bushy Posted July 15, 2007 ID:6335 Share Posted July 15, 2007 Please advise on the how to remove a program causing popups advertising AV System Care and other adverts including wixawin mobile trivia game.The AV System Care ads are in the form of dialogues telling you you need AV System Care. If you close the dialogue a window opens with another dialogue. This carries on as you successively close the dialogues over four or five times.Can provide screen captures of these windows if it is of any help.There was a program called Servic~1.exe running as a process - not visible in Applications in Task Manager but this seems to have disappeared after running the pre-post scans.Ran all the scans advised in pre-post instructions but used AVG internet security, as well as escan, which flagged dialer.ux in a0059378.dll in System Restore.HJT Log:Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 18:26:55, on 15/07/2007Platform: Windows XP SP2 (WinNT 5.01.2600)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\1XConfig.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\WINDOWS\system32\fxssvc.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\system32\HPZinw12.exeC:\Install\HiJackThis_v2.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...pandaonline.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123967771117O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cabO16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.msngamecentre.co.uk/online2/MSN...gamesplayer.cabO16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...outLauncher.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnuk.oberon-media.com/online2/MSN_...aploader_v6.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dllO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe--End of file - 8773 bytesThank you in anticipationBushy Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2007 ID:6342 Share Posted July 16, 2007 Hi Bushy and welcome to Malwarebytes. Please get RogueRemover from here http://www.malwarebytes.org/rogueremoverpro.php install and update it, then run a scan and remove everything it finds. Post a new log in this thread. Link to post Share on other sites More sharing options...
bushy Posted July 16, 2007 Author ID:6354 Share Posted July 16, 2007 JeanShould have said that I have run RogueRemoverBushyHi Bushy and welcome to Malwarebytes. Please get RogueRemover from here http://www.malwarebytes.org/rogueremoverpro.php install and update it, then run a scan and remove everything it finds. Post a new log in this thread. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2007 ID:6355 Share Posted July 16, 2007 OK let's do this.Print these instructions or save to a notepad file as you need to have all browsers closed and be off line.Download SDFix and save it to your Desktop.http://downloads.andymanchesta.com/RemovalTools/SDFix.exeDouble click SDFix.exe and it will extract the files to %systemdrive%(Drive that contains the Windows Directory, typically C:\SDFix)Please then reboot your computer in Safe Mode by doing the following :* Restart your computer* After hearing your computer beep once during startup, but before theWindows icon appears, tap the F8 key continually;* Instead of Windows loading as normal, the Advanced Options Menu shouldappear;* Select the first option, to run Windows in Safe Mode, then pressEnter.* Choose your usual account.* Open the extracted SDFix folder and double click RunThis.bat to startthe script.* Type Y to begin the cleanup process.* It will remove any Trojan Services and Registry Entries that it findsthen prompt you to press any key to Reboot.* Press any Key and it will restart the PC.* When the PC restarts the Fixtool will run again and complete theremoval process then display Finished, press any key to end the script andload your desktop icons.* Once the desktop icons load the SDFix report will open on screen andalso save into the SDFix folder as Report.txt(Report.txt will also be copied to Clipboard ready for posting back onthe forum).* Finally paste the contents of the Report.txt back on the forum. Now update AVG Antispyware and run a full system scan, post anything it finds here.Next uninstall your Java from Add/Remove programs and delete the program file. Go here choose Java Runtime Environment (JRE) 6u2 offline installation.Post a new HJT log and we will see how we are doing. Link to post Share on other sites More sharing options...
bushy Posted July 16, 2007 Author ID:6365 Share Posted July 16, 2007 All completed. AVG found some tracking cookies but nothing else seems to have been foundSDFix Log:SDFix: Version 1.92Run by jean on 16/07/2007 at 20:43Microsoft Windows XP [Version 5.1.2600]Running From: C:\SDFixSafe Mode:Checking Services: Restoring Windows Registry ValuesRestoring Windows Default Hosts File Rebooting...Normal Mode:Checking Files: No Trojan Files FoundRemoving Temp Files...ADS Check:C:\WINDOWSNo streams found. C:\WINDOWS\system32No streams found. C:\WINDOWS\system32\svchost.exeNo streams found.C:\WINDOWS\system32\ntoskrnl.exeNo streams found. Final Check:Remaining Services:------------------Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\WINDOWS\\SYSTEM32\\MMC.EXE"="C:\\WINDOWS\\SYSTEM32\\MMC.EXE:*:Enabled:Microsoft Management Console""C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000""C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe""C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe""C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer""D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe""D:\\setup\\HPONICIFS01.EXE"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe""C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe""C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe""C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"Remaining Files:---------------Files with Hidden Attributes:C:\Program Files\McAfee.com\Personal Firewall\data\summary\Thumbs.db Finished AVG Log:---------------------------------------------------------AVG Anti-Spyware - Scan Report--------------------------------------------------------- + Created at: 21:23:09 16/07/2007 + Scan result: C:\Documents and Settings\jean\Cookies\jean@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.C:\Documents and Settings\jean\Cookies\jean@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.C:\Documents and Settings\jean\Cookies\jean@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.C:\Documents and Settings\jean\Cookies\jean@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned.::Report endHJT Log:Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 21:33:51, on 16/07/2007Platform: Windows XP SP2 (WinNT 5.01.2600)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\1XConfig.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\system32\msiexec.exeC:\Install\HiJackThis_v2.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...pandaonline.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123967771117O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cabO16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.msngamecentre.co.uk/online2/MSN...gamesplayer.cabO16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...outLauncher.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnuk.oberon-media.com/online2/MSN_...aploader_v6.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dllO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe--End of file - 9050 bytesBushyOK let's do this. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2007 ID:6372 Share Posted July 16, 2007 Your still getting the popups? Or no? Did you download or install anything from wixawin? Link to post Share on other sites More sharing options...
