Klone Virus

Computing.Net > Forums > Security and Virus > Klone Virus

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Click here to start participating now! Also, check out the New User Guide.

Klone Virus

Name: annah
Date: April 6, 2007 at 09:06:48 Pacific
OS: Windows XP Ver 2002 SP2
CPU/Ram: Intel Pentium(R) 4 CPU 3.
Product: HP Pavilion ZD7168cl

Comment:

I have a Klone virus and cannot get rid of it. I have AVG Anti-Virus and Anti-Spyware. They clean but it just respawns. It is on both of my laptop on a wireless network.. could it have spread through the network? My laptops started spawning IE pages simultaneously last night pointing to some network address with a port, username and authentication id. I have HTJ logs and Smitfraud logs but was told not to post unless an expert reqested it.. Any help would be really appreciated!!
Anna

Google Ads

Response Number 1

Name: jabuck
Date: April 6, 2007 at 09:09:46 Pacific

Reply:

Please post the Hijack This log and the Smitfraudfix log please.

Response Number 2

Name: annah
Date: April 6, 2007 at 09:35:55 Pacific

Reply:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:08 AM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/C...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishAc...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Nactem Restore Service (sachtats) - Unknown owner - C:\WINDOWS\system32\sachtats.exe (file missing)
O23 - Service: Svctem Restore Service (srservicoac) - Unknown owner - C:\WINDOWS\system32\svchtats.exe (file missing)

SmitFraudFix v2.164
Scan done at 11:55:37.14, Fri 04/06/2007
Run from C:\Documents and Settings\Anna\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Anna

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Anna\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Anna\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
DNS Server Search Order: 65.24.7.3
DNS Server Search Order: 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\..\{69A5ADCB-3C25-45D7-8CC1-2B272EAE4745}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\..\{69A5ADCB-3C25-45D7-8CC1-2B272EAE4745}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS3\Services\Tcpip\..\{69A5ADCB-3C25-45D7-8CC1-2B272EAE4745}: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=65.24.7.3 65.24.7.6

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks,
Anna

Response Number 3

Name: jabuck
Date: April 6, 2007 at 10:09:11 Pacific

Reply:

Please download SDFix by AndyManchesta and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
Instead of Windows loading as normal, a menu with options should appear.
Select the first option, to run Windows in "Safe Mode", then press "Enter".
Choose your usual account.

Once in Safe Mode, please do the following:
In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double-click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt

Response Number 4

Name: annah
Date: April 6, 2007 at 10:40:07 Pacific

Reply:

It is in progress on one. Should I also run this same program in the same manner on my other laptop or do you want HJT amd Smitfraud logs for that one too?

***********************
Report log for laptop #1

SDFix: Version 1.77
Run by Anna - Fri 04/06/2007 - 13:35:43.18
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...
Normal Mode:
Checking Files:
No Trojan Files Found...

ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files:
---------------

Checking For Files with Hidden Attributes:
C:\Documents and Settings\Anna\Local Settings\Application Data\Microsoft\Visio\SGCache\CRB1081.tmp
C:\Documents and Settings\Anna\My Documents\Anna\My Documents\My Pictures\Kodak Pictures\2007-02-10\CRB2B6D.tmp
Finished

Response Number 5

Name: jabuck
Date: April 6, 2007 at 11:16:04 Pacific

Reply:

I think I see the problem but need a little more info.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

ebay postage vendors broadcom bcm4311 IEEE 802.11b PRISM3 USB kodak easyshare dx7630 driver ieee 802.11b g driver download corel draw demo invalid sibling link SUN stop key tput cup disable ctrl+c	hex 92 Please name this partition type before saving it samba disable cups broadcom bcm4306kfb linux zip folder broadcom wlan fedora avg 2003 DNS Suffix Search List system restarts automatically deterministic network enhancer miniport
See More

Response Number 6

Name: annah
Date: April 6, 2007 at 11:29:37 Pacific

Reply:

"Anna" - 07-04-06 14:23:21 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Anna\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))

2007-04-06 11:55 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-06 11:55 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-06 11:55 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-06 11:55 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-06 11:55 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-06 11:55 2,214 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-06 11:55 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-06 09:34 <DIR> d-------- C:\Program Files\IObit
2007-04-05 23:41 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-05 23:16 <DIR> d-------- C:\WINDOWS\pss
2007-04-05 23:01 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-04-05 23:01 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-05 23:01 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2007-04-05 23:01 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-04-05 23:01 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2007-03-17 17:23 56,912 --a------ C:\DOCUME~1\Anna\g2mdlhlpx.exe
2007-03-17 17:23 <DIR> d-------- C:\Program Files\Citrix

