|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
Btiein (Grrrrrrr ...)
Hello. I've found myself infected with several things, including Swizzor. I've downloaded and run Ewido, Spybot and Ad-Aware and they've each cleaned different things off. Except Btiein. I've tried run BitDefender's online scan, but it hangs. I downloaded and ran HijackThis and here's the log:
Logfile of HijackThis v1.99.1 Scan saved at 4:07:52 PM, on 9/11/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\My Downloads\Anti-malware\Ewido\guard.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Windows NT\Accessories\wordpad.exe C:\My Downloads\Anti-malware\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f812.mail.yahoo.com/ym/log...=d7rpn6gaur4u9 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {498AE566-E41E-8A4F-442E-F0BA60F44651} - blank (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\My Downloads\Anti-malware\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [MS Security Hotfix] spoolsrv32.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [!ewido] "C:\My Downloads\Anti-malware\Ewido\ewido.exe" /minimized O4 - HKLM\..\RunServices: [MS Security Hotfix] spoolsrv32.exe O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\My Downloads\Anti-malware\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe O4 - Global Startup: SmartUI.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.familysearch.org O15 - Trusted Zone: *.familysearch.org O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://jobs.spb.ca.gov/Codebase/FormCtl.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://jobs.spb.ca.gov/codebase/fontinstaller.cab O20 - Winlogon Notify: GuardianPJCST - ðì/ (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_state.exe (file missing) O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\My Downloads\Anti-malware\Ewido\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Would someone please advise me? |
#2
|
||||
|
||||
Howdy Jfobian,
Welcome to CTH. You've got some serious infection showing there yet, including an unknown logon that we'll just have to get to know better here. Please do the following. Download and click to run FxGaobot.exe. Then once that has completed download and click to run FxWebsch.exe. These tools are a bit dated but may bring some immediate repairs here. Then reboot, and Download combofix.exe. Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix. When the scan completes it will open a text window. Please save this log in case needed later. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporaily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Then open and update Ewido (but don't scan just yet). ================================================== ===== Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Make sure all windows are closed and run Ewido. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again. Reboot after and run a new ComboFix scan again. Save this log to post back here. Then go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here, along with the Ewdio log, combofix.txt log and a new HijackThis scan please. You can use separate posts here if needed. |
#3
|
|||
|
|||
Hi, Tom. Sorry it took me so long to respond. Here's the Combofix log:
Joann Fobian - 06-09-18 0:05:27.59 Service Pack 2 ComboFix 06.09.14 - Running from: C:\Documents and Settings\Joann Fobian\Desktop ((((((((((((((((((((((((((((((( Files Created from 2006-08-18 to 2006-09-18 )))))))))))))))))))))))))))))))))) 2006-09-17 19:50 294,912 C:\WINDOWSWalgreens PhotoShow.scr 2006-09-05 08:57 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2006-09-17 23:58 -------- d-------- C:\Program Files\Mozilla Firefox 2006-09-17 19:50 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Walgreens 2006-09-17 19:50 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Simple Star 2006-09-17 19:47 -------- d-------- C:\Program Files\Walgreens 2006-09-12 00:42 -------- d-------- C:\Program Files\Mahjong Escape 2006-09-11 23:15 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Macromedia 2006-09-11 20:38 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Mozilla 2006-09-11 17:59 -------- d-------- C:\Program Files\Opera 2006-09-11 12:39 -------- d-------- C:\Program Files\Free Offers from Freeze.com 2006-09-11 11:00 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Lavasoft 2006-09-07 20:44 -------- d-------- C:\Program Files\Yahoo! 2006-09-07 19:17 -------- d-a------ C:\Program Files\Common Files 2006-09-07 19:17 -------- d-------- C:\Program Files\Network Associates 2006-09-07 19:17 -------- d-------- C:\Program Files\Common Files\Network Associates 2006-09-07 19:17 -------- d-------- C:\Program Files\Common Files\Cisco Systems 2006-09-07 09:22 -------- d-------- C:\Program Files\HoldemPoker 2006-09-06 18:00 -------- d-------- C:\Program Files\Trend Micro 2006-09-05 10:33 -------- d-------- C:\Program Files\Zone Labs 2006-09-05 10:27 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys 2006-09-05 10:26 74864 --a------ C:\WINDOWS\system32\VetRedir.dll 2006-09-05 10:26 590190 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys 2006-09-05 10:26 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys 2006-09-05 10:26 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys 2006-09-05 10:26 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys 2006-09-05 10:26 111728 --a------ C:\WINDOWS\AVShlExt.dll 2006-09-05 10:26 102398 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys 2006-09-05 10:19 -------- d-------- C:\Program Files\Common Files\Scanner 2006-09-04 22:34 -------- d-------- C:\Program Files\Java 2006-09-04 22:33 -------- d-------- C:\Program Files\Common Files\Java 2006-09-04 22:14 -------- d-------- C:\Program Files\Internet Explorer 2006-09-04 21:54 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Weather Studio 2006-08-25 17:11 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-08-25 17:11 -------- d-------- C:\Program Files\QuickTime 2006-08-25 17:10 -------- d-------- C:\Program Files\Common Files\InstallShield 2006-08-12 15:18 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Real 2006-08-12 15:17 -------- d-------- C:\Program Files\Common Files\xing shared 2006-08-12 15:17 -------- d-------- C:\Program Files\Common Files\Real 2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-07-24 15:45 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\WeatherStudio Desktop 2006-07-24 15:04 27896 --a------ C:\Documents and Settings\Joann Fobian\Application Data\GDIPFONTCACHEV1.DAT 2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll 2006-07-11 19:58 1726 --a------ C:\Documents and Settings\Joann Fobian\Application Data\AdobeDLM.log 2006-07-11 19:58 0 --a------ C:\Documents and Settings\Joann Fobian\Application Data\dm.ini (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "MS Security Hotfix"="spoolsrv32.exe" "Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\Mo tiveSB.exe" "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe" "PaperPort PTD"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe" "IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l" "IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\"" "IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\"" "ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE" "McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey" "Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\"" "!ewido"="\"C:\\My Downloads\\Anti-malware\\Ewido\\ewido.exe\" /minimized" "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices] "MS Security Hotfix"="spoolsrv32.exe" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00 ,34,03,00,00,e4,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff ,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23 ,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk" "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader \\READER~1.EXE " "item"="Adobe Reader Speed Launch" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk] "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk" "backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup" "location"="Common Startup" "command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.E XE -b -l" "item"="Microsoft Office" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="apdproxy" "hkey"="HKLM" "command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CaAvTray] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="CAVTray" "hkey"="HKLM" "command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\cakebowsdoescorn] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="Teambird" "hkey"="HKLM" "command"="C:\\Documents and Settings\\All Users\\Application Data\\Log Else Cake Bows\\Teambird.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAVRID] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="CAVRID" "hkey"="HKLM" "command"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\"" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\eanth_system_patcher] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="sys_alert" "hkey"="HKLM" "command"="C:\\PROGRA~1\\ACCELE~1\\SYSTEM~1\\sys_a lert.exe /Startup" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Frag deaf debug 01] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="ItchOnline" "hkey"="HKLM" "command"="C:\\Documents and Settings\\All Users\\Application Data\\Bolt bore frag deaf\\ItchOnline.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IndexSearch] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="IndexSearch" "hkey"="HKLM" "command"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Load] "key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" "item"="??? ?" "hkey"="HKCU" "command"="??? ?" "inimapping"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\New.net Startup] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="NEWDOT~2" "hkey"="HKLM" "command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStar tup -s" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="qttask" "hkey"="HKLM" "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RegistryMechanic] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="RegMech" "hkey"="HKLM" "command"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run] "key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" "item"="??? ?" "hkey"="HKCU" "command"="??? ?" "inimapping"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="realsched" "hkey"="HKLM" "command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\USRpdA] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="3cpipe-USRpdA" "hkey"="HKLM" "command"="C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\YBrowser] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="ybrwicon" "hkey"="HKLM" "command"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe" "inimapping"="0" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\YOP] "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersio n\\Run" "item"="yop" "hkey"="HKLM" "command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart" "inimapping"="0" HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GuardianPJCST HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\securityproviders securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll Contents of the 'Scheduled Tasks' folder C:\WINDOWS\tasks\A33402BC9187B9EC.job C:\WINDOWS\tasks\A414DF6991875965.job C:\WINDOWS\tasks\Scheduled Checkpoint.job Completion time: Mon 09/18/2006 0:08:04.84 ComboFix.txt ComboFix2.txt ComboFix3.txt |