bushy Posted July 17, 2007 Author ID:6406 Share Posted July 17, 2007 Yes, still getting popups and no, didn't install anything from wixawin.The adverts other than AV Systemcare seem to be for a variety of different providers - not just WixawinYour still getting the popups? Or no? Did you download or install anything from wixawin? Link to post Share on other sites More sharing options...
JeanInMontana Posted July 17, 2007 ID:6408 Share Posted July 17, 2007 Ok, please go here, http://www.pandasoftware.com/products/activescan.htm and run the scan, save the log and post it here. You will need to use IE and allow the active x to install. Link to post Share on other sites More sharing options...
bushy Posted July 17, 2007 Author ID:6421 Share Posted July 17, 2007 JeanThought Activescan had found something but turns out to be SDFixActivescan log:Incident Status Location Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\jean\Cookies\jean@2o7[2].txt Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\jean\Cookies\jean@adtech[2].txt Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\jean\Cookies\jean@adviva[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\jean\Cookies\jean@doubleclick[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\jean\Cookies\jean@mediaplex[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\jean\Desktop\Spyware Tools\SDFix.exe[sDFix\apps\Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe Ok, please go here, http://www.pandasoftware.com/products/activescan.htm and run the scan, save the log and post it here. You will need to use IE and allow the active x to install. Link to post Share on other sites More sharing options...
bushy Posted July 17, 2007 Author ID:6422 Share Posted July 17, 2007 A little bit more information:I have had a look at the html for some of the popups and a couple of them refer to the site: http://static.itrack.it/clients/ Link to post Share on other sites More sharing options...
JeanInMontana Posted July 17, 2007 ID:6423 Share Posted July 17, 2007 My protection blocks the site, but McAfee SiteAdviser rates it red. Have you installed any new games? One of the links from that site is to a poker site, titanpoker.com. Nothing is showing up in your log. We will do this, you must have got a new version, because RogueRemover has worked on this for quite a while.Please download SmitfraudFix (by S!Ri) http://siri.urz.free.fr/Fix/SmitfraudFix.zipExtract the contents (it will create a folder named SmitfraudFix) to your Desktop.Open the SmitfraudFix folder and double-click smitfraudfix.cmdSelect option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).Please copy/paste the content of that report into your next reply.Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.http://www.beyondlogic.org/consulting/proc...processutil.htm This is not a virus. It is a trusted tool.Let me know how things work after this and please post the log. Link to post Share on other sites More sharing options...
bushy Posted July 18, 2007 Author ID:6440 Share Posted July 18, 2007 The owner of the machine installed Sudoplanet - Sudoplanet.com.The site gets a risky rating from McAfee although they give the download the all clear.It does report:The following programs were set to run everytime our system is started:c:\windows\system32\nmkdbujq.exe nmkdbujqThe program has been removed. I'll check the registry for entries reported by McAfee and run SmitFraudFixProbably be a couple of days before I can do it. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 18, 2007 ID:6441 Share Posted July 18, 2007 The owner of the machine installed Sudoplanet - Sudoplanet.com.The site gets a risky rating from McAfee although they give the download the all clear.It does report:The following programs were set to run everytime our system is started:c:\windows\system32\nmkdbujq.exe nmkdbujqThe program has been removed. I'll check the registry for entries reported by McAfee and run SmitFraudFixProbably be a couple of days before I can do it.You should have run SmitFraud when you were given the instructions. It would be done. AVSystem Care is a SmitFraud infection.It does report:The following programs were set to run everytime our system is started:c:\windows\system32\nmkdbujq.exe nmkdbujqWhat reports that? What was the program? It is important that you follow the instructions given and not take action on your own. That is how things get damaged when two people are making major changes and a lack of communication. Link to post Share on other sites More sharing options...
bushy Posted July 18, 2007 Author ID:6445 Share Posted July 18, 2007 I was referring to the information on McAfee's site advisor website about sudoplanet - I had not done anything on the machine.Managed to find 15 mins to download and run SmitfraudFix - report follows:SmitFraudFix v2.204Scan done at 19:21:04.93, 18/07/2007Run from C:\Documents and Settings\jean\Desktop\Spyware Tools\SmitfraudFix\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in normal mode Link to post Share on other sites More sharing options...
