
Virtumundo.c HJT Log

jhalleau (join: 2003-03-04, Vancouver, WA):
Hi Folks, I have tried the Symantec removal tool in both normal and safe mode; both times the Symantec tool tells me I am not infected, but the popups and MS AntiSpyware tell me differently. I cannot seem to get rid of this thing. Here is my HJT log. I appreciate any help!
Logfile of HijackThis v1.99.1
Scan saved at 7:28:10 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Picasa\PicasaMediaDetector.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\WINDOWS\system32\hphmon04.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
E:\Program Files\DIRECWAY\BIN\dpcstart.exe
E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchIndexer.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
E:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »red.clientapps.yahoo.com/customi···rch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »red.clientapps.yahoo.com/customi···ahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - E:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - E:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - E:\WINDOWS\system32\ddayx.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O4 - HKLM\..\Run: [cpqek] E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Disc Detector] E:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] E:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] E:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] E:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: iPodder.lnk = E:\Program Files\iPodder\iPodder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Dpcstart.lnk = E:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Windows Desktop Search.lnk = E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?dfb9c8e6c2f144d2ad7d443c8c5f5d6
O8 - Extra context menu item: Open in new foreground tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?dfb9c8e6c2f144d2ad7d443c8c5f5d6
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: »www.diyonline.com
O16 - DPF: HPVC component - »vrm04.win2000.hpe-learning.com/h···1131.cab
O16 - DPF: HPVC resources - »vrm04.win2000.hpe-learning.com/h···0147.cab
O16 - DPF: HPVC signed - »vrm04.win2000.hpe-learning.com/h···0139.cab
O16 - DPF: HPVC support - »vrm04.win2000.hpe-learning.com/h···4016.cab
O16 - DPF: HPVC vminfo - »vrm04.win2000.hpe-learning.com/R···info.cab
O16 - DPF: Toki Toki Boom - »download.games.yahoo.com/games/c···tm_x.cab
O16 - DPF: Yahoo! Bingo - »download.games.yahoo.com/games/c···t0_x.cab
O16 - DPF: Yahoo! Checkers - »download.games.yahoo.com/games/c···t3_x.cab
O16 - DPF: Yahoo! Dominoes - »download.games.yahoo.com/games/c···t8_x.cab
O16 - DPF: Yahoo! Dots - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Literati - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pinochle - »download.games.yahoo.com/games/c···t2_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Spades - »download.games.yahoo.com/games/c···t2_x.cab
O16 - DPF: {00000004-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms4 Class) - »https://www.rooms.hp.com/vRoom_Cab/WebHP···all4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - »https://invoice.microsoft.com/mcsimenu.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »207.188.7.150/06100bb025b4f57a92···E601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···24896276
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - »216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - »updates.lifescapeinc.com/install···tall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2003···an53.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - »transfers.one.microsoft.com/FTM/···Ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - »toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - file://E:\WINDOWS\Web\TSWeb\msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - »quickbooks.intuit.com/commerce/a···/IDA.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - »www.flipside.com/cab/WONWebLaunc···trol.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - »66.121.122.195/wg_webeye.cab
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - »www.behere.com/dan/iVideoViewer3_0.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - »us.dl1.yimg.com/download.yahoo.c···lete.cab
O16 - DPF: {B931B906-B275-475F-99DE-923596CC9DB6} (PAS6_Forecaster.Forecaster) - »www.bplans.com/common/startcost/···ster.CAB
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - »www.movie-browser.com/tl4000.dll
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/SSC/Shared···absa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - »https://www-secure.symantec.com/techsupp···Data.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - »phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - »vrm08.win2000.hpe-learning.com/R···Drop.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - »https://www-secure.symantec.com/techsupp···Data.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mshome.net
O17 - HKLM\Software\..\Telephony: DomainName = mshome.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32B2EDD-E5F7-4F5C-9ECF-7E843B56B8CD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mshome.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mshome.net
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O20 - Winlogon Notify: ddayx - E:\WINDOWS\system32\ddayx.dll
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - E:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
Thanks!
-- Host= Cpq D500, P4 1.9GHz, 512MB RAM, 40GB HD, 5-6 clients networked, 2-3 wireless, rest wired.

CalamityJane (Premium, VIP, MVM; join: 2002-08-27, Eustis, FL):
Hi jhalleau,
You're blessed (not) with the hard-to-remove one, but this should do it.
Make a copy of these instructions so that you have them handy as the next steps require you to be in safe mode and offline.
1. Please download VundoFix by Atribune from here:
www.atribune.org/downloads/VundoFix.exe
Save it to your desktop. Double-click VundoFix.exe to extract the files. This will create a folder named VundoFix on your desktop.
2. After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
3. Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
4. You will first be presented with a warning. It should look like this:

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk.
    Press enter to continue....

5. At this point press enter one time. Next you will see:

    Please Type in the filepath as instructed by the forum staff and then press enter:
At this point please copy and paste in the following file path (make sure to enter it exactly as below!):
E:\WINDOWS\system32\ddayx.dll
6. Press *Enter* to continue with the fix.
7. Next you will see:

    Please type in the second file path as instructed by the forum staff then press enter:
At this point please copy and paste in the following file path (make sure to enter it exactly as below!):
E:\WINDOWS\system32\xyadd.*
8. Press *Enter* to continue with the fix. The fix will run, then HijackThis will open; if it does not open automatically, please open it manually.
9. Scan with HijackThis, place a checkmark next to the following items, and click the *FIX CHECKED* button:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »red.clientapps.yahoo.com/customize/ie/..
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »red.clientapps.yahoo.com/customize/ie/..
O2 - BHO: IeCaptureBho Object - {7c1ce531-09e9-4fc5-9803-1c2956615786} - E:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll (file missing)
O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - E:\Program Files\AIM Toolbar\aimhelper.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - E:\WINDOWS\system32\ddayx.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - »207.188.7.150/06100bb025b4f57a9220/net..
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} - »www.movie-browser.com/tl4000.dll
O20 - Winlogon Notify: ddayx - E:\WINDOWS\system32\ddayx.dll
After you have fixed these items, close HijackThis.
10. Press enter to exit the program, then manually reboot your computer.
11. Once your machine reboots, please scan once more with HijackThis and post a fresh HJT log and the vundofix.txt file from the VundoFix folder into this topic.
12. Go to Panda ActiveScan and do a complete system scan
Panda's Active Scan »www.pandasoftware.com/products/a···scan.htm
Save the report and copy it back here, along with the Vundo.txt and a fresh HijackThis log.
-- It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)
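The reasoning behind the fix list above can be checked mechanically: the same randomly named DLL in system32 is registered both as an IE BHO (O2) and as a Winlogon Notify package (O20), the second path handed to VundoFix is the first file's base name reversed with any extension (ddayx.dll, xyadd.*), and entries marked "(file missing)" are orphans worth clearing. The Python below is an added example written for this page, not code from the thread, from HijackThis or from VundoFix; the sample log lines are constructed from entries in the log posted above, and the function names and the "DLL directly under system32" heuristic are my own assumptions.

```python
"""Triage a HijackThis v1.99-era log for the Vundo/Virtumundo indicators
discussed in this thread. Added example; not part of HijackThis or VundoFix."""
import re

# Constructed sample: a handful of entries copied from the log posted above,
# plus one clean O23 line. This is the only input the script needs.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - E:\\Program Files\\AIM Toolbar\\aimhelper.dll (file missing)
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - E:\\WINDOWS\\system32\\ddayx.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: ddayx - E:\\WINDOWS\\system32\\ddayx.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A DLL sitting directly in system32 (no subfolder): the location used here.
# Heuristic assumed for this example, not a rule from the thread.
SYSTEM32_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# Trailing flags HijackThis appends after the path.
FLAG_RE = re.compile(r"\s*\((?:file missing|HKCU|HKLM)\)")


def parse_hjt(text):
    """Split a log into entries: section tag, raw body, file path, missing flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                      # header, process list, blank lines
        body = m.group("body")
        missing = "(file missing)" in body
        # The path is the last " - "-separated field once the flags are gone.
        path = FLAG_RE.sub("", body).rsplit(" - ", 1)[-1].strip()
        entries.append({"section": m.group("section"), "body": body,
                        "path": path, "missing": missing})
    return entries


def vundo_candidates(entries):
    """DLLs in system32 registered both as an IE BHO (O2) and as a Winlogon
    Notify package (O20): the pairing fixed in the instructions above."""
    seen, original = {}, {}
    for e in entries:
        if e["section"] not in ("O2", "O20") or e["missing"]:
            continue
        if not SYSTEM32_DLL_RE.match(e["path"]):
            continue
        key = e["path"].lower()           # Windows paths are case-insensitive
        seen.setdefault(key, set()).add(e["section"])
        original.setdefault(key, e["path"])
    return [original[k] for k in sorted(seen) if seen[k] == {"O2", "O20"}]


def reversed_companion(dll_path):
    """Second VundoFix path: same folder, base name reversed, any extension
    (E:\\WINDOWS\\system32\\ddayx.dll -> E:\\WINDOWS\\system32\\xyadd.*)."""
    folder, name = dll_path.rsplit("\\", 1)
    stem = name.rsplit(".", 1)[0]
    return f"{folder}\\{stem[::-1]}.*"


def orphaned_entries(entries):
    """Entries whose target file no longer exists; harmless but worth fixing."""
    return [f'{e["section"]} - {e["body"]}' for e in entries if e["missing"]]


def triage(text):
    """Run all three checks over a log and return the findings."""
    entries = parse_hjt(text)
    hits = vundo_candidates(entries)
    return {
        "vundo_dlls": hits,
        "vundofix_paths": [(p, reversed_companion(p)) for p in hits],
        "orphans": orphaned_entries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("   ", item)
```

To use it on a real log, replace SAMPLE_LOG with the file contents. The O2/O20 pairing is a heuristic, not proof: confirm a hit by checking that the file actually exists in system32 and that nothing legitimate installed it before handing the paths to VundoFix.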
jhalleau:
Thanks CalamityJane, my machine already seems better. Here is a new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:15:19 PM, on 11/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
E:\WINDOWS\system32\ZoneLabs\isafe.exe
E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
E:\WINDOWS\system32\inetsrv\inetinfo.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Picasa\PicasaMediaDetector.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\QuickTime\qttask.exe
E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
E:\WINDOWS\system32\hphmon04.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
E:\Program Files\MSN Messenger\MsnMsgr.Exe
E:\Program Files\AIM\aim.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\DIRECWAY\BIN\dpcstart.exe
E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
E:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchIndexer.exe
E:\PROGRA~1\DIRECWAY\bin\dpcnav.exe
E:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll
O4 - HKLM\..\Run: [cpqek] E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Disc Detector] E:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] E:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] E:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: iPodder.lnk = E:\Program Files\iPodder\iPodder.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Dpcstart.lnk = E:\Program Files\DIRECWAY\BIN\dpcstart.exe
O4 - Global Startup: Windows Desktop Search.lnk = E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &MSN Search - res://E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm
O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?dfb9c8e6c2f144d2ad7d443c8c5f5d6
O8 - Extra context menu item: Open in new foreground tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?dfb9c8e6c2f144d2ad7d443c8c5f5d6
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O15 - Trusted Zone: »www.diyonline.com
O16 - DPF: HPVC component - »vrm04.win2000.hpe-learning.com/h···1131.cab
O16 - DPF: HPVC resources - »vrm04.win2000.hpe-learning.com/h···0147.cab
O16 - DPF: HPVC signed - »vrm04.win2000.hpe-learning.com/h···0139.cab
O16 - DPF: HPVC support - »vrm04.win2000.hpe-learning.com/h···4016.cab
O16 - DPF: HPVC vminfo - »vrm04.win2000.hpe-learning.com/R···info.cab
O16 - DPF: Toki Toki Boom - »download.games.yahoo.com/games/c···tm_x.cab
O16 - DPF: Yahoo! Bingo - »download.games.yahoo.com/games/c···t0_x.cab
O16 - DPF: Yahoo! Checkers - »download.games.yahoo.com/games/c···t3_x.cab
O16 - DPF: Yahoo! Dominoes - »download.games.yahoo.com/games/c···t8_x.cab
O16 - DPF: Yahoo! Dots - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Literati - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pinochle - »download.games.yahoo.com/games/c···t2_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Spades - »download.games.yahoo.com/games/c···t2_x.cab
O16 - DPF: {00000004-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms4 Class) - »https://www.rooms.hp.com/vRoom_Cab/WebHP···all4.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - »https://invoice.microsoft.com/mcsimenu.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···24896276
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - »216.249.24.140/code/PWActiveXImgCtl.CAB
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - »updates.lifescapeinc.com/install···tall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2003···an53.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - »transfers.one.microsoft.com/FTM/···Ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - »toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - file://E:\WINDOWS\Web\TSWeb\msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - »quickbooks.intuit.com/commerce/a···/IDA.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »acs.pandasoftware.com/activescan···inst.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - »www.flipside.com/cab/WONWebLaunc···trol.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - »66.121.122.195/wg_webeye.cab
O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - »www.behere.com/dan/iVideoViewer3_0.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - »us.dl1.yimg.com/download.yahoo.c···lete.cab
O16 - DPF: {B931B906-B275-475F-99DE-923596CC9DB6} (PAS6_Forecaster.Forecaster) - »www.bplans.com/common/startcost/···ster.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/SSC/Shared···absa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - »https://www-secure.symantec.com/techsupp···Data.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - »phobos.apple.com/detection/ITDetector.cab
O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - »vrm08.win2000.hpe-learning.com/R···Drop.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - »https://www-secure.symantec.com/techsupp···Data.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mshome.net
O17 - HKLM\Software\..\Telephony: DomainName = mshome.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: Domain = direcway.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: NameServer = 66.82.4.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{A32B2EDD-E5F7-4F5C-9ECF-7E843B56B8CD}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mshome.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mshome.net
O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - E:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe
jhalleau:
And here is the vundo.txt:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------
Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------
killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt
--------------------------------------------------------------------------------------
Filepaths entered
--------------------------------------------------------------------------------------
The filepath entered was E:\WINDOWS\system32\ddayx.dll
The second filepath entered was E:\WINDOWS\system32\xyadd.*
--------------------------------------------------------------------------------------
Log from Process
--------------------------------------------------------------------------------------
Killing PID 420 'smss.exe'
Killing PID 2516 'explorer.exe'
Killing PID 2516 'explorer.exe'
Killing PID 2516 'explorer.exe'
Killing PID 2516 'explorer.exe'
Error 0x5 : Access is denied.
Killing PID 2668 'rundll32.exe'
Killing PID 2668 'rundll32.exe'
Killing PID 2668 'rundll32.exe'
Killing PID 2668 'rundll32.exe'
Killing PID 3048 'rundll32.exe'
Killing PID 612 'winlogon.exe'
Killing PID 612 'winlogon.exe'
Killing PID 612 'winlogon.exe'
Killing PID 612 'winlogon.exe'
Killing PID 612 'winlogon.exe'
--------------------------------------------------------------------------------------
Could not delete E:\WINDOWS\system32\ddayx.dll.
E:\WINDOWS\system32\xyadd.* Deleted sucessfully.
Fixing Registry
--------------------------------------------------------------------------------------
Off to do a Panda scan now. -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Good job so far. We'll see what Panda comes up with. Your log looks pretty good. I'm a little surprised at this one from the VundoFix log:
Could not delete E:\WINDOWS\system32\ddayx.dll
Would you please search your system to see if that file is still on there? E:\WINDOWS\system32\ddayx.dll
It could be something else deleted it but I'd like to be sure.
And then we'll wait to see the Panda log - it may find more. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   jhalleau
join:2003-03-04 Vancouver, WA
| Hi CJ,
Yes, that file is still there, should I delete it? I had some issues with my ISP, it seems you have to pay the bill or they shut you off, so I had a small problem finishing the Panda scan last night.
I won't be able to get to the Panda scan for a couple hours, but will get that started right away. So far though, today I have not seen one single winfixer popup. Thanks again for your help! -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| said by jhalleau: Hi CJ, Yes, that file is still there, should I delete it?
Yes, though I'd be surprised if that is successful, but it needs to go.
If it won't delete try this tool:
1) Please download the free tool called Killbox here
www.atribune.org/downloads/KillBox.exe.
2) Select "Delete on Reboot".
3) Copy the text below to clipboard and paste into the box titled "Full Path of File to Delete"
E:\WINDOWS\system32\ddayx.dll
4) Press the Red button with the white X on it to delete the file and confirm that *yes* you do want to delete.
5) It will then ask if you want to reboot. Answer *Yes* and wait while the computer reboots.
Let me know if it's still there.
quote: I won't be able to get to the Panda scan for a couple hours, but will get that started right away. So far though, today I have not seen one single winfixer popup. Thanks again for your help!
Not a problem. We'll be here - glad we can help  -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   jhalleau
join:2003-03-04 Vancouver, WA
| reply to jhalleau Well... this just sucks some really nasty tasting / smelling stuff....
First off, CJ you and the other regulars who come here and help folks like me, are the bestest on the internet! Without you, the world would be a bunch of zomby and haxored boxes. Thanks for helping us!
I thought I was doing good, eating my veggies, using the antispyware, antivirus software, doing the update thing... But Noooooooooooooo, I still get this **** thing...
anyway, I thought this was gone, but Panda now tells me it's still hanging around for a bit... and it looks like I also have Look2Me?!?!
Incident                    Status           Location
Spyware:Spyware/Virtumonde  No disinfected   C:\HJT\backups\backup-20051115-224620-474.dll
Adware:Adware/Look2Me       No disinfected   E:\Program Files\Picasa\pinstall.dll
Spyware:Spyware/Virtumonde  No disinfected   E:\WINDOWS\system32\ddcya.dll
Oh, BTW, it did let me delete that file in the previous post. I did that before this panda scan, and without the assistance of killbox... lotta good it did me eh? -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | You're doing great. This is a difficult infection.
Can you scan with HijackThis and post a fresh log, please so I can see where we are at this point? | |   jhalleau
join:2003-03-04 Vancouver, WA
| reply to jhalleau Here you go...
Thanks again!
Logfile of HijackThis v1.99.1 Scan saved at 9:11:56 PM, on 11/16/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes: E:\WINDOWS\System32\smss.exe E:\WINDOWS\system32\winlogon.exe E:\WINDOWS\system32\services.exe E:\WINDOWS\system32\lsass.exe E:\WINDOWS\system32\svchost.exe E:\WINDOWS\System32\svchost.exe E:\WINDOWS\system32\spoolsv.exe E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE E:\WINDOWS\system32\ZoneLabs\isafe.exe E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe E:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE E:\WINDOWS\system32\nvsvc32.exe E:\WINDOWS\system32\ZoneLabs\vsmon.exe E:\WINDOWS\Explorer.EXE E:\WINDOWS\System32\MsPMSPSv.exe E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe E:\Program Files\Microsoft IntelliPoint\point32.exe E:\Program Files\Picasa\PicasaMediaDetector.exe E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe E:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Program Files\QuickTime\qttask.exe E:\WINDOWS\system32\rundll32.exe E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe E:\WINDOWS\system32\hphmon04.exe E:\Program Files\Microsoft AntiSpyware\gcasServ.exe E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe E:\Program Files\MSN Messenger\MsnMsgr.Exe E:\Program Files\AIM\aim.exe E:\WINDOWS\system32\RUNDLL32.EXE E:\WINDOWS\system32\ctfmon.exe E:\Program Files\IOGEAR\Bluetooth Software\BTTray.exe E:\Program Files\DIRECWAY\BIN\dpcstart.exe E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchIndexer.exe E:\WINDOWS\System32\svchost.exe E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe E:\PROGRA~1\DIRECWAY\bin\dpcnav.exe E:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe E:\WINDOWS\System32\svchost.exe E:\Program Files\Internet Explorer\iexplore.exe E:\Program Files\MSN Toolbar 
Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearchFilter.exe C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:83 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll O4 - HKLM\..\Run: [cpqek] E:\Program Files\Compaq\Compaq EAB Software\cpqek.exe O4 - HKLM\..\Run: [Disc Detector] E:\Program Files\Creative\ShareDLL\CtNotify.exe O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [LifeScape Media Detector] E:\Program Files\Picasa\PicasaMediaDetector.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKLM\..\Run: [HPHmon04] E:\WINDOWS\system32\hphmon04.exe O4 - HKLM\..\Run: [HPHUPD04] "E:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKCU\..\Run: [MsnMsgr] "E:\Program Files\MSN 
Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Yahoo! Pager] "E:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - Startup: iPodder.lnk = E:\Program Files\iPodder\iPodder.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: BTTray.lnk = ? O4 - Global Startup: Dpcstart.lnk = E:\Program Files\DIRECWAY\BIN\dpcstart.exe O4 - Global Startup: Windows Desktop Search.lnk = E:\Program Files\MSN Toolbar Suite\DS\02.02.0000.1007\en-us\bin\WindowsSearch.exe O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &MSN Search - res://E:\Program Files\MSN Toolbar Suite\TB\02.01.0000.2214\en-us\msntb.dll/search.htm O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Open in new background tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/229?dfb9c8e6c2f144d2ad7d443c8c5f5d6 O8 - Extra context menu item: Open in new foreground tab - res://E:\Program Files\MSN Toolbar Suite\TAB\02.02.0000.1007\en-us\msntabres.dll/230?dfb9c8e6c2f144d2ad7d443c8c5f5d6 O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://E:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll O9 - Extra 'Tools' menuitem: VisualRoute Trace - 
{04849C74-016E-4a43-8AA5-1F01DE57F4A1} - E:\Program Files\VisualRoute\vrie.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\IOGEAR\Bluetooth Software\btsendto_ie.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU) O12 - Plugin for .bcf: E:\Program Files\Internet Explorer\Plugins\NPBelv32.dll O15 - Trusted Zone: »www.diyonline.com O16 - DPF: HPVC component - »vrm04.win2000.hpe-learning.com/h···1131.cab O16 - DPF: HPVC resources - »vrm04.win2000.hpe-learning.com/h···0147.cab O16 - DPF: HPVC signed - »vrm04.win2000.hpe-learning.com/h···0139.cab O16 - DPF: HPVC support - »vrm04.win2000.hpe-learning.com/h···4016.cab O16 - DPF: HPVC vminfo - »vrm04.win2000.hpe-learning.com/R···info.cab O16 - DPF: Toki Toki Boom - »download.games.yahoo.com/games/c···tm_x.cab O16 - DPF: Yahoo! Bingo - »download.games.yahoo.com/games/c···t0_x.cab O16 - DPF: Yahoo! Checkers - »download.games.yahoo.com/games/c···t3_x.cab O16 - DPF: Yahoo! Dominoes - »download.games.yahoo.com/games/c···t8_x.cab O16 - DPF: Yahoo! 
Dots - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: Yahoo! Literati - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: Yahoo! Pinochle - »download.games.yahoo.com/games/c···t2_x.cab O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···tc_x.cab O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab O16 - DPF: Yahoo! Spades - »download.games.yahoo.com/games/c···t2_x.cab O16 - DPF: {00000004-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms4 Class) - »https://www.rooms.hp.com/vRoom_Cab/WebHP···all4.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - »https://invoice.microsoft.com/mcsimenu.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - »www.cult3d.com/download/cult.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···24896276 O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - »216.249.24.140/code/PWActiveXImgCtl.CAB O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - »updates.lifescapeinc.com/install···tall.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - »a840.g.akamai.net/7/840/537/2003···an53.cab O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - »transfers.one.microsoft.com/FTM/···Ctrl.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···ient.cab O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - »toolbar.google.com/data/GoogleActivate.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - file://E:\WINDOWS\Web\TSWeb\msrdp.cab O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - »www.installengine.com/engine/isetup.cab O16 - DPF: 
{9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - »quickbooks.intuit.com/commerce/a···/IDA.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »acs.pandasoftware.com/activescan···inst.cab O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} - »www.flipside.com/cab/WONWebLaunc···trol.cab O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - »66.121.122.195/wg_webeye.cab O16 - DPF: {AA14C86B-DA22-4811-8186-BB496A299C5F} (Be Here TotalView Player ActiveX Control, Version 3.0) - »www.behere.com/dan/iVideoViewer3_0.cab O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - »us.dl1.yimg.com/download.yahoo.c···lete.cab O16 - DPF: {B931B906-B275-475F-99DE-923596CC9DB6} (PAS6_Forecaster.Forecaster) - »www.bplans.com/common/startcost/···ster.CAB O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - »security.symantec.com/SSC/Shared···absa.cab O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) - O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - »https://www-secure.symantec.com/techsupp···Data.dll O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - »phobos.apple.com/detection/ITDetector.cab O16 - DPF: {DF7B8990-6141-4677-B0B2-977169DB4A7E} (HPPptDropProj.HPPptDrop) - »vrm08.win2000.hpe-learning.com/R···Drop.CAB O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - »https://www-secure.symantec.com/techsupp···Data.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »chat.msn.com/bin/msnchat45.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mshome.net O17 - HKLM\Software\..\Telephony: DomainName = mshome.net O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: Domain = direcway.com O17 - HKLM\System\CCS\Services\Tcpip\..\{31238060-3E8B-4F37-8B48-2F39936CB5A0}: NameServer = 66.82.4.8 O17 - 
HKLM\System\CCS\Services\Tcpip\..\{A32B2EDD-E5F7-4F5C-9ECF-7E843B56B8CD}: NameServer = 192.168.0.1 O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mshome.net O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mshome.net O18 - Protocol: OWC11.mso-offdap - {32505114-5902-49B2-880A-1F7738E5A384} - E:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - E:\Program Files\IOGEAR\Bluetooth Software\bin\btwdins.exe O23 - Service: C-DillaSrv - C-Dilla Ltd - E:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - E:\WINDOWS\system32\ZoneLabs\isafe.exe O23 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) - Hughes Network Systems - E:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe O23 - Service: Flexlm (lmgrd) - Unknown owner - E:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPH11 - HP - E:\WINDOWS\system32\HPHipm11.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINDOWS\system32\ZoneLabs\vsmon.exe -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Your log looks good. I think Panda may be a false alert on this one:
Adware:Adware/Look2Me No disinfected E:\Program Files\Picasa\pinstall.dll
Do you have the program Picasa? I'm showing that it is a legitimate program.
To be sure, scan the file E:\Program Files\Picasa\pinstall.dll here:
Jotti Malware Scan »virusscan.jotti.org/
or here:
Virus Total »www.virustotal.com/
Copy the report at the end and post the results back here. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   jhalleau
join:2003-03-04 Vancouver, WA
| reply to jhalleau Thanks again CalamityJane!
Jotti didn't show this as anything, but VirusScan did show that Panda is showing this as Look2Me, which is odd, because yes, I do have Picasa installed.
Here is the virustotal log.
This is a report processed by VirusTotal on 11/17/2005 at 17:14:09 (CET) after scanning the file "pinstall.dll" file.
Antivirus      Version         Update      Result
AntiVir        6.32.0.6        11.17.2005  no virus found
Avast          4.6.695.0       11.16.2005  no virus found
AVG            718             11.15.2005  no virus found
Avira          6.32.0.6        11.17.2005  no virus found
BitDefender    7.2             11.17.2005  no virus found
CAT-QuickHeal  8.00            11.17.2005  no virus found
ClamAV         devel-20051108  11.17.2005  no virus found
DrWeb          4.33            11.17.2005  no virus found
eTrust-Iris    7.1.194.0       11.16.2005  no virus found
eTrust-Vet     11.9.1.0        11.17.2005  no virus found
Fortinet       2.48.0.0        11.17.2005  no virus found
F-Prot         3.16c           11.15.2005  no virus found
Ikarus         0.2.59.0        11.17.2005  no virus found
Kaspersky      4.0.2.24        11.17.2005  no virus found
McAfee         4630            11.17.2005  no virus found
NOD32v2        1.1289          11.16.2005  no virus found
Norman         5.70.10         11.17.2005  no virus found
Panda          8.02.00         11.17.2005  Adware/Look2Me
Sophos         3.99.0          11.17.2005  no virus found
Symantec       8.0             11.17.2005  no virus found
TheHacker      5.9.1.036       11.16.2005  no virus found
VBA32          3.10.5          11.16.2005  no virus found
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware. -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL | With Panda being the ONLY one, I suspect it's a false alert of some sort. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| reply to jhalleau One more thing to check now. Please open HijackThis, but instead of Scan, choose *Open Misc Tools Section* in the opening screen. In Misc. Tools choose the *Open Uninstall Manager* tab on the left hand list of tools.
HJT will scan and present a list. Press *Save List* and copy the results back here, please. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   jhalleau
join:2003-03-04 Vancouver, WA
| reply to jhalleau Here you go...
Adobe Atmosphere Player for Acrobat and Adobe Reader Adobe Download Manager 2.0 (Remove Only) Adobe PDF IFilter 6.0 Adobe Reader 7.0 Adobe® Photoshop® Album Starter Edition 3.0 AOL Instant Messenger Belarc Advisor 6.0 Bink and Smacker CoffeeCup Firestarter Compaq EAB Software DIRECWAY Empire Earth Google Earth Plus HighMAT Extension to Microsoft Windows XP CD Writing Wizard HijackThis 1.99.1 HP Install Network Printer Wizard HP Virtual Rooms Intel(R) PRO Network Adapters and Drivers InterVideo WinDVD IOGEAR Bluetooth Software IRAS J2SE Runtime Environment 5.0 Update 5 Java 2 Runtime Environment, SE v1.4.2_05 Lernout & Hauspie TruVoice American English TTS Engine Macromedia Shockwave Player Microsoft .NET Framework 1.1 Microsoft AntiSpyware Microsoft Image Composer 1.5 Microsoft Office FrontPage 2003 Microsoft Office Live Meeting 2005 Microsoft Office Professional Edition 2003 Microsoft Office Publisher 2003 Microsoft Office Visio Viewer 2003 (English) Microsoft PhotoDraw 2000 V2 Microsoft Rise Of Nations mIRC MSN Messenger 7.0 MSN Music Assistant MSN Search Toolbar MSXML4 Parser Napster Napster Burn Engine NVIDIA Display Driver NVIDIA Windows 2000/XP Display Drivers Panda ActiveScan Photosmart 130,230,7150,7345,7350,7550 (Remove only) Photovista Panorama 3.0 Picasa point4020 QuickTime Rand McNally StreetFinder Rand McNally TripMaker RealPlayer Rise of Nations Thrones and Patriots Security Update for Windows XP (KB883939) Security Update for Windows XP (KB890046) Security Update for Windows XP (KB893756) Security Update for Windows XP (KB896358) Security Update for Windows XP (KB896422) Security Update for Windows XP (KB896423) Security Update for Windows XP (KB896424) Security Update for Windows XP (KB896428) Security Update for Windows XP (KB896688) Security Update for Windows XP (KB899587) Security Update for Windows XP (KB899588) Security Update for Windows XP (KB899589) Security Update for Windows XP (KB899591) Security Update for Windows XP (KB900725) Security 
Update for Windows XP (KB901017) Security Update for Windows XP (KB901214) Security Update for Windows XP (KB902400) Security Update for Windows XP (KB903235) Security Update for Windows XP (KB904706) Security Update for Windows XP (KB905414) Security Update for Windows XP (KB905749) Shockwave SimCity 3000 SimTown Spybot - Search & Destroy 1.4 Street Atlas USA 7.0 Tetris Worlds TipTop Deluxe 1.1 Tonka Garage Tonka Raceway TurboTax Basic 2003 TurboTax Basic 2004 Ultimate Ride Disney Coaster Uninstall EarthMate USB to Serial Driver Update for Windows XP (KB894391) Update for Windows XP (KB896727) Update for Windows XP (KB898461) Viewpoint Media Player VisualRoute Windows Installer 3.1 (KB893803) Windows Installer 3.1 (KB893803) Windows Media Format Runtime Windows Media Player 10 Windows Media Player 9 Series TweakMP PowerToy Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB885884 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB887742 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB890859 Windows XP Hotfix - KB890923 Windows XP Hotfix - KB891781 Windows XP Hotfix - KB893066 Windows XP Hotfix - KB893086 Windows XP Service Pack 2 WinZip Yahoo! Internet Mail Yahoo! Messenger ZoneAlarm Security Suite Zoo Tycoon Demo -- Host= Cpq D500,P4 1.9ghz, 512mb ram, 40GB HD, 5-6 clients networked 2-3 wireless rest wired. | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| BINGO! Here is how I think you got infected with this. You have two versions of Sun Java installed. One of them (the older one) is vulnerable to exploits.
J2SE Runtime Environment 5.0 Update 5
Java 2 Runtime Environment, SE v1.4.2_05
You need to remove this one: Java 2 Runtime Environment, SE v1.4.2_05
Use Add/Remove program in the Control Panel.
Even though you updated to the latest Sun Java 5.0 update 5, that older version is still vulnerable and malware can still call it up and infect you by exploiting that one.
This is a bad move by Sun Java to not remove older versions when users update to the latest version. Leaving that older version on your system leaves you exposed still to the vulnerable version.
See my post here about this vulnerability in Sun Java. »Potential Vulnerability with Sun Java auto update -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |   jhalleau
join:2003-03-04 Vancouver, WA | reply to jhalleau Thanks again, I have removed the old version, and all seems well. Thanks again for your help!! | |   CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| You're welcome! Glad we could help 
Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?
One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. Go to Start > Run, click on *My Computer*. Click Properties. Click the System Restore tab. Check Turn off System Restore. Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore. Go to Start > Run, click on *My Computer*. Click Properties. Click the System Restore tab. UN-Check *Turn off System Restore*. Click Apply, and then click OK.
How to Turn On and Turn Off System Restore in Windows XP »support.microsoft.com/default.as···s;310405
...............
Some "Prevention" tips. We now have to include... Please remove old versions of Sun Java manually after doing an update!
Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help. »Security »How do I prevent browser hijacks and spyware?
I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE. Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft... they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable! Windows Update »v4.windowsupdate.microsoft.com/e···ault.asp
And see this link for instructions on how to configure the enhanced security features in SP2: »www.microsoft.com/technet/securi···cxp.mspx
I also highly recommend getting the free tool Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.
MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provide easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here: Microsoft Baseline Security Analyzer »www.microsoft.com/technet/securi···ome.mspx Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
Microsoft also has a free Antispyware program that offers resident protection to prevent infections as well. I do recommend it as an extra layer of protection for you. »www.microsoft.com/athome/securit···ult.mspx -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2006 Proud Member of ASAP (Alliance of Security Analysis Professionals) | |  KayJo
join:2005-11-27 Tulsa, OK
| I've also been told I have Virtumundo.C on my computer (as noted from my MS Antispyware scan). Do I need to do the exact same as above?
Logfile of HijackThis v1.99.1
Scan saved at 2:22:01 PM, on 11/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »rd.yahoo.com/customize/sbcydsl/d···ahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = »rd.yahoo.com/customize/sbcydsl/d···/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »rd.yahoo.com/customize/sbcydsl/d···ahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = »channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »my.netzero.net/s/sp?r=al&cf=sp&m···HSEM&O=I
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\efeef.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - »www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - »messenger.msn.com/download/MsnMe···ader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: efeef - C:\WINDOWS\System32\efeef.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

garys_2k
join:2004-05-07 Farmington, MI
said by KayJo:
I've also been told I have Virtumundo.C on my computer (as noted from my MS Antispyware scan). Do I need to do the exact same as above?

Best to start your own thread, and you ought to follow the FAQ directions first, too.