Reply #10 on:** July 02, 2007, 05:11:07 PM »

Thank you so much, I'm sure your more clear on how screwed I would have been without your help than I am

guestolo · « **Reply #11 on:** July 02, 2007, 06:08:13 PM »

Your welcome, glad to help
I'll lock this topic as your problems appear resolved
Take care Justa

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: MGRS and Other junks (Read 1834 times)

Justa

MGRS and Other junks

guestolo

MGRS and Other junks

Justa

MGRS and Other junks

guestolo

MGRS and Other junks

Justa

MGRS and Other junks

guestolo

MGRS and Other junks

Justa

MGRS and Other junks

guestolo

MGRS and Other junks

Justa

MGRS and Other junks

guestolo

MGRS and Other junks

Justa

MGRS and Other junks

guestolo

MGRS and Other junks