JeanInMontana Posted July 18, 2007 ID:6446 Share Posted July 18, 2007 Boy this is a pain. Can you upload this file C:\windows\system32\gohgfhaaya.exe to here http://www.virustotal.com/ and have it scanned. Unless you know what it is. Google gives nothing. That is sometimes a sign it is a new infection.Post back what VirusTotal says and a new HJT log please. Link to post Share on other sites More sharing options...
bushy Posted July 18, 2007 Author ID:6452 Share Posted July 18, 2007 We may be getting somewhere, some of the virustotal scanners don't like this fileLog:File gohgfhaaya.exe_ received on 07.19.2007 00:05:19 (CET)Antivirus Version Last Update Result AhnLab-V3 2007.7.18.0 2007.07.18 no virus found AntiVir 7.4.0.44 2007.07.18 ADSPY/Navipromo.LH.4 Authentium 4.93.8 2007.07.18 no virus found Avast 4.7.997.0 2007.07.18 no virus found AVG 7.5.0.476 2007.07.18 no virus found BitDefender 7.2 2007.07.18 no virus found CAT-QuickHeal 9.00 2007.07.18 (Suspicious) - DNAScan ClamAV devel-20070416 2007.07.18 no virus found DrWeb 4.33 2007.07.18 no virus found eSafe 7.0.15.0 2007.07.17 no virus found eTrust-Vet 30.8.3793 2007.07.18 no virus found Ewido 4.0 2007.07.18 no virus found FileAdvisor 1 2007.07.19 no virus found Fortinet 2.91.0.0 2007.07.18 no virus found F-Prot 4.3.2.48 2007.07.17 no virus found F-Secure 6.70.13030.0 2007.07.18 no virus found Ikarus T3.1.1.8 2007.07.18 no virus found Kaspersky 4.0.2.24 2007.07.19 no virus found McAfee 5077 2007.07.18 no virus found Microsoft 1.2704 2007.07.18 no virus found NOD32v2 2405 2007.07.18 no virus found Norman 5.80.02 2007.07.18 no virus found Panda 9.0.0.4 2007.07.18 no virus found Sophos 4.19.0 2007.07.17 no virus found Sunbelt 2.2.907.0 2007.07.18 no virus found Symantec 10 2007.07.19 Trojan.Skintrim TheHacker 6.1.7.149 2007.07.18 no virus found VBA32 3.12.2.1 2007.07.18 no virus found VirusBuster 4.3.23:9 2007.07.18 no virus found Webwasher-Gateway 6.0.1 2007.07.18 Ad-Spyware.Navipromo.LH.4 Aditional information File size: 263168 bytes MD5: 1e7b7a689d5afb47150cd19262bdd49d SHA1: 3bfca47deb2cfe84a48710054ba648e0a6686de5 and hjt log:Logfile of Trend Micro HijackThis v2.0.0 (BETA)Scan saved at 23:21:53, on 18/07/2007Platform: Windows XP SP2 (WinNT 5.01.2600)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\1XConfig.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Apoint\Apoint.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Apoint\Apntex.exeC:\WINDOWS\system32\igfxsrvc.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\HPZinw12.exeC:\WINDOWS\SYSTEM32\NOTEPAD.EXEC:\Install\HiJackThis_v2.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...pandaonline.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123967771117O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cabO16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.msngamecentre.co.uk/online2/MSN...gamesplayer.cabO16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...outLauncher.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnuk.oberon-media.com/online2/MSN_...aploader_v6.cabO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dllO22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dllO22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dllO23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe--End of file - 9397 bytes Link to post Share on other sites More sharing options...
JeanInMontana Posted July 19, 2007 ID:6454 Share Posted July 19, 2007 Hey, looks like my hunch might be right. I'm going to PM you my email address so you can send me a copy of that file and I will get it to all those companies not detecting it now. We still need to find everything running with it. To get all our tools in the best shape possible I would like you to uninstall that version of HJT and get the non beta one. Install it and then go here and print the instructions for this scanner and install it http://www.geekstogo.com/forum/index.php?a...amp;showfile=19 and run a scan. Post that here and we will see what shows up. Also in HJT under Misc. tools use the startup list feature and post that log for me, it will be very long and you may need to make it a separate post, that might help to just do that. Please. Link to post Share on other sites More sharing options...
bushy Posted July 19, 2007 Author ID:6482 Share Posted July 19, 2007 JeanProblem with sending the file, it is invisible to Windows explorer even though I have 'show hidden files' enabled and 'hide system files' disabled. I also tried Command Prompt 'dir' command and that returned 'file not found'.WinRAR and WinZip can't see it either. Just to check I have uploaded it to Virustotal again and it is still there.Have run DSS, logs follow, and HJT startup list.Did you want the DSS extra log?Deckard's System Scanner v20070711.54Run by jean on 2007-07-19 at 22:09:22Computer is in Normal Mode.---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------Successfully created a Deckard's System Scanner Restore Point.-- Last 5 Restore Point(s) --76: 2007-07-19 21:09:27 UTC - RP542 - Deckard's System Scanner Restore Point75: 2007-07-19 21:02:21 UTC - RP541 - Installed WinZip 11.174: 2007-07-19 14:37:07 UTC - RP540 - System Checkpoint73: 2007-07-18 08:53:51 UTC - RP539 - System Checkpoint72: 2007-07-16 20:31:43 UTC - RP538 - Installed Java 6 Update 2-- First Restore Point -- 1: 2007-04-21 17:53:34 UTC - RP467 - System CheckpointBacked up registry hives.Performed disk cleanup.-- HijackThis (run as jean.exe) ------------------------------------------------Unable to find log (file not found); running clone.