
Discussion Starter · #1 ·
Hi Tech Support Guy,

I have managed to be infected with Lop.AS and so far everything I have tried has failed. AVG antivirus and anti-spyware pick it up but treat the symptoms rather than getting rid of the source. At present every 10 mins or so an AVG antivirus box pops up and I send a file from the temp internet files to quarantine. Sometimes an explorer box appears saying do you wish to try again or work offline, presumably because I have not granted access for 'random' programmes to the internet. The WINNT\system32\autosys.exe file referred to doesn't seem to exist either. I am on the verge of formatting my hard drive, but I only set up this computer a few days ago and it has taken quite a lot of effort to get everything on it. I've seen so many reports about the Lop.AS and have seen that they all put up a HijackThis log, so I have done this already in anticipation of your valued advice.

I am using Windows 2000 SP4 and use Firefox and Thunderbird; as previously mentioned I have AVG free antivirus and anti-spyware, and I also have a ZoneAlarm firewall as well as a US Robotics router firewall.

Thanks in advance,
sax_man_al

Logfile of HijackThis v1.99.1
Scan saved at 11:11:22, on 13/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINNT\system32\ctfmon.exe
D:\PROGRA~1\MICROS~4\wcescomm.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AutoSys] D:\WINNT\system32\autosys.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: ljjifdc - D:\WINNT\SYSTEM32\ljjifdc.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
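Added here as an illustration (this is not code from the thread, from HijackThis or from any of the tools named): a Python triage script that applies, over a subset of the log above, the checks a helper applies by eye: a start page pointing at a local file rather than a URL, a BHO registered with no name, a Winlogon Notify DLL that is missing on disk or is the same DLL as that nameless BHO, and a service with an unknown owner whose binary is missing or whose name mimics svchost.exe. The sample lines are copied from the log above; the heuristics are generic indicators to query, not a verdict on any particular file.

```python
import re
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: ljjifdc - D:\WINNT\SYSTEM32\ljjifdc.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
MISSING = "(file missing)"


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path, ignoring trailing quotes and spaces."""
    return path.replace("/", "\\").rstrip("\\ ").split("\\")[-1].strip('" ').lower()


def triage(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every log entry a helper would query."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))

    # Pass 1: DLLs loaded by nameless BHOs, so O20 entries can be cross-referenced.
    nameless_bho_dlls = {
        basename(body.rsplit(" - ", 1)[-1])
        for sec, body, _ in entries
        if sec == "O2" and body.startswith("BHO: (no name)")
    }

    findings = []
    for sec, body, line in entries:
        if sec in ("R0", "R1"):
            # Start/Default page values should be URLs; a local file is a hijack marker.
            value = body.split(" = ", 1)[-1].strip()
            if not re.match(r"(https?|about):", value, re.I):
                findings.append((sec, "browser start/default page points at a non-URL target", line))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append((sec, "Browser Helper Object registered without a name", line))
        elif sec == "O20":
            dll = basename(body.split(" - ", 1)[-1].replace(MISSING, ""))
            if MISSING in body:
                findings.append((sec, "Winlogon Notify DLL that no longer exists on disk", line))
            elif dll in nameless_bho_dlls:
                findings.append((sec, "Winlogon Notify DLL is also the nameless BHO's DLL", line))
            # Other O20 entries (e.g. winjvd32) cannot be judged from HijackThis alone;
            # the WinPFind scan later in the thread adds packer and company information.
        elif sec == "O23":
            parts = body.split(" - ")
            owner = parts[1].strip() if len(parts) > 2 else ""
            exe = basename(parts[-1].split('"')[0])
            if exe.startswith("svchost") and exe != "svchost.exe":
                findings.append((sec, "service binary mimics svchost.exe", line))
            elif owner == "Unknown owner" and MISSING in body:
                findings.append((sec, "service with unknown owner whose binary is missing", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(HJT_SAMPLE):
        print(f"[{sec}] {reason}\n    {line}")
```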
 

· Administrator · Karen
Hi and welcome to TSG,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
  • Instead of Windows loading as normal, the Advanced Options Menu should appear
  • Select the first option, to run Windows in Safe Mode, then press Enter
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
 

Discussion Starter · #3 ·
Thanks for that, I have tried to run it in safe mode, but no luck, I typed Y and nothing happened. I tried again and it complained that backup files had already been created. So I renamed the backup folders and tried to run the program again, but the same happened.

My system drive is D:, so I'm not sure whether this will cause a problem or not; the WINNT folder is on D:.

Cheers for your help.

Ali
 

· Administrator · Karen
Let's leave that one and we'll use another tool instead:

Download WinPFind.exe to your desktop, double click on it to open it and then select “extract” to extract the files. This will create a folder named WinPFind on your desktop.

Start in Safe Mode Using the F8 method:

  • Restart the computer.
  • As soon as the BIOS is loaded, begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Double click on the WinPFind folder on your desktop to open it and then double click on the WinPFind.exe file to start the program.

  • Click “Configure scan options”
  • Under “Run AdOns” select the following:
    • Policies.def
    • Security.def
  • Click “apply”
  • Click "Start Scan"
  • It will scan the entire System, so please be patient and let it complete.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log.
 

Discussion Starter · #5 ·
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 19/01/2007 13:18:32
WinPFind v1.5.0 Folder = D:\Documents and Settings\Claire Eames\Desktop\WinPFind\
Microsoft Windows 2000 Service Pack 4 (Version = 5.0.2195)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 18/03/2005 17:19:58 2337488 D:\WINNT\SYSTEM32\d3dx9_25.dll (Microsoft Corporation)
aspack 26/05/2005 15:34:52 2297552 D:\WINNT\SYSTEM32\d3dx9_26.dll (Microsoft Corporation)
aspack 22/07/2005 19:59:04 2319568 D:\WINNT\SYSTEM32\d3dx9_27.dll (Microsoft Corporation)
aspack 05/12/2005 18:09:18 2323664 D:\WINNT\SYSTEM32\d3dx9_28.dll (Microsoft Corporation)
aspack 03/02/2006 08:43:16 2332368 D:\WINNT\SYSTEM32\d3dx9_29.dll (Microsoft Corporation)
aspack 31/03/2006 12:40:58 2388176 D:\WINNT\SYSTEM32\d3dx9_30.dll (Microsoft Corporation)
aspack 28/09/2006 16:05:20 2414360 D:\WINNT\SYSTEM32\d3dx9_31.dll (Microsoft Corporation)
aspack 29/11/2006 13:06:18 3426072 D:\WINNT\SYSTEM32\d3dx9_32.dll (Microsoft Corporation)
PTech 12/12/2006 10:45:04 1474864 D:\WINNT\SYSTEM32\LegitCheckControl.DLL (Microsoft Corporation)
WSUD 19/06/2003 19:05:04 1011764 D:\WINNT\SYSTEM32\mfc42u.dll (Microsoft Corporation)
PECompact2 02/01/2007 23:19:44 10980776 D:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 02/01/2007 23:19:44 10980776 D:\WINNT\SYSTEM32\MRT.exe (Microsoft Corporation)
Umonitor 12/01/2005 19:39:46 531216 D:\WINNT\SYSTEM32\RASDLG.DLL (Microsoft Corporation)
winsync 07/12/1999 11:00:00 1309184 D:\WINNT\SYSTEM32\wbdbase.deu ()
PEC2 11/01/2007 15:11:04 17920 D:\WINNT\SYSTEM32\winjvd32.dll ()
PECompact2 11/01/2007 15:11:04 17920 D:\WINNT\SYSTEM32\winjvd32.dll ()

Checking %System%\Drivers folder and sub-folders...
UPX! 08/01/2007 17:14:40 816672 D:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
FSG! 08/01/2007 17:14:40 816672 D:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
PEC2 08/01/2007 17:14:40 816672 D:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)
aspack 08/01/2007 17:14:40 816672 D:\WINNT\SYSTEM32\drivers\avg7core.sys (GRISOFT, s.r.o.)

Items found in D:\WINNT\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
07/01/2007 16:18:58 H 271 D:\WINNT\desktop.ini ()
07/01/2007 16:18:56 H 21692 D:\WINNT\folder.htt ()
18/01/2007 01:08:54 H 465852 D:\WINNT\ShellIconCache ()
07/01/2007 19:46:04 H 604 D:\WINNT\STLL Notifier ()
07/01/2007 19:46:04 H 604 D:\WINNT\T3 ()
07/01/2007 19:46:04 H 604 D:\WINNT\T4 ()
19/01/2007 13:12:02 S 64 D:\WINNT\CSC\00000001 ()
10/01/2007 21:01:00 S 64 D:\WINNT\CSC\00000002 ()
07/01/2007 16:23:24 S 64 D:\WINNT\CSC\csc1.tmp ()
07/01/2007 17:31:20 H 65 D:\WINNT\Downloaded Program Files\desktop.ini ()
07/01/2007 16:19:08 HS 67 D:\WINNT\Fonts\desktop.ini ()
07/01/2007 17:16:58 H 0 D:\WINNT\inf\oem1.inf ()
07/01/2007 17:44:50 H 0 D:\WINNT\inf\oem2.inf ()
07/01/2007 17:31:20 H 65 D:\WINNT\Offline Web Pages\desktop.ini ()
07/01/2007 16:19:54 H 122880 D:\WINNT\repair\ntuser.dat ()
07/01/2007 16:18:58 H 271 D:\WINNT\system32\desktop.ini ()
07/01/2007 16:18:58 H 21692 D:\WINNT\system32\folder.htt ()
11/01/2007 15:11:12 HS 22541 D:\WINNT\system32\ljjifdc.dll ()
07/01/2007 19:46:04 H 604 D:\WINNT\system32\T2 ()
19/01/2007 12:18:02 H 35986 D:\WINNT\system32\vsconfig.xml ()
07/01/2007 16:37:30 H 4212 D:\WINNT\system32\zllictbl.dat ()
19/01/2007 12:19:52 H 1024 D:\WINNT\system32\config\default.LOG ()
19/01/2007 13:15:14 H 1024 D:\WINNT\system32\config\SAM.LOG ()
19/01/2007 13:13:20 H 1024 D:\WINNT\system32\config\SECURITY.LOG ()
19/01/2007 13:23:16 H 1024 D:\WINNT\system32\config\software.LOG ()
07/01/2007 16:08:36 H 1024 D:\WINNT\system32\config\system.LOG ()
07/01/2007 16:08:34 H 0 D:\WINNT\system32\config\TempKey.LOG ()
07/01/2007 16:08:36 H 1024 D:\WINNT\system32\config\userdiff.LOG ()
07/01/2007 17:14:02 HS 336 D:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\3e455630-ac19-4ccf-97c7-77e39e9eeaed ()
07/01/2007 17:14:02 HS 24 D:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred ()
13/01/2007 12:51:06 H 8628 D:\WINNT\system32\spool\drivers\w32x86\3\HPW8DRV.GID ()
19/01/2007 13:12:04 H 6 D:\WINNT\Tasks\SA.DAT ()
11/01/2007 18:41:50 HS 12935 D:\WINNT\Temp\$_2341233.TMP ()
11/01/2007 18:35:16 HS 8 D:\WINNT\Temp\$_2341235.TMP ()
07/01/2007 16:18:58 H 842 D:\WINNT\Web\bullet.gif ()
07/01/2007 16:18:58 H 90056 D:\WINNT\Web\classic.bmp ()
07/01/2007 16:18:58 H 634 D:\WINNT\Web\classic.htt ()
07/01/2007 16:18:58 H 4659 D:\WINNT\Web\controlp.htt ()
07/01/2007 16:18:58 H 5296 D:\WINNT\Web\default.htt ()
07/01/2007 16:18:58 H 830 D:\WINNT\Web\deskmovr.htt ()
07/01/2007 16:18:58 H 8898 D:\WINNT\Web\dialup.htt ()
07/01/2007 16:18:58 H 2642 D:\WINNT\Web\exclam.gif ()
07/01/2007 16:18:58 H 31080 D:\WINNT\Web\folder.bmp ()
07/01/2007 16:18:58 H 3210 D:\WINNT\Web\folder.htt ()
07/01/2007 16:18:58 H 19355 D:\WINNT\Web\fsresult.htt ()
07/01/2007 17:31:22 H 11083 D:\WINNT\Web\ftp.htt ()
07/01/2007 16:18:58 H 56 D:\WINNT\Web\mincold.gif ()
07/01/2007 16:18:58 H 77 D:\WINNT\Web\minhot.gif ()
07/01/2007 16:18:58 H 59 D:\WINNT\Web\pluscold.gif ()
07/01/2007 16:18:58 H 80 D:\WINNT\Web\plushot.gif ()
07/01/2007 16:18:58 H 31080 D:\WINNT\Web\preview.bmp ()
07/01/2007 16:18:58 H 11149 D:\WINNT\Web\recycle.htt ()
07/01/2007 16:18:58 H 2913 D:\WINNT\Web\safemode.htt ()
07/01/2007 16:18:58 H 6489 D:\WINNT\Web\schedule.htt ()
07/01/2007 16:18:58 H 28565 D:\WINNT\Web\standard.htt ()
07/01/2007 16:18:58 H 31080 D:\WINNT\Web\starter.bmp ()
07/01/2007 16:18:58 H 1024 D:\WINNT\Web\starter.htt ()
07/01/2007 16:18:58 H 1316 D:\WINNT\Web\webview.css ()
07/01/2007 16:18:58 H 31438 D:\WINNT\Web\webview.js ()
07/01/2007 16:18:58 H 12403 D:\WINNT\Web\wvnet.gif ()

Checking for CPL files...
07/12/1999 11:00:00 67344 D:\WINNT\SYSTEM32\access.cpl (Microsoft Corporation)
19/06/2003 19:05:04 301328 D:\WINNT\SYSTEM32\appwiz.cpl (Microsoft Corporation)
19/06/2003 19:05:04 237328 D:\WINNT\SYSTEM32\DESK.CPL (Microsoft Corporation)
07/12/1999 11:00:00 128272 D:\WINNT\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
29/08/2002 07:14:40 292352 D:\WINNT\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
12/08/2004 14:48:30 109568 D:\WINNT\SYSTEM32\INPUT.CPL (Microsoft Corporation)
07/12/1999 11:00:00 118032 D:\WINNT\SYSTEM32\intl.cpl (Microsoft Corporation)
07/12/1999 11:00:00 36112 D:\WINNT\SYSTEM32\irprops.cpl (Microsoft Corporation)
30/10/2001 08:10:00 326144 D:\WINNT\SYSTEM32\joy.cpl (Microsoft Corporation)
07/12/1999 11:00:00 122128 D:\WINNT\SYSTEM32\main.cpl (Microsoft Corporation)
07/12/1999 11:00:00 303888 D:\WINNT\SYSTEM32\mmsys.cpl (Microsoft Corporation)
07/12/1999 11:00:00 17168 D:\WINNT\SYSTEM32\ncpa.cpl (Microsoft Corporation)
07/12/1999 11:00:00 41232 D:\WINNT\SYSTEM32\nwc.cpl (Microsoft Corporation)
19/06/2003 19:05:04 41232 D:\WINNT\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
19/06/2003 19:05:04 90896 D:\WINNT\SYSTEM32\powercfg.cpl (Microsoft Corporation)
19/06/2003 19:05:04 83216 D:\WINNT\SYSTEM32\sticpl.cpl (Microsoft Corporation)
19/06/2003 19:05:04 125712 D:\WINNT\SYSTEM32\SYSDM.CPL (Microsoft Corporation)
07/12/1999 11:00:00 5904 D:\WINNT\SYSTEM32\telephon.cpl (Microsoft Corporation)
07/12/1999 11:00:00 61200 D:\WINNT\SYSTEM32\timedate.cpl (Microsoft Corporation)
26/05/2005 04:16:30 174360 D:\WINNT\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
29/08/2002 07:14:40 292352 D:\WINNT\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
12/01/2005 19:40:00 64784 D:\WINNT\SYSTEM32\dllcache\msmq.cpl (Microsoft Corporation)
23/09/1999 18:44:36 94208 D:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl (IBM Corporation)
07/12/1999 11:00:00 41232 D:\WINNT\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
26/05/2005 04:16:30 174360 D:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{17492023-C23A-453E-A040-C7C580BBF700} - Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204
{6414512B-B978-451D-A0D8-FCFDF33E833C} - WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
{C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc4.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://D:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://D:\WINNT\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/01/2007 21:34:00 1565 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk ()
08/01/2007 21:34:02 1601 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk ()
08/01/2007 21:34:04 1572 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk ()
07/01/2007 16:45:00 754 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Wireless USB Adapter.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
08/01/2007 21:34:12 801 D:\Documents and Settings\Claire Eames\Start Menu\Programs\Startup\Adobe Gamma.lnk ()

Checking files in %USERPROFILE%\Application Data folder...
11/01/2007 14:46:00 2508 D:\Documents and Settings\Claire Eames\Application Data\$_hpcst$.hpc ()
18/01/2007 20:21:20 21032 D:\Documents and Settings\Claire Eames\Application Data\GDIPFONTCACHEV1.DAT ()
 

Discussion Starter · #6 ·
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - c:\secure32.html
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - c:\secure32.html
\\Default_Search_URL - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Local Page - c:\secure32.html

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - c:\secure32.html
\\Search Page - http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
\\Default_Page_URL - c:\secure32.html
\\Local Page - c:\secure32.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - = ()
\{31DAED02-6425-437E-B976-E0EE0F00F3A5} - = D:\WINNT\system32\ljjifdc.dll ()

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = %SystemRoot%\system32\shdocvw.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1} - File and Folders Search ActiveX Control = D:\WINNT\system32\shell32.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{8E718888-423F-11D2-876E-00A0C9082467} - &Radio = D:\WINNT\system32\msdxm.ocx ()

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} - 8192 =
\\NEXTID - 8195
\\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - 8193 =
\\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - 8194 = Create Mobile Favorite...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - ButtonText: Create Mobile Favorite =
\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - MenuText: Create Mobile Favorite... = D:\PROGRA~1\MICROS~4\INetRepl.dll (Microsoft Corporation)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = D:\WINNT\System32\hticons.dll (Hilgraeve, Inc.)
\\{950FF917-7A57-46BC-8017-59D9BF474000} - Shell Extension for CDRW = D:\Program Files\Ahead\InCD\incdshx.dll (Ahead Software, Karlsbad, Germany)
\\{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} - AVG7 Shell Extension = D:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} - AVG7 Find Extension = D:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = D:\Program Files\WinRAR\rarext.dll ()
\\{E0D79304-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79305-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)
\\{E0D79306-84BE-11CE-9641-444553540000} - WinZip = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\AVG Anti-Spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\AVG7 Shell Extension - {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Program Files\WinRAR\rarext.dll ()
\WinZip - {E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRA~1\WinZip\WZSHLSTB.DLL (WinZip Computing, Inc.)

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
\{F9DB5320-233E-11D1-9F84-707F02C10627} - PDF Column Info = D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (Adobe Systems, Inc.)

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager - D:\WINNT\SYSTEM32\mobsync.exe (Microsoft Corporation)
Zone Labs Client - D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Zone Labs, LLC)
PRISMSVR.EXE - D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE (Conexant Systems, Inc.)
NeroCheck - D:\WINNT\system32\NeroCheck.exe (Ahead Software Gmbh)
InCD - D:\Program Files\Ahead\InCD\InCD.exe (Ahead Software AG)
RemoteControl - D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe (Cyberlink Corp.)
AVG7_CC - D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe (GRISOFT, s.r.o.)
IpWins - D:\Program Files\Ipwindows\ipwins.exe ()
!AVG Anti-Spyware - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MsnMsgr - D:\Program Files\MSN Messenger\MsnMsgr.Exe (Microsoft Corporation)
ctfmon.exe - D:\WINNT\SYSTEM32\ctfmon.exe (Microsoft Corporation)
H/PC Connection Agent - D:\PROGRA~1\MICROS~4\wcescomm.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk - D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk - D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe ()
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk - D:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
D:\Documents and Settings\All Users\Start Menu\Programs\Startup\U.S. Robotics Wireless USB Adapter.lnk - D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe ()

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
D:\Documents and Settings\Claire Eames\Start Menu\Programs\Startup\Adobe Gamma.lnk - D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\Network.ConnectionTray - {7007ACCF-3202-11D1-AAD2-00805FC1270E} = D:\WINNT\system32\NETSHELL.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{31DAED02-6425-437E-B976-E0EE0F00F3A5} - = D:\WINNT\system32\ljjifdc.dll ()
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
\\{438755C2-A8BA-11D1-B96B-00A0C90312E1} - Browseui preloader = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)
\\{8C7461EF-2B13-11d2-BE35-3078302C2030} - Component Categories cache daemon = %SystemRoot%\system32\browseui.dll (Microsoft Corporation)

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = D:\WINNT\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\ActiveSync - WcesWlgn.dll = (Microsoft Corporation)
\AtiExtEvent - Ati2evxx.dll = (ATI Technologies Inc.)
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ljjifdc - ljjifdc.dll = ()
\partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll = ()
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\winjvd32 - winjvd32.dll = ()
\wzcnotif - wzcdlg.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{AFEB420D-24E0-49D6-B468-115002000F50} - (U.S. Robotics Wireless USB Adapter)
{E9937066-9C4B-4460-8BD8-1AE1EDDE2DAA} - (VIA Rhine II Fast Ethernet Adapter)

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\rnr20.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\msafd.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\skype4com - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL (Skype Technologies)
\vnd.ms.radio - D:\WINNT\system32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<

>>>>Output for AddOn file Policies.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
policies\Explorer\\NoDriveTypeAutoRun - 149
policies\System\\DisableRegistryTools - 0

>>>>Output for AddOn file Security.def<<<<
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - Include SUBKEYS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center - not found.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
BITS\\DependOnGroup -
BITS\\DependOnService - Rpcss;SENS;Wmi;
BITS\\Description - Transfers files in the background using idle network bandwidth. If the service is disabled, then any functions that depend on BITS, such as Windows Update or MSN Explorer will be unable to automatically download programs and other information.
BITS\\DisplayName - Background Intelligent Transfer Service
BITS\\ErrorControl - 1
BITS\\ImagePath - %SystemRoot%\System32\svchost.exe -k BITSgroup
BITS\\ObjectName - LocalSystem
BITS\\Start - 3
BITS\\Type - 32
BITS\Parameters\\ServiceDll - %SystemRoot%\System32\qmgr.dll
BITS\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 72 00 73 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 72 00 73 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
BITS\Enum\\0 - Root\LEGACY_BITS\0000
BITS\Enum\\Count - 1
BITS\Enum\\NextInstance - 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
SharedAccess\\Type - 288
SharedAccess\\Start - 3
SharedAccess\\ErrorControl - 1
SharedAccess\\ImagePath - %SystemRoot%\System32\svchost.exe -k netsvcs
SharedAccess\\DisplayName - Internet Connection Sharing
SharedAccess\\DependOnService - RasMan;
SharedAccess\\DependOnGroup -
SharedAccess\\ObjectName - LocalSystem
SharedAccess\\Description - Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
SharedAccess\Parameters\\ServiceDll - %SystemRoot%\System32\ipnathlp.dll
SharedAccess\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 20 02 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 00 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv - Include SUBKEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
wuauserv\\Description - Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
wuauserv\\DisplayName - Automatic Updates
wuauserv\\ErrorControl - 1
wuauserv\\ImagePath - %systemroot%\system32\svchost.exe -k wugroup
wuauserv\\ObjectName - LocalSystem
wuauserv\\Start - 2
wuauserv\\Type - 32
wuauserv\Parameters\\ServiceDll - D:\WINNT\system32\wuauserv.dll
wuauserv\Security\\Security - 01 00 14 80 A0 00 00 00 AC 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 70 00 04 00 00 00 00 00 18 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 00 00 00 00 1C 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 34 00 00 00 18 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 20 02 00 00 00 00 1C 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 00 00 34 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
wuauserv\Enum\\0 - Root\LEGACY_WUAUSERV\0000
wuauserv\Enum\\Count - 1
wuauserv\Enum\\NextInstance - 1

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 

Registered · 17 Posts · Discussion Starter · #7
Logfile of HijackThis v1.99.1
Scan saved at 13:29:14, on 19/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\WINNT\system32\ctfmon.exe
D:\PROGRA~1\MICROS~4\wcescomm.exe
D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: ljjifdc - D:\WINNT\SYSTEM32\ljjifdc.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
 

Registered · 17 Posts · Discussion Starter · #8
The WPFind log was carried out as instructed in Safe Mode, but the HijackThis log was taken in a normal boot-up (hope this is OK). If not, I can run it in Safe Mode too and post that as well.

Thanks for your help,
Ali
 

Administrator · 124,728 Posts · First Name - Karen
Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 

Registered · 17 Posts · Discussion Starter · #10
Logfile of HijackThis v1.99.1
Scan saved at 19:04:05, on 19/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\ctfmon.exe
D:\PROGRA~1\MICROS~4\wcescomm.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
 

Registered · 17 Posts · Discussion Starter · #11
VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 18:40:12 19/01/2007

Listing files found while scanning....

D:\WINNT\system32\ljjifdc.dll

Beginning removal...

Attempting to delete D:\WINNT\system32\ljjifdc.dll
D:\WINNT\system32\ljjifdc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Sun Java not detected
Scan started at 18:57:38 19/01/2007

Listing files found while scanning....

No infected files were found.
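The two HijackThis logs above (posts #7 and #10) and the VundoFix output differ in exactly the entries the analyst acted on. What follows is an added example, not code from this thread, from HijackThis or from VundoFix: a small Python triage script that encodes the checks those logs were read for (a start page pointing at a local file such as c:\secure32.html, an unnamed or "(file missing)" BHO, Winlogon Notify DLLs outside an allowlist, "Unknown owner" services whose binary is missing or whose command line carries a stray quote) and diffs a before/after pair of logs to confirm what a cleanup tool actually removed. The allowlist KNOWN_GOOD_NOTIFY is an assumption built from the vendor-attributed Notify DLLs in the WinPFind output earlier in the thread; the embedded sample log excerpts are copied from posts #7 and #10.

```python
"""Triage and diff helpers for HijackThis v1.99.1 logs.

Added example, not code from this thread or from HijackThis. Checks:
  * R0/R1 browser pages pointing at a local file rather than a URL
  * O2/O20 entries that are unnamed, "(file missing)", or off the allowlist
  * O23 "Unknown owner" services with a missing binary or a stray quote
KNOWN_GOOD_NOTIFY is an assumption: the vendor-attributed Winlogon Notify
DLLs listed in the WinPFind output earlier in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

KNOWN_GOOD_NOTIFY = {
    "wceswlgn.dll", "ati2evxx.dll", "crypt32.dll", "cryptnet.dll",
    "cscdll.dll", "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

# "O20 - Winlogon Notify: ..." -> type "O20", body "Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")

# Constructed samples: excerpts of the thread's post #7 and post #10 logs.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: ljjifdc - D:\WINNT\SYSTEM32\ljjifdc.dll
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll (file missing)
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
"""


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (entry_type, body) pairs; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def flag(entry_type: str, body: str) -> str:
    """Return a reason if the entry looks suspicious, else an empty string."""
    low = body.lower()
    if entry_type in ("R0", "R1"):
        target = low.split("=", 1)[-1].strip()
        if re.match(r"^[a-z]:\\", target):          # e.g. c:\secure32.html
            return "browser page set to a local file (hijack)"
    elif entry_type == "O2":
        if "(no name)" in low:
            return "unnamed BHO"
        if "(file missing)" in low:
            return "orphaned BHO registration"
    elif entry_type == "O20":
        if "(file missing)" in low:
            return "orphaned Winlogon Notify entry"
        dll = low.rsplit("\\", 1)[-1]               # last path component
        if dll not in KNOWN_GOOD_NOTIFY:
            return "Winlogon Notify DLL not on allowlist"
    elif entry_type == "O23" and "unknown owner" in low:
        if "(file missing)" in low:
            return "unattributed service with missing binary"
        if low.count('"') % 2 == 1:
            return "malformed service command line"
    return ""


def triage(log: str) -> Dict[str, str]:
    """Map each suspicious entry body to the reason it was flagged."""
    findings = {}
    for entry_type, body in parse(log):
        reason = flag(entry_type, body)
        if reason:
            findings[body] = reason
    return findings


def diff_logs(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(removed, added) entry bodies between two logs of the same machine."""
    old = {body for _, body in parse(before)}
    new = {body for _, body in parse(after)}
    return old - new, new - old


if __name__ == "__main__":
    for body, reason in triage(LOG_BEFORE).items():
        print(f"[{reason}] {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed after VundoFix:", *sorted(removed), sep="\n  ")
    print("added after VundoFix:", *sorted(added), sep="\n  ")
```

What the diff shows matches the thread: VundoFix deleted the DLL and its O20 Notify entry, but the O2 BHO CLSID registration survives as "(file missing)", and winjvd32.dll plus the two "Unknown owner" services with missing binaries are untouched, which is why a fresh triage pass after every removal step is worth the effort. The allowlist is deliberately narrow: a Notify DLL with no vendor string deserves a second look even when no blocklist names it.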
 

Administrator · 124,728 Posts · First Name - Karen
Since you already have AVG-AS please do this:

  • Open AVG-AS
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do Not run a scan just yet, we will run it in safe mode.
  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
  2. Launch AVG Anti-Spyware by double clicking the icon on your desktop.
  3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  4. AVG will now begin the scanning process. Please be patient as this may take a little time.
    Once the scan is complete, do the following:
  5. If you have any infections you will be prompted. Then select "Apply all actions."
  6. Next select the "Reports" icon at the top.
  7. Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
  8. Close AVG Anti-Spyware and reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • You need to use IE to run this scan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
 

Registered · 17 Posts · Discussion Starter · #13
Logfile of HijackThis v1.99.1
Scan saved at 21:46:57, on 20/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\ctfmon.exe
D:\PROGRA~1\MICROS~4\wcescomm.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
 

· Registered · 17 Posts · Discussion Starter · #14 ·
Incident Status Location

Spyware:Cookie/RealMedia Not disinfected D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt[.tucows.com/]
Potentially unwanted tool:Application/Processor Not disinfected D:\Documents and Settings\Claire Eames\My Documents\downloads\programs\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/Yazzle Not disinfected D:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
Virus:trj/torpig.a Disinfected D:\WINNT\Temp\$_2341233.TMP
 

· Registered · 17 Posts · Discussion Starter · #15 ·
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:53:03 20/01/2007

+ Scan result:

:mozilla.89:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.247realmedia : No action taken.
:mozilla.130:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.131:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.132:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.169:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.170:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.171:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.172:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.173:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.68:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.69:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.71:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.72:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.73:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.74:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Advertising : No action taken.
:mozilla.168:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Adviva : No action taken.
:mozilla.25:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
D:\Documents and Settings\Claire Eames\Cookies\claire [email protected][2].txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.153:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.154:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.155:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.212:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.213:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.214:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.44:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
D:\Documents and Settings\Claire Eames\Cookies\claire [email protected][1].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.280:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.108:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.109:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.110:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.111:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.112:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.227:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.228:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.242:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.246:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.247:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.256:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.260:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.310:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Googleadservices : No action taken.
:mozilla.315:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.316:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.63:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.64:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.65:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.66:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.67:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.174:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
D:\Documents and Settings\Claire Eames\Cookies\claire [email protected][1].txt -> TrackingCookie.Mediaplex : No action taken.
:mozilla.149:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
:mozilla.264:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.175:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.176:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.177:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.121:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.122:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.123:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.124:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.125:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.126:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.115:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.116:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Sitestat : No action taken.
:mozilla.239:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.150:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.151:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.152:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.133:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.134:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
D:\Documents and Settings\Claire Eames\Cookies\claire [email protected][1].txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.179:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.
:mozilla.308:D:\Documents and Settings\Claire Eames\Application Data\Mozilla\Firefox\Profiles\qle09hal.default\cookies.txt -> TrackingCookie.Webtrendslive : No action taken.

::Report end
 

· Administrator · 124,728 Posts · First Name - Karen
Go to Start - Run, type in CMD and click OK. The MS-DOS window will be displayed. At the prompt type the following:

SC Stop "COM+ Messages"

Then press Enter

Type:

SC Delete "COM+ Messages"

Then press Enter

Type:

SC Stop MsaSvc

Press Enter

Type:

SC Delete MsaSvc

Press Enter

Type:

Exit

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: (no name) - {31DAED02-6425-437E-B976-E0EE0F00F3A5} - D:\WINNT\system32\ljjifdc.dll (file missing)

O4 - HKLM\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe

O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)

O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll

O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)


1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
D:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
D:\WINNT\SYSTEM32\winjvd32.dll
D:\WINNT\system32\ljjifdc.dll
D:\WINNT\system32\svchosts.exe
D:\WINNT\system32\msasvc.exe

Folders to delete:
D:\Program Files\Ipwindows

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HijackThis log.

Also, please do this:

Please download SmitfraudFix (by S!Ri)

Extract (unzip) the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Warning: Do not run Option #2 until you are instructed to do so. Running option #2 on a non infected computer will remove your Desktop background.
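The fix above keys off two things visible in the HijackThis log: O20/O23 registrations whose binary is reported as (file missing), and a service whose image name imitates svchost.exe and carries a stray quote in its command line. As an added example, not part of the thread, HijackThis or any tool named in it, this Python script parses O20/O23 lines and flags those patterns with heuristics of the editor's own; the sample lines are copied from the log posted earlier.

```python
"""Triage O20 (Winlogon Notify) and O23 (Service) lines from a HijackThis log.
Added example for this thread; the heuristics are the editor's own, not HijackThis'."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the thread's HijackThis log (benign and
# malicious mixed) so the script runs offline.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O20 - Winlogon Notify: winjvd32 - D:\WINNT\SYSTEM32\winjvd32.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: COM+ Messages - Unknown owner - D:\WINNT\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - D:\WINNT\system32\msasvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Windows binaries whose names malware imitates (svchost.exe -> svchosts.exe).
SYSTEM_BINARIES = ["svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe"]
FILE_MISSING = "(file missing)"
IMAGE_RE = re.compile(r'([^\\/"\s]+\.(?:exe|dll|sys|ocx))', re.IGNORECASE)


@dataclass
class Finding:
    section: str        # "O20" or "O23"
    name: str           # Winlogon Notify subkey or service display name
    path: str           # image path as HijackThis printed it, suffix stripped
    reasons: list[str]


def edit_distance_at_most_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one inserted, deleted or substituted char."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip the extra char on the longer side, or both on a substitution.
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1


def parse_line(line: str):
    """Return (section, name, owner, path) for an O20/O23 line, else None."""
    if line.startswith("O23 - Service: "):
        parts = line.split(" - ", 3)
        if len(parts) == 4:
            return "O23", parts[1][len("Service: "):], parts[2], parts[3]
    elif line.startswith("O20 - Winlogon Notify: "):
        parts = line.split(" - ", 2)
        if len(parts) == 3:
            return "O20", parts[1][len("Winlogon Notify: "):], None, parts[2]
    return None


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        section, name, owner, path = parsed
        reasons = []
        if path.endswith(FILE_MISSING):
            reasons.append("registration points to a binary that no longer exists")
            path = path[: -len(FILE_MISSING)].rstrip()
        match = IMAGE_RE.search(path)
        image = match.group(1).lower() if match else ""
        for known in SYSTEM_BINARIES:
            if edit_distance_at_most_one(image, known):
                reasons.append(f"image name {image} imitates system binary {known}")
        if path.count('"') % 2 == 1:
            reasons.append("unbalanced quote in image path (malformed command line)")
        # A missing publisher is weak on its own (ATI Smart above has none too),
        # so it only corroborates findings already made.
        if section == "O23" and owner == "Unknown owner" and reasons:
            reasons.append("no publisher recorded for the service")
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name!r}: " + "; ".join(f.reasons))
```

Note that winjvd32.dll, which the helper removed from knowledge of the infection, passes these heuristics untouched: a clean-looking path in system32 is not evidence of a clean file.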
 

· Registered · 17 Posts · Discussion Starter · #17 ·
At the prompt when I've typed the above it gives the following:

'SC' is not recognized as an internal or external command, operable program or batch file.

Thanks.

Actually, I've just got sc.exe off the microsoft website, and it runs OK now.
 

· Registered · 17 Posts · Discussion Starter · #18 ·
I had to do this twice, and it made a log second time round.
Ali


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ttmwfqua

*******************

Script file located at: \??\D:\hvwafica.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at D:\Avenger

*******************

Beginning to process script file:

File D:\Program Files\Common Files\Yazzle1162OinUninstaller.exe deleted successfully.


File D:\WINNT\SYSTEM32\winjvd32.dll not found!
Deletion of file D:\WINNT\SYSTEM32\winjvd32.dll failed!

Could not process line:
D:\WINNT\SYSTEM32\winjvd32.dll
Status: 0xc0000034



File D:\WINNT\system32\ljjifdc.dll not found!
Deletion of file D:\WINNT\system32\ljjifdc.dll failed!

Could not process line:
D:\WINNT\system32\ljjifdc.dll
Status: 0xc0000034



File D:\WINNT\system32\svchosts.exe not found!
Deletion of file D:\WINNT\system32\svchosts.exe failed!

Could not process line:
D:\WINNT\system32\svchosts.exe
Status: 0xc0000034

File D:\WINNT\system32\msasvc.exe not found!
Deletion of file D:\WINNT\system32\msasvc.exe failed!

Could not process line:
D:\WINNT\system32\msasvc.exe
Status: 0xc0000034

Folder D:\Program Files\Ipwindows deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
 

· Registered · 17 Posts · Discussion Starter · #19 ·
Logfile of HijackThis v1.99.1
Scan saved at 19:18:08, on 21/01/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\ZoneLabs\vsmon.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\system32\ctfmon.exe
D:\PROGRA~1\MICROS~4\wcescomm.exe
D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "D:\Program Files\U.S. Robotics\Wireless USB Manager\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~4\wcescomm.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: U.S. Robotics Wireless USB Adapter.lnk = D:\Program Files\U.S. Robotics\Wireless USB Manager\USR11G.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168188417265
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ActiveSync - D:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINNT\system32\ZoneLabs\vsmon.exe
 

· Registered · 17 Posts · Discussion Starter · #20 ·
SmitFraudFix v2.133

Scan done at 19:21:48.73, Sun 21/01/2007
Run from D:\Documents and Settings\Claire Eames\Desktop\SmitFraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» D:\

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» D:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Claire Eames

»»»»»»»»»»»»»»»»»»»»»»»» D:\Documents and Settings\Claire Eames\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» D:\DOCUME~1\CLAIRE~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» D:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
 