#4
|
|||
|
|||
Here's the Silent Runners script:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found] "updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7" ["Adobe Systems Incorporated"] "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "MS Security Hotfix" = "spoolsrv32.exe" [file not found] "Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."] "BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."] "PaperPort PTD" = "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."] "IPInSightLAN 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"] "IPInSightMonitor 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"] "IPInSightMonitor 01" = ""C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"" ["Visual Networks"] "ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."] "McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."] "Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."] "!ewido" = ""C:\My Downloads\Anti-malware\Ewido\ewido.exe" /minimized" ["Anti-Malware Development a.s."] "Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {498AE566-E41E-8A4F-442E-F0BA60F44651}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "blank" [file not found] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ "AppInit_DLLs" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! GuardianPJCST\DLLName = "ðì/" [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\context.dll" ["Anti-Malware Development a.s."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\context.dll" ["Anti-Malware Development a.s."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Joann Fobian\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Startup items in "Joann Fobian" & "All Users" startup folders: -------------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."] "SmartUI" -> shortcut to: "C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe" ["Scansoft, Inc."] Enabled Scheduled Tasks: ------------------------ "A33402BC9187B9EC" -> launches: "c:\progra~1\idlese~1\Blah city default.exe" [file not found] "A414DF6991875965" -> launches: "c:\progra~1\idlese~1\Blah city default.exe" [file not found] "Scheduled Checkpoint" -> launches: "C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -SNAP" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 23 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2499216C-4BA5-11D5-BD9C-000103C116D5}\ "ButtonText" = "Yahoo! Login" "MenuText" = "Yahoo! Login" "CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."] {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ "ButtonText" = "Messenger" "MenuText" = "Yahoo! Messenger" "CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\My Downloads\Anti-malware\Ewido\guard.exe" ["Anti-Malware Development a.s."] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."] Network Associates McShield, McShield, ""C:\Program Files\Network Associates\VirusScan\Mcshield.exe"" ["Network Associates, Inc."] Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."] TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ Brother MFL Port\Driver = "brmfpmon.dll" ["Brother Industries,Ltd."] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box. ---------- (total run time: 30 seconds, including 7 seconds for message boxes) |
#5
|
|||
|
|||
Here's the Ewido log:
--------------------------------------------------------- ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 11:50:32 PM 9/17/2006 + Scan result: :mozilla.45:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.46:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.47:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.48:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.49:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.50:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Adrevolver : No action taken. :mozilla.25:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Casalemedia : No action taken. :mozilla.26:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Casalemedia : No action taken. :mozilla.27:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Casalemedia : No action taken. :mozilla.28:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Casalemedia : No action taken. :mozilla.29:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Casalemedia : No action taken. :mozilla.30:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Com : No action taken. :mozilla.20:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Euroclick : No action taken. :mozilla.21:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Euroclick : No action taken. :mozilla.22:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Euroclick : No action taken. :mozilla.23:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Euroclick : No action taken. :mozilla.24:C:\Documents and Settings\Joann Fobian\Application Data\Mozilla\Firefox\Profiles\6pxzhn97.default\coo kies.txt -> TrackingCookie.Euroclick : No action taken. ::Report end |
#6
|
|||
|
|||
And, last but certainly not least, here's the log of HijackThis:
Logfile of HijackThis v1.99.1 Scan saved at 12:30:43 AM, on 9/18/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\My Downloads\Anti-malware\Ewido\guard.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Network Associates\VirusScan\Mcshield.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\WINDOWS\system32\taskmgr.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\My Downloads\Anti-malware\Ewido\ewido.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\My Downloads\Anti-malware\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f812.mail.yahoo.com/ym/log...=d7rpn6gaur4u9 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {498AE566-E41E-8A4F-442E-F0BA60F44651} - blank (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [MS Security Hotfix] spoolsrv32.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [!ewido] "C:\My Downloads\Anti-malware\Ewido\ewido.exe" /minimized O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\RunServices: [MS Security Hotfix] spoolsrv32.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe O4 - Global Startup: SmartUI.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.familysearch.org O15 - Trusted Zone: *.familysearch.org O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://jobs.spb.ca.gov/Codebase/FormCtl.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://jobs.spb.ca.gov/codebase/fontinstaller.cab O20 - Winlogon Notify: GuardianPJCST - ðì/ (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_state.exe (file missing) O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\My Downloads\Anti-malware\Ewido\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing) O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe |
#7
|
||||
|
||||
Darn - you've got some tough infection, but all disabled from startup, so not loading/not being cleaned or repaired. Assuming you did this through msconfig, please do the following:
Please download SDFix from here and save it to your desktop. Go to Start - Run, type msconfig (and Enter). Under the Startup tab, check/enable all items on the list. then Apply/OK and allow the reboot. You may receive errors on reboot ad items now with active files missing attempt to run. After the reboot, please boot into Safe Mode (tap F8 at startup and select Safe Mode - see here for more help if you need it). Rightclick on the SDFix.zip folder and choose Extract All. Open the extracted folder and doubleclick on RunThis.bat to start the script. Type Y to begin the script. It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. When you hit any key, your computer will reboot. Your system will take longer that normal to restart as the fixtool will be running and removing files. When your desktop loads, the utility will complete the removal and display Finished. Press any key again to end the script and load your desktop icons. Finally open the SDFix folder on your desktop and copy and paste the contents of Report.txt back in this thread with a new HijackThis log and a new Silent Runners log please. Also run a new ComboFix and post that back here. |
#8
|
|||
|
|||
Actually, Tom, this isn't my computer. It belongs to my best friend and her having a computer with access to the Internet was like a little kid being dropped off in the Bois du Bologne or Central Park at night. She wasn't taught the most basic things about security. Anyway, here's the log from SDFix, though it doesn't seem all that informative:
SDFix: Version 1.24 ------------------- Tue 09/19/2006 01:16 AM Microsoft Windows XP [Version 5.1.2600] Running from: C:\Documents and Settings\Joann Fobian\Desktop\SDFix\SDFix Stage One... Checking Services... Name: ----- Path: ---- Repairing Registry... Restoring Default Hosts File... Stage One Complete Rebooting! Stage Two... Registry Cleaning Finished... Checking For Malware Files: -------------------------- Backing Up and Removing any Files Found... Final Check: Remaining Services: ------------------ Remaining Files: -------------- *If Malware was detected, the files are stored in the SDFix\Backup Folder ! *FINISHED* |
#9
|
|||
|
|||
Here's the HijackThis log:
Logfile of HijackThis v1.99.1 Scan saved at 2:03:00 AM, on 9/19/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\My Downloads\Anti-malware\Ewido\guard.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe C:\Program Files\Network Associates\Common Framework\FrameworkService.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\BRMFRSMG.EXE C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\Program Files\Scansoft\PaperPort\pptd40nt.exe C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Yahoo!\YOP\yop.exe C:\Program Files\Yahoo!\browser\ybrwicon.exe C:\WINDOWS\SYSTEM32\USRmlnkA.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe C:\PROGRA~1\Yahoo!\browser\ycommon.exe C:\WINDOWS\SYSTEM32\USRshutA.exe C:\WINDOWS\SYSTEM32\USRmlnkA.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\My Downloads\Anti-malware\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f812.mail.yahoo.com/ym/log...=d7rpn6gaur4u9 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) F3 - REG:win.ini: load=??? ? O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {498AE566-E41E-8A4F-442E-F0BA60F44651} - blank (file missing) O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [MS Security Hotfix] spoolsrv32.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe" O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [Frag deaf debug 01] C:\Documents and Settings\All Users\Application Data\Bolt bore frag deaf\ItchOnline.exe O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [cakebowsdoescorn] C:\Documents and Settings\All Users\Application Data\Log Else Cake Bows\Teambird.exe O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\RunServices: [MS Security Hotfix] spoolsrv32.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe O4 - Global Startup: SmartUI.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.familysearch.org O15 - Trusted Zone: *.familysearch.org O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - http://jobs.spb.ca.gov/Codebase/FormCtl.cab O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab? O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (FormFlow Soft Font Installer) - http://jobs.spb.ca.gov/codebase/fontinstaller.cab O20 - Winlogon Notify: GuardianPJCST - ðì/ (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspne t_state.exe (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: CAISafe - Unknown owner - C:\Program Files\Yahoo!\Antivirus\ISafe.exe (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\My Downloads\Anti-malware\Ewido\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe (file missing) |