-- HijackThis Clone ------------------------------------------------------------Emulating logfile of HijackThis v1.99.1Scan saved at 2007-07-19 22:14:38Platform: Windows XP Service Pack 2 (5.01.2600)MSIE: Internet Explorer (7.00.6000.16473)Running processes:C:\WINDOWS\SYSTEM32\SMSS.EXEC:\WINDOWS\SYSTEM32\WINLOGON.EXEC:\WINDOWS\SYSTEM32\SERVICES.EXEC:\WINDOWS\SYSTEM32\LSASS.EXEC:\WINDOWS\SYSTEM32\SVCHOST.EXEC:\WINDOWS\SYSTEM32\SVCHOST.EXEC:\WINDOWS\SYSTEM32\S24EvMon.exeC:\Program Files\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\SYSTEM32\ZCfgSvc.exeC:\WINDOWS\SYSTEM32\1XConfig.exeC:\WINDOWS\SYSTEM32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Grisoft\AVG7\avgamsvr.exeC:\Program Files\Grisoft\AVG7\avgupsvc.exeC:\Program Files\Grisoft\AVG7\avgrssvc.exeC:\Program Files\Grisoft\AVG7\avgemc.exeC:\WINDOWS\EXPLORER.EXEC:\WINDOWS\SYSTEM32\HPZipm12.exeC:\WINDOWS\SYSTEM32\RegSrvc.exeC:\WINDOWS\SYSTEM32\SVCHOST.EXEC:\Program Files\Grisoft\AVG7\avgfwsrv.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\SYSTEM32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\realplay.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\WINDOWS\SYSTEM32\RUNDLL32.EXEC:\WINDOWS\SYSTEM32\hkcmd.exeC:\WINDOWS\SYSTEM32\igfxpers.exeC:\WINDOWS\SYSTEM32\igfxsrvc.exeC:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exeC:\Program Files\Grisoft\AVG7\avgcc.exeC:\Program Files\HP\HP Software Update\hpwuSchd2.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\WINDOWS\SYSTEM32\CTFMON.EXEC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Apoint\ApntEx.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\HP\Digital Imaging\bin\hpqste08.exeC:\WINDOWS\SYSTEM32\HPZinw12.exeC:\Documents and Settings\jean\Desktop\Spyware Tools\dss.exeC:\Program Files\Trend Micro\HijackThis\jean.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexploreR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/mywayR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\SYSTEM32\dla\tfswshx.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [ReminderApp] C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exeO4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exeO4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)O9 - Extra 'Tools' menuitem: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)O9 - Extra 'Tools' menuitem: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shock...director/sw.cabO16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...pandaonline.cabO16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc2.cabO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} () - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1123967771117O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} () - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cabO16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://www.msngamecentre.co.uk/online2/MSN...gamesplayer.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cabO16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.msngamecentre.co.uk/online2/MSN...outLauncher.cabO16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cabO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://msnuk.oberon-media.com/online2/MSN_...aploader_v6.cabO18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLLO18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLLO18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLLO20 - Winlogon Notify: avgwlntf - C:\WINDOWS\system32\avgwlntf.dllO20 - Winlogon Notify: Sebring - C:\WINDOWS\SYSTEM32\LgNotify.dllO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exeO23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgrssvc.exeO23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exeO23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe /srvfsysO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\SYSTEM32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\SYSTEM32\S24EvMon.exe-- File Associations -----------------------------------------------------------All associations okay.-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel® Wireless LAN Packet Driver>R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>S3 NAL (Nal Service ) - c:\windows\system32\drivers\iqvw32.sys <Not Verified; Intel Corporation; Intel® iQVW32.SYS>S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------R2 RegSrvc - c:\windows\system32\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module>-- Scheduled Tasks -------------------------------------------------------------2007-07-19 20:00:00 364 --a------ C:\WINDOWS\Tasks\HPpromotions journeysoftware.job-- Files created between 2007-06-19 and 2007-07-19 -----------------------------2007-07-19 22:11:30 0 d-------- C:\Program Files\Trend Micro2007-07-19 22:02:32 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip2007-07-18 19:21:11 4134 --a------ C:\WINDOWS\system32\tmp.reg2007-07-17 21:36:20 8576 --a------ C:\WINDOWS\system32\drivers\txipllxvqbvd.sys <Not Verified; Panda Software International; RKPavProc Driver>2007-07-17 21:02:04 8576 --a------ C:\WINDOWS\system32\drivers\onltgcqnqudj.sys <Not Verified; Panda Software International; RKPavProc Driver>2007-07-17 19:54:46 0 d-------- C:\WINDOWS\system32\ActiveScan2007-07-16 21:31:48 0 d-------- C:\Program Files\Java2007-07-16 21:31:46 0 d-------- C:\Program Files\Common Files\Java2007-07-16 20:42:36 0 d-------- C:\WINDOWS\ERUNT2007-07-16 20:34:54 0 d-------- C:\Documents and Settings\jean\Application Data\Grisoft2007-07-15 13:26:47 0 d-------- C:\Downloads2007-07-15 13:26:47 0 d-------- C:\Bases2007-07-15 13:21:03 0 d-------- C:\Kaspersky2007-07-14 12:28:58 0 d-------- C:\Program Files\RogueRemover2007-07-14 11:05:22 0 dr-h----- C:\$VAULT$.AVG2007-07-01 08:28:57 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.22007-06-30 17:12:54 0 d-------- C:\Documents and Settings\All Users\Application Data\HP2007-06-30 17:09:57 0 d-------- C:\Program Files\Common Files\Sonic Shared2007-06-30 17:09:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Sonic2007-06-30 17:08:59 0 d-------- C:\Program Files\Common Files\HP2007-06-30 17:06:54 0 d-------- C:\Program Files\Hewlett-Packard2007-06-30 17:05:39 0 d-------- C:\Program Files\Common Files\Hewlett-Packard2007-06-30 17:00:37 0 d-------- C:\Program Files\HP2007-06-30 16:59:32 5389 -----n--- C:\WINDOWS\hpomdl06.dat2007-06-30 16:59:32 89668 --a------ C:\WINDOWS\hpoins06.dat2007-06-30 16:59:23 0 d-------- C:\Documents and Settings\jean\Application Data\HP-- Find3M Report ---------------------------------------------------------------2007-07-19 08:00:05 0 d-------- C:\Documents and Settings\jean\Application Data\AVG72007-07-17 22:59:31 0 d-------- C:\Program Files\Digital Line Detect2007-07-17 22:57:03 0 d-------- C:\Program Files\Apoint2007-07-14 12:37:38 0 d--h----- C:\Program Files\InstallShield Installation Information2007-07-14 12:36:51 0 d-------- C:\Program Files\Newspaper Puzzle Challenge demo2007-07-14 12:35:57 0 d-------- C:\Program Files\Great Wall of Words demo2007-06-30 17:30:39 2814 --a------ C:\Documents and Settings\jean\Application Data\PatchUpdate_InstantShareJPG.log2007-06-30 17:30:22 3596 --a------ C:\Documents and Settings\jean\Application Data\PatchUpdate_IZClosingDiscError.log2007-06-30 17:27:01 35442 --a------ C:\Documents and Settings\jean\Application Data\Update_HP_RedboxHprblog_HPSU.log2007-06-30 17:22:06 2051 --a------ C:\Documents and Settings\jean\Application Data\HPSU_48BitScanUpdate.log2007-06-30 17:19:25 349 --a------ C:\Documents and Settings\jean\Application Data\HelpFilesUpdatePatch_PRINTHELPWRAPPER.log2007-06-30 17:19:22 0 --a------ C:\Documents and Settings\jean\Application Data\HelpFilesUpdatePatch_HELPFILEREPLACE.log2007-06-30 17:17:08 139264 --a------ C:\WINDOWS\system32\hpzjrd01.dll <Not Verified; Hewlett Packard; Hewlett Packard Rediscovery Library>-- Registry Dump ---------------------------------------------------------------[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\system32\dla\tfswshx.dll{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe""Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe""dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe""UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r""PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\"""DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\"""RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER""QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime""ReminderApp"="C:\\Program Files\\Nova Development\\Greeting Card Factory Deluxe\\ReminderApp.exe""ZCfgSvc.exe"="C:\\WINDOWS\\system32\\ZCfgSvc.exe""PRONoMgr.exe"="C:\\Program Files\\Intel\\NCS\\PROSet\\PRONoMgr.exe""BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent""igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe""igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe""igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe""EEventManager"="C:\\Program Files\\EPSON\\Creativity Suite\\Event Manager\\EEventManager.exe""AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP""HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe""gohgfhaaya"="c:\\windows\\system32\\gohgfhaaya.exe gohgfhaaya""!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized""SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]"DisableRegistryTools"=dword:00000000[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntfHKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SebringHKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages REG_MULTI_SZ msv1_0 Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest Notification Packages REG_MULTI_SZ scecliHKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware DriverHKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]HTTPFilter REG_MULTI_SZ HTTPFilterLocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRVNetworkService REG_MULTI_SZ DnsCacheDcomLaunch REG_MULTI_SZ DcomLaunchTermServicerpcss REG_MULTI_SZ RpcSsimgsvc REG_MULTI_SZ StiSvctermsvcs REG_MULTI_SZ TermServicebthsvcs REG_MULTI_SZ BthServ-- End of Deckard's System Scanner: finished at 2007-07-19 at 22:15:13 ---------StartupList report, 19/07/2007, 22:21:44StartupList version: 1.52.2Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXEDetected: Windows XP SP2 (WinNT 5.01.2600)Detected: Internet Explorer v7.00 (7.00.6000.16473)* Using default options==================================================Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\1XConfig.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\PROGRA~1\Grisoft\AVG7\avgamsvr.exeC:\PROGRA~1\Grisoft\AVG7\avgupsvc.exeC:\PROGRA~1\Grisoft\AVG7\avgrssvc.exeC:\PROGRA~1\Grisoft\AVG7\avgemc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\HPZipm12.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Real\RealPlayer\RealPlay.exeC:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\hkcmd.exeC:\WINDOWS\system32\igfxpers.exeC:\WINDOWS\system32\igfxsrvc.exeC:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeC:\PROGRA~1\Grisoft\AVG7\avgcc.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Digital Line Detect\DLG.