#10
|
|||
|
|||
Here's the Silent Runners log:
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found] "updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7" ["Adobe Systems Incorporated"] "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \ {++} "MS Security Hotfix" = "spoolsrv32.exe" [file not found] "Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."] "BJCFD" = "C:\Program Files\BroadJump\Client Foundation\CFD.exe" ["BroadJump, Inc."] "PaperPort PTD" = "C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."] "IPInSightLAN 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l" ["Visual Networks"] "IPInSightMonitor 02" = ""C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"" ["Visual Networks"] "IPInSightMonitor 01" = ""C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"" ["Visual Networks"] "ShStatEXE" = ""C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."] "McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey" ["Network Associates, Inc."] "Network Associates Error Reporting Service" = ""C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"" ["Network Associates, Inc."] "avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data] "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."] "YOP" = "C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart" ["Yahoo! Inc."] "YBrowser" = "C:\Program Files\Yahoo!\browser\ybrwicon.exe" ["Yahoo!, Inc."] "USRpdA" = "C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" ["U.S. Robotics Corporation"] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "RegistryMechanic" = "C:\Program Files\Registry Mechanic\RegMech.exe /QS" [file not found] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "New.net Startup" = "rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s" [MS] "IndexSearch" = "C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [null data] "Frag deaf debug 01" = "C:\Documents and Settings\All Users\Application Data\Bolt bore frag deaf\ItchOnline.exe" [file not found] "eanth_system_patcher" = "C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup" [file not found] "CAVRID" = ""C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"" [file not found] "cakebowsdoescorn" = "C:\Documents and Settings\All Users\Application Data\Log Else Cake Bows\Teambird.exe" [file not found] "CaAvTray" = ""C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"" [file not found] "Adobe Photo Downloader" = ""C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {498AE566-E41E-8A4F-442E-F0BA60F44651}\(Default) = (no title provided) -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "blank" [file not found] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\She ll Extensions\Approved\ "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices" -> {HKLM...CLSID} = "Portable Media Devices" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS] "{1CE2AA40-1317-11D3-9922-00104B0AD431}" = "CA_AntiVirus" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band" -> {HKLM...CLSID} = "Shell Search Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension" -> {HKLM...CLSID} = "AVG7 Find Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellExecuteHooks\ INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ "load" = (value not set) HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ "AppInit_DLLs" = (value not set) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! GuardianPJCST\DLLName = "ðì/" [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandler s\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes\*\shellex\ContextMenuHandler s\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\context.dll" ["Anti-Malware Development a.s."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}" -> {HKLM...CLSID} = "YMailShellExt Class" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."] HKLM\Software\Classes\Directory\shellex\ContextMen uHandlers\ ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "C:\My Downloads\Anti-malware\Ewido\context.dll" ["Anti-Malware Development a.s."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] HKLM\Software\Classes\Folder\shellex\ContextMenuHa ndlers\ avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" -> {HKLM...CLSID} = "AVG7 Shell Extension Class" \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."] CA_AntiVirus\(Default) = "{1CE2AA40-1317-11D3-9922-00104B0AD431}" -> {HKLM...CLSID} = "CA_AntiVirus" \InProcServer32\(Default) = "C:\WINDOWS\avshlext.dll" ["Computer Associates International, Inc."] VirusScan\(Default) = "{cda2863e-2497-4c49-9b89-06840e070a87}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Network Associates\VirusScan\shext.dll" ["Network Associates, Inc."] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Documents and Settings\Joann Fobian\Local Settings\Application Data\Microsoft\Wallpaper1.bmp" Startup items in "Joann Fobian" & "All Users" startup folders: -------------------------------------------------------------- C:\Documents and Settings\All Users\Start Menu\Programs\Startup "Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS] "SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."] "SmartUI" -> shortcut to: "C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe" ["Scansoft, Inc."] Enabled Scheduled Tasks: ------------------------ "A33402BC9187B9EC" -> launches: "c:\progra~1\idlese~1\Blah city default.exe" [file not found] "A414DF6991875965" -> launches: "c:\progra~1\idlese~1\Blah city default.exe" [file not found] "Scheduled Checkpoint" -> launches: "C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -SNAP" [file not found] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Pa rameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\VetRedir.dll ["Computer Associates International, Inc."], 01 - 03, 23 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided) -> {HKLM...CLSID} = "&Yahoo! Messenger" \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2499216C-4BA5-11D5-BD9C-000103C116D5}\ "ButtonText" = "Yahoo! Login" "MenuText" = "Yahoo! Login" "CLSIDExtension" = "{2499216C-4BA5-11D5-BD9C-000103C116D5}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\ylogin.dll" ["Yahoo! Inc."] {4528BBE0-4E08-11D5-AD55-00010333D0AD}\ "ButtonText" = "Messenger" "MenuText" = "Yahoo! Messenger" "CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" ["Yahoo! Inc."] {85D1F590-48F4-11D9-9669-0800200C9A66}\ "MenuText" = "Uninstall BitDefender Online Scanner v8" "Exec" = "%windir%\bdoscandel.exe" [null data] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data] avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data] avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."] AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."] AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."] ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\My Downloads\Anti-malware\Ewido\guard.exe" ["Anti-Malware Development a.s."] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."] Network Associates Task Manager, McTaskManager, ""C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe"" ["Network Associates, Inc."] Sunbelt Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe"" ["Sunbelt Software"] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monito rs\ Brother MFL Port\Driver = "brmfpmon.dll" ["Brother Industries,Ltd."] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 30 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 32 seconds. ---------- (total run time: 96 seconds) |
#11
|
|||
|
|||
Here's the ComboFix log:
Joann Fobian - 06-09-19 2:17:33.05 Service Pack 2 ComboFix 06.09.14 - Running from: C:\Documents and Settings\Joann Fobian\Desktop ((((((((((((((((((((((((((((((( Files Created from 2006-08-19 to 2006-09-19 )))))))))))))))))))))))))))))))))) 2006-09-18 01:45 90,112 --a------ C:\WINDOWS\system32\AVASTSS.scr 2006-09-18 01:45 635,520 --a------ C:\WINDOWS\system32\aswBoot.exe 2006-09-18 01:45 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll 2006-09-17 19:50 294,912 C:\WINDOWSWalgreens PhotoShow.scr 2006-09-05 08:57 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2006-09-19 01:51 -------- d-------- C:\Program Files\Mozilla Firefox 2006-09-18 23:11 -------- d-------- C:\Program Files\Sunbelt Software 2006-09-18 22:16 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys 2006-09-18 22:15 4992 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys 2006-09-18 22:15 4288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys 2006-09-18 22:15 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys 2006-09-18 22:15 23424 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys 2006-09-18 22:15 -------- d-------- C:\Program Files\Grisoft 2006-09-18 19:19 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\AVG7 2006-09-18 11:47 -------- d-------- C:\Program Files\ProcessExplorer9x 2006-09-18 02:46 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Lavasoft 2006-09-18 01:45 -------- d-------- C:\Program Files\Alwil Software 2006-09-17 19:50 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Walgreens 2006-09-17 19:50 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Simple Star 2006-09-17 19:47 -------- d-------- C:\Program Files\Walgreens 2006-09-11 23:15 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Macromedia 2006-09-11 20:38 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Mozilla 2006-09-11 17:59 -------- d-------- C:\Program Files\Opera 2006-09-11 12:39 -------- d-------- C:\Program Files\Free Offers from Freeze.com 2006-09-07 20:44 -------- d-------- C:\Program Files\Yahoo! 2006-09-07 19:17 -------- d-a------ C:\Program Files\Common Files 2006-09-07 19:17 -------- d-------- C:\Program Files\Network Associates 2006-09-07 19:17 -------- d-------- C:\Program Files\Common Files\Network Associates 2006-09-07 19:17 -------- d-------- C:\Program Files\Common Files\Cisco Systems 2006-09-07 09:22 -------- d-------- C:\Program Files\HoldemPoker 2006-09-06 18:00 -------- d-------- C:\Program Files\Trend Micro 2006-09-05 10:33 -------- d-------- C:\Program Files\Zone Labs 2006-09-05 10:27 26787 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys 2006-09-05 10:26 74864 --a------ C:\WINDOWS\system32\VetRedir.dll 2006-09-05 10:26 590190 --a------ C:\WINDOWS\system32\drivers\VetEFile.sys 2006-09-05 10:26 21031 --a------ C:\WINDOWS\system32\drivers\Vet-Filt.sys 2006-09-05 10:26 15735 --a------ C:\WINDOWS\system32\drivers\VetFDDNT.sys 2006-09-05 10:26 15478 --a------ C:\WINDOWS\system32\drivers\Vet-Rec.sys 2006-09-05 10:26 111728 --a------ C:\WINDOWS\AVShlExt.dll 2006-09-05 10:26 102398 --a------ C:\WINDOWS\system32\drivers\VetEBoot.sys 2006-09-05 10:19 -------- d-------- C:\Program Files\Common Files\Scanner 2006-09-04 22:34 -------- d-------- C:\Program Files\Java 2006-09-04 22:33 -------- d-------- C:\Program Files\Common Files\Java 2006-09-04 22:14 -------- d-------- C:\Program Files\Internet Explorer 2006-09-04 21:54 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Weather Studio 2006-08-25 17:11 -------- d--h----- C:\Program Files\InstallShield Installation Information 2006-08-25 17:11 -------- d-------- C:\Program Files\QuickTime 2006-08-25 17:10 -------- d-------- C:\Program Files\Common Files\InstallShield 2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll 2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe 2006-08-21 02:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys 2006-08-12 15:18 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\Real 2006-08-12 15:17 -------- d-------- C:\Program Files\Common Files\xing shared 2006-08-12 15:17 -------- d-------- C:\Program Files\Common Files\Real 2006-08-05 08:25 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys 2006-08-05 08:25 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys 2006-08-05 08:24 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys 2006-08-05 08:22 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys 2006-08-05 08:20 24304 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys 2006-07-27 06:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-07-24 15:45 -------- d-------- C:\Documents and Settings\Joann Fobian\Application Data\WeatherStudio Desktop 2006-07-24 15:04 27896 --a------ C:\Documents and Settings\Joann Fobian\Application Data\GDIPFONTCACHEV1.DAT 2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll 2006-07-11 19:58 1726 --a------ C:\Documents and Settings\Joann Fobian\Application Data\AdobeDLM.log 2006-07-11 19:58 0 --a------ C:\Documents and Settings\Joann Fobian\Application Data\dm.ini 2006-06-21 22:06 69120 --a------ C:\WINDOWS\system32\ciodm.dll 2006-06-21 22:06 1435648 --a------ C:\WINDOWS\system32\query.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background" "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7" "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "MS Security Hotfix"="spoolsrv32.exe" "Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\Mo tiveSB.exe" "BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe" "PaperPort PTD"="C:\\Program Files\\Scansoft\\PaperPort\\pptd40nt.exe" "IPInSightLAN 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPClient.exe\" -l" "IPInSightMonitor 02"="\"C:\\Program Files\\Visual Networks\\Visual IP InSight\\SBC\\IPMon32.exe\"" "IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\"" "ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE" "McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey" "Network Associates Error Reporting Service"="\"C:\\Program Files\\Common Files\\Network Associates\\TalkBack\\TBMon.exe\"" "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp. exe" "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc. exe /STARTUP" "YOP"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart" "YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe" "USRpdA"="C:\\WINDOWS\\SYSTEM32\\USRmlnkA.exe RunServices \\Device\\3cpipe-USRpdA" "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot" "RegistryMechanic"="C:\\Program Files\\Registry Mechanic\\RegMech.exe /QS" "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime" "New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,NewDotNetStar tup -s" "IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe" "Frag deaf debug 01"="C:\\Documents and Settings\\All Users\\Application Data\\Bolt bore frag deaf\\ItchOnline.exe" "eanth_system_patcher"="C:\\PROGRA~1\\ACCELE~1\\SY STEM~1\\sys_alert.exe /Startup" "CAVRID"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVRID.exe\"" "cakebowsdoescorn"="C:\\Documents and Settings\\All Users\\Application Data\\Log Else Cake Bows\\Teambird.exe" "CaAvTray"="\"C:\\Program Files\\Yahoo!\\Antivirus\\CAVTray.exe\"" "Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\"" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\IMAIL] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MAPI] "Installed"="1" "NoChange"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run\OptionalComponents\MSFS] "Installed"="1" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Runservices] "MS Security Hotfix"="spoolsrv32.exe" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components] "DeskHtmlVersion"=dword:00000110 "DeskHtmlMinorVersion"=dword:00000005 "Settings"=dword:00000001 "GeneralFlags"=dword:00000001 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" "Flags"=dword:00000002 "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00 ,34,03,00,00,e4,02,00,00,00,\ 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00 ,00,00,00,00,00,00 "CurrentState"=hex:04,00,00,40 "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff ,ff,00,00,ff,ff,ff,ff,ff,ff,\ ff,ff,04,00,00,00 "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23 ,00,00,00,a4,00,00,00,9a,00,\ 00,00,01,00,00,00 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE" [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw. exe /RUNONCE" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0" [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\policies\system] "dontdisplaylastusername"=dword:00000000 "legalnoticecaption"="" "legalnoticetext"="" "shutdownwithoutlogon"=dword:00000001 "undockwithoutlogon"=dword:00000001 [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\policies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\polic ies\explorer] "NoDriveTypeAutoRun"=dword:00000091 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Run] "key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows" "item"="??? ?" "hkey"="HKCU" "command"="??? ?" "inimapping"="1" I'm posting this in the wee hours of the morning here. I hope this all makes sense. I'm too tired to read through it all. |
#12
|
||||
|
||||
Good that you help clean that computer for your friend. The system has McAfee, Avast4 and AVG, which is two too many. One will need to be chosen and the other two removed.