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\WINDOWS\system32\HPZinw12.exeC:\PROGRA~1\TRENDM~1\HIJACK~1\jean.exeC:\WINDOWS\notepad.exeC:\WINDOWS\notepad.exeC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exe--------------------------------------------------Listing of startup folders:Shell folders Common Startup:[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeDigital Line Detect.lnk = ?HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeHP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe--------------------------------------------------Checking Windows NT UserInit:[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]UserInit = C:\WINDOWS\system32\userinit.exe,--------------------------------------------------Autorun entries from Registry:HKLM\Software\Microsoft\Windows\CurrentVersion\RunApoint = C:\Program Files\Apoint\Apoint.exeDell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exedla = C:\WINDOWS\system32\dla\tfswctrl.exeUpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rPCMService = "C:\Program Files\Dell\Media Experience\PCMService.exe"DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYERQuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottimeReminderApp = C:\Program Files\Nova Development\Greeting Card Factory Deluxe\ReminderApp.exeZCfgSvc.exe = C:\WINDOWS\system32\ZCfgSvc.exePRONoMgr.exe = C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeBluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentigfxtray = C:\WINDOWS\system32\igfxtray.exeigfxhkcmd = C:\WINDOWS\system32\hkcmd.exeigfxpers = C:\WINDOWS\system32\igfxpers.exeEEventManager = C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exeAVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUPHP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedSunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"--------------------------------------------------Autorun entries from Registry:HKCU\Software\Microsoft\Windows\CurrentVersion\Runctfmon.exe = C:\WINDOWS\system32\ctfmon.exe--------------------------------------------------Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:Shell=*INI section not found*SCRNSAVE.EXE=*INI section not found*drivers=*INI section not found*Shell & screensaver key from Registry:Shell=Explorer.exeSCRNSAVE.EXE=C:\WINDOWS\system32\SSMYPICS.SCRdrivers=*Registry value not found*Policies Shell key:HKCU\..\Policies: Shell=*Registry value not found*HKLM\..\Policies: Shell=*Registry value not found*--------------------------------------------------Enumerating Browser Helper Objects:(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(no name) - C:\WINDOWS\system32\dla\tfswshx.dll - {5CA3D70E-1895-11CF-8E15-001234567890}(no name) - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}--------------------------------------------------Enumerating Task Scheduler jobs:HPpromotions journeysoftware.job--------------------------------------------------Enumerating Download Program Files:[shockwave ActiveX Control]InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dllCODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab[Windows Genuine Advantage Validation Tool]InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dllCODEBASE = http://go.microsoft.com/fwlink/?linkid=39204[shockwave ActiveX Control]InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dllCODEBASE = http://fpdownload.macromedia.com/pub/shock...director/sw.cab[TGOnlineCtrl Class]InProcServer32 = C:\WINDOWS\Downloaded Program Files\pandaonline.dllCODEBASE = http://www.msngamecentre.co.uk/online2/MSN...pandaonline.cab[Office Update Installation Engine]InProcServer32 = C:\WINDOWS\opuc.dllCODEBASE = http://office.microsoft.com/officeupdate/content/opuc2.cab[{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}]CODEBASE = http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab[MUWebControl Class]InProcServer32 = C:\WINDOWS\system32\muweb.dllCODEBASE = http://update.microsoft.com/microsoftupdat...b?1123967771117[ActiveScan Installer Class]InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dllCODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab[{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}]CODEBASE = http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab[Zylom Games Player]InProcServer32 = C:\WINDOWS\Downloaded Program Files\zylomgamesplayer.dllCODEBASE = http://www.msngamecentre.co.uk/online2/MSN...gamesplayer.cab[shockwave Flash Object]InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocxCODEBASE = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab[sproutLauncherCtrl Class]InProcServer32 = C:\WINDOWS\Downloaded Program Files\SproutWebLauncher.dllCODEBASE = http://www.msngamecentre.co.uk/online2/MSN...outLauncher.cab[TikGames Online Control]InProcServer32 = C:\WINDOWS\Downloaded Program Files\gpcontrol.dllCODEBASE = http://www.msngamecentre.co.uk/online2/MSN...shapo/shapo.cab[PopCapLoader Object]InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dllCODEBASE = http://msnuk.oberon-media.com/online2/MSN_...aploader_v6.cab--------------------------------------------------Enumerating Winsock LSP files:NameSpace #4: C:\WINDOWS\system32\wshbth.dllProtocol #1: C:\WINDOWS\system32\avgfwafu.dllProtocol #2: C:\WINDOWS\system32\avgfwafu.dllProtocol #3: C:\WINDOWS\system32\avgfwafu.dllProtocol #4: C:\WINDOWS\system32\avgfwafu.dllProtocol #5: C:\WINDOWS\system32\avgfwafu.dll--------------------------------------------------Enumerating ShellServiceObjectDelayLoad items:PostBootReminder: C:\WINDOWS\system32\SHELL32.dllCDBurn: C:\WINDOWS\system32\SHELL32.dllWebCheck: C:\WINDOWS\system32\webcheck.dllSysTray: C:\WINDOWS\system32\stobject.dll--------------------------------------------------End of report, 9,769 bytesReport generated in 0.050 seconds Link to post Share on other sites More sharing options...
JeanInMontana Posted July 19, 2007 ID:6483 Share Posted July 19, 2007 OK how can you upload it if it's not there? That doesn't make sense you have to go to the file to upload it to VT. I don't know what you mean by extra log, please post all logs generated. Link to post Share on other sites More sharing options...
bushy Posted July 20, 2007 Author ID:6505 Share Posted July 20, 2007 JeanI don't know how or why but the file is definitely not visible to windows explorer and dir/a gohgfhaaya.exe from c:\windows\system32> returns file not found.I've attached the file created by dir/a>dir.txtWhen I uploaded the file I pasted the full path into the upload file box on the VT site.I have also selected it for upload using a webmail interface by pasting the full path into the dialogue successfully, but didn't want to send an e-mail with a bare infected file.I tried pasting the path into the add file dialogue in Winzip but it couldn't find the file.DSS extra log below:Deckard's System Scanner v20070711.54Extra logfile - please post this as an attachment with your post.---------------------------------------------------------------------------------- System Information ----------------------------------------------------------Microsoft Windows XP Home Edition (build 2600) SP 2.0Architecture: X86; Language: EnglishCPU 0: Intel® Pentium® M processor 1.60GHzPercentage of Memory in Use: 65%Physical Memory (total/avail): 510.21 MiB / 176.89 MiBPagefile Memory (total/avail): 1247.55 MiB / 767.64 MiBVirtual Memory (total/avail): 2047.88 MiB / 1930.06 MiBC: is Fixed (NTFS) - 33.69 GiB total, 18.52 GiB free. D: is CDROM (No Media)E: is Removable (FAT)Z: is Network (No Media)-- Security Center -------------------------------------------------------------AUOptions is scheduled to auto-install.Windows Internal Firewall is disabled.FirstRunDisabled is set.FW: AVG Firewall 7.5.475 v7.5.475 (GRISOFT)AV: AVG 7.5.476 v7.5.476 (GRISOFT)[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\WINDOWS\\SYSTEM32\\MMC.EXE"="C:\\WINDOWS\\SYSTEM32\\MMC.EXE:*:Enabled:Microsoft Management Console""C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000""C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe""C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe""C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe""C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer""D:\\setup\\HPZNET01.EXE"="D:\\setup\\HPZNET01.EXE:*:Enabled:hpznet01.exe""D:\\setup\\HPONICIFS01.EXE"="D:\\setup\\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe""C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe""C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe""C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe""C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"-- Environment Variables -------------------------------------------------------ALLUSERSPROFILE=C:\Documents and Settings\All UsersAPPDATA=C:\Documents and Settings\jean\Application DataCLIENTNAME=ConsoleCommonProgramFiles=C:\Program Files\Common FilesCOMPUTERNAME=DF8D2D1JComSpec=C:\WINDOWS\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Documents and Settings\jeanLOGONSERVER=\\DF8D2D1JNUMBER_OF_PROCESSORS=1OS=Windows_NTPath=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\WbemPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSHPROCESSOR_ARCHITECTURE=x86PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=0d06ProgramFiles=C:\Program FilesPROMPT=$P$GSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WINDOWSTEMP=C:\DOCUME~1\jean\LOCALS~1\TempTMP=C:\DOCUME~1\jean\LOCALS~1\TempUSERDOMAIN=DF8D2D1JUSERNAME=jeanUSERPROFILE=C:\Documents and Settings\jeanwindir=C:\WINDOWS-- User Profiles ---------------------------------------------------------------jean (admin)Administrator (admin)-- Add/Remove Programs --------------------------------------------------------- --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6} --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19} --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.infAdobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDeleteAdobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}Adobe Shockwave Player --> C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\SYSTEM32\Macromed\SHOCKW~1\Install.logALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVEArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D433ABC3-0CD8-4BB0-B6A9-84501B4B47B7}\SETUP.EXE" -l0x9 AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALLAVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exeCarol Vorderman's Sudoku --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4A52D12F-6065-40E3-B3B5-90FB4AC61A87}\setup.exe" -l0x9 Conexant D480 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.infCroner's Interactive Safety Trainer 2.0 --> "C:\WINDOWS\UNISTB32.EXE" /U "C:\Program Files\Croner Training\Safety Trainer\UNINST0.000" "C:\Program Files\Croner Training\Safety Trainer\UNINST1.000"Dell Driver Reset Tool --> MsiExec.exe /I{5905F42D-3F5F-4916-ADA6-94A3646AEE76}Dell Media Experience --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstallDigital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyTextDiMAGE Viewer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{976EA7B1-7562-483D-88DA-4323D263B7CD}\Setup.exe" -l0x9 anythingEPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLGEPSON Copy Utility 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstallEPSON Event Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -uEPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINSTEPSON Image Clip Palette --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{314F6D08-A8B7-11D8-8446-0050BA1D384D}\Setup.exe" -l0x9 -uEPSON Scan --> C:\Program Files\epson\escndv\setup\setup.exe /rEPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -uFamily Historian 2.3 --> "C:\Program Files\Family Historian\unins000.exe"Greeting Card Factory Deluxe --> MsiExec.exe /X{49CC328B-AEB4-4B57-8E7E-4B437AC40B3B}HijackThis 2.0.0 --> "C:\Install\HijackThis.exe" /uninstallHP Document Viewer 5.3 --> C:\Program Files\HP\Digital Imaging\DocumentViewer\hpzscr01.exe -datfile hpqbud04.datHP Image Zone 5.3 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.datHP Imaging Device Functions 5.3 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.datHP PSC & OfficeJet 5.3.A --> "C:\Program