One item of infection normally removed by Ewido is still active. Let's see if we can get more done now. Download the Microsoft Task Scheduler Command Line Utility from here, unzip it and save it to your Windows folder. Copy all the text contained in the code box below by highlighting it and right clicking and selecting "Copy". Rightclick on your Desktop and click on New > Text Document. Open the new text document, position your mouse inside the blank, rightclick and choose Paste. Code:
@echo off jt /sd A33402BC9187B9EC.job jt /sd A414DF6991875965.job Doubleclick on remove.bat. This will complete it's task next reboot. Then Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types" Do a search ( Start - Search/Find - Files or Folders) for the following hilighted files/folders (shown in Bold), and if found, delete them. C:\Program Files\Free Offers from Freeze.com (the entire folder) Close Internet Explorer and all open windows and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com F3 - REG:win.ini: load=??? ? O2 - BHO: (no name) - {498AE566-E41E-8A4F-442E-F0BA60F44651} - blank (file missing) O4 - HKLM\..\Run: [MS Security Hotfix] spoolsrv32.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s O4 - HKLM\..\Run: [Frag deaf debug 01] C:\Documents and Settings\All Users\Application Data\Bolt bore frag deaf\ItchOnline.exe O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" O4 - HKLM\..\Run: [cakebowsdoescorn] C:\Documents and Settings\All Users\Application Data\Log Else Cake Bows\Teambird.exe O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" O4 - HKLM\..\RunServices: [MS Security Hotfix] spoolsrv32.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O20 - Winlogon Notify: GuardianPJCST - ðì/ (file missing) Open and update Ewido (but don't scan just yet). Also run ATF Cleaner again. ================================================== === Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Make sure all windows are closed and run Ewido. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again. Then reboot back to Normal Mode. Post back the Ewido log, along with a new HijackThis and Silent Runners log please. |
#13
|
|||
|
|||
JoAnn is grateful for your help, Tom, but we have a bit of a problem now.
I printed out the list of things to remove with HijackThis, then I wrote down each step you instructed me to follow after that. (I had never run ATF Cleaner before, so I downloaded the latest version I could find -- 2.0.0.2 -- and ran that.) I followed each step carefully, taking especial care in HijackThis. But now I can't boot in Normal Mode, even if I try to revert to the last known good configuration. The boot halts at the Windows XP boot screen. I am only able to be here by booting into Safe Mode with Networking. I'll log onto the Internet and check back here often to hear back from you. |
#14
|
|||
|
|||
Here's the contents of JoAnn's boot.ini file:
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOW S [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Micro soft Windows XP Home Edition" /fastdetect /NoExecute=OptIn |
#15
|
|||
|
|||
I have a current bootlog, but it's rather long. Would it be appropriate to post that here?
|
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
Grrrrrrr *UK Car Owners* | dammit | Open Discussion | 9 | December 16th, 2006 11:38 PM |
Hotbar,btiein and ibis | Allenv | Malware Removal | 12 | June 24th, 2004 07:50 PM |
hunt bar and btiein | lneilson | Malware Removal | 0 | May 27th, 2004 11:37 PM |
All times are GMT +1. The time now is 11:47 PM.