Files\HP\Digital Imaging\{3E386744-10FA-44b2-98C9-DF7A270DECB3}\setup\hpzscr01.exe" -datfile hposcr06.datHP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}HP Solution Center & Imaging Support Tools 5.3 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.datHP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582Intel® PRO Network Adapters and Drivers --> Prounstl.exeIntel® PROSet --> MsiExec.exe /I{b697396d-4bff-430d-9578-8aa5a549777a}Internet Explorer Default Page --> MsiExec.exe /I{35BDEFF1-A610-4956-A00D-15453C116395}Jasc Paint Shop Photo Album --> MsiExec.exe /I{CC000127-5E5D-4A1C-90CB-EEAAAC1E3AC0}Jasc Paint Shop Pro 8 Dell Edition --> MsiExec.exe /I{81A34902-9D0B-4920-A25C-4CDC5D14B328}Java 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}Jigsaw Mania --> C:\WINDOWS\unvise32.exe C:\Program Files\Inertia Software\Jigsaw Mania\uninstal.logLearn2 Player (Uninstall Only) --> C:\Program Files\Learn2.com\StRunner\stuninst.exeMicrosoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}Microsoft Works 7.0 --> MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelNetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyTextPanda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScanPerf3490P_3590P User's Guide --> C:\Program Files\EPSON\TPMANUAL\Perf3490P_3590P\USE_G\DOCUNINS.EXEPowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstallQuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALLQuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.logRealPlayer Basic --> C:\Program Files\Common Files\Real\Update\\rnuninst.exe RealNetworks|RealPlayer|6.0RogueRemover 1.20 --> C:\Program Files\RogueRemover\uninst.exeSecurity Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}SYBEX Power Kakuro --> "C:\Program Files\SYBEX\SYBEX Power Kakuro\unins000.exe"Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /uWinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}-- End of Deckard's System Scanner: finished at 2007-07-19 at 22:15:13 ---------dir.txtdir.txt Link to post Share on other sites More sharing options...
JeanInMontana Posted July 20, 2007 ID:6506 Share Posted July 20, 2007 I'm at a loss. I'm not giving up....just need to get some second opinions. There is a new version of your infection, that is why none of the fixes are working yet. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 21, 2007 ID:6512 Share Posted July 21, 2007 This program updated today and is including navipromo let's give it a try http://www.lavasoftusa.com/products/ad_aware_free.php Run a full system scan and remove anything it finds. Let me know how it goes. I've been searching all over for a fix. We will get this Jean, heh two Jeans can't be beat. Link to post Share on other sites More sharing options...
bushy Posted July 22, 2007 Author ID:6531 Share Posted July 22, 2007 Hi JeanI have installed Ad-aware but it keeps crashing. I've posted a help request on the Ad-aware forum. I will let you know if I get a response. Should have thought of it before, but I have stopped the repeated windows for the AV Systemcare ads by blocking the AV Systemcare site using the firewall on our router - we still get the first popup, it now gives the firewall blocked site message. I've blocked all of the sites which the popups link to which should prevent anybody unintentionally clicking on a link.Jean's other half This program updated today and is including navipromo let's give it a try http://www.lavasoftusa.com/products/ad_aware_free.php Run a full system scan and remove anything it finds. Let me know how it goes. I've been searching all over for a fix. We will get this Jean, heh two Jeans can't be beat. Link to post Share on other sites More sharing options...
JeanInMontana Posted July 22, 2007 ID:6532 Share Posted July 22, 2007 I'm willing to bet Ad-Aware is crashing because of the malware or the malware is crashing it. The miscreants behind this infection have obviously gotten much more determined.I can't remember if we tried this, so forgive me if you did but boot into safe mode and try to find the following files.gohgfhaaya.datgohgfhaaya.exegohgfhaaya_nav.datgohgfhaaya_navps.datIf you want to try and zip them and send to me fine, otherwise (and I don't blame you) just delete them and run CCleaner immediately. http://www.ccleaner.com/ So get the program install, update ect and be ready. If the safe mode delete won't work or we already tried it, I woke up with this idea. (This is driving me nutty ) Get this program Author: Option^Explicit Download Location License: Freeware KillBox Download Link Operating System: Windows File Description:Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.Usage Information:Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. You will need to run it for every instance of the files listed above.Sorry I didn't get to this sooner. Good luck and let me know. Link to post Share on other sites More sharing options...
bushy Posted July 22, 2007 Author ID:6536 Share Posted July 22, 2007 JeanA success to some extentFour files gohgfhaaya*.* showed up in safe mode and deleted with no problem.I have sent them in a zip file.We'll see whether that cures the popupsI'll post again to confirm.Jean's other half I'm willing to bet Ad-Aware is crashing because of the malware or the malware is crashing it. The miscreants behind this infection have obviously gotten much more determined.I can't remember if we tried this, so forgive me if you did but boot into safe mode and try to find the following files.gohgfhaaya.datgohgfhaaya.exegohgfhaaya_nav.datgohgfhaaya_navps.datIf you want to try and zip them and send to me fine, otherwise (and I don't blame you) just delete them and run CCleaner immediately. http://www.ccleaner.com/ So get the program install, update ect and be ready. If the safe mode delete won't work or we already tried it, I woke up with this idea. (This is driving me nutty ) Get this program Author: Option^Explicit Download Location License: Freeware KillBox Download Link Operating System: Windows File Description:Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.Usage Information:Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. You will need to run it for every instance of the files listed above.Sorry I didn't get to this sooner. Good luck and let me know. Link to post Share on other sites More sharing options...
Recommended Posts