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-29 20:06 -------- d-------- C:\Program Files\microsoft works
2007-03-26 20:56 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\wholesecurity
2007-03-25 14:05 -------- d--h----- C:\Program Files\installshield installation information
2007-03-25 14:05 -------- d-------- C:\Program Files\paypal
2007-03-09 12:05 -------- d-------- C:\Program Files\stamps.com internet postage
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-02 16:07 -------- d-------- C:\Program Files\wizards of the coast
2007-03-02 10:01 -------- d-------- C:\Program Files\kodak
2007-03-02 09:56 -------- d-------- C:\Program Files\Common Files\kodak
2007-02-28 15:09 -------- d-------- C:\Program Files\ebay
2007-02-28 15:06 -------- d-------- C:\Program Files\Common Files\installshield
2007-02-27 15:42 -------- d-------- C:\Program Files\microsoft money 2007
2007-02-26 16:16 -------- dr-h----- C:\DOCUME~1\Anna\APPLIC~1\yahoo!
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\talkback
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\symantec
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\smartdraw
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\roxio
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\real
2007-02-26 16:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\my games
2007-02-26 16:13 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\lavasoft
2007-02-26 16:13 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\juniper networks
2007-02-26 16:13 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\installshield installation information
2007-02-26 14:30 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\firaxis games
2007-02-26 14:30 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\download manager
2007-02-26 14:30 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\corel
2007-02-26 14:30 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\alien skin
2007-02-26 14:30 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\adobeum
2007-02-26 09:52 -------- d-------- C:\Program Files\irfanview
2007-02-23 16:58 -------- d-------- C:\Program Files\Common Files\l&h
2007-02-21 17:06 -------- d-------- C:\Program Files\the classified connection demo
2007-02-21 16:57 -------- d-------- C:\Program Files\myfree classifieds demo
2007-02-21 15:36 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\help
2007-02-21 11:50 -------- d-------- C:\Program Files\flock
2007-02-21 11:50 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\flock
2007-02-21 11:16 12 --a------ C:\WINDOWS\system32\vcklib.sys
2007-02-21 10:17 12 --a------ C:\WINDOWS\system32\vchklib.sys
2007-02-21 10:17 -------- d-------- C:\Program Files\dominant ad creator
2007-02-18 10:40 -------- d-------- C:\Program Files\overstock
2007-02-17 22:00 -------- d-------- C:\Program Files\msxml 4.0
2007-02-16 07:22 -------- d-------- C:\Program Files\google
2007-02-15 15:23 -------- d-------- C:\Program Files\yahoo!
2007-02-15 15:20 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\google
2007-02-15 10:16 -------- d-------- C:\DOCUME~1\Anna\APPLIC~1\hewlett-packard
2007-02-15 10:12 20454 --------- C:\WINDOWS\hpoins01.dat
2007-02-15 10:12 -------- d-------- C:\Program Files\hewlett-packard
2007-02-15 09:54 -------- d-------- C:\Program Files\java
2007-01-30 17:15 49152 -ra------ C:\WINDOWS\system32\inetwh32.dll
2007-01-30 17:15 1044480 -ra------ C:\WINDOWS\system32\roboex32.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-02 14:05 17107 --a------ C:\DOCUME~1\Anna\APPLIC~1\.googlewebacchosts

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"Carbonite Backup"="C:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteUI.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\READER~1.exe "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Synchronizer.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Synchronizer.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\READER~1.0\\Reader\\ADOBEC~1.exe "
"item"="Adobe Reader Synchronizer"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\hpoddt01.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\hpoddt01.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hpotdd01.exe "
"item"="hpoddt01.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.exe -hx"
"item"="Kodak EasyShare software"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\KODAK Software Updater.lnk"
"backup"="C:\\WINDOWS\\pss\\KODAK Software Updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.exe "
"item"="KODAK Software Updater"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\officejet 6100.lnk"
"backup"="C:\\WINDOWS\\pss\\officejet 6100.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\DIGITA~1\\bin\\hposol08.exe "
"item"="officejet 6100"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /installquiet"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PayPal Virtual Debit Card]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OToolbar"
"hkey"="HKLM"
"command"="rundll32.exe C:\\PROGRA~1\\PayPal\\PAYPAL~1\\OToolbar.dll,StartUp /dontopenmycards"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
"NoResolveSearch"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\EasyShare Registration Task.job
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 6100 series#1171548899.job

********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-06 14:25:40
C:\ComboFix-quarantined-files.txt ... 07-04-06 14:25

Response Number 7

Name: jabuck
Date: April 6, 2007 at 11:56:52 Pacific

Reply:

Got to start> control panel> administartive tools> services> scroll down to "Nactem Restore Service (sachtats)"> click stop (if stop does not respond just continue)> on the far right of "startup type" click the drop down arrow> click disable>apply ok.
Next do the same for "Svctem Restore Service (srservicoac)".
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download and install AVG Anti-Spyware We will need this later in safe mode
Be sure to update AVG Anti- Spyware
Download Killbox to your desktop from this link Killbox by Option^Explicit. If you already have "Killbox" update to this newer version. We will need it later in safe mode
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run Hijack This from safe mode, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Nactem Restore Service (sachtats) - Unknown owner - C:\WINDOWS\system32\sachtats.exe (file missing)
O23 - Service: Svctem Restore Service (srservicoac) - Unknown owner - C:\WINDOWS\system32\svchtats.exe (file missing)
Exit Hijack This but remain in safe mode.
Run Killbox from safe mode. Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\svchtats.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let us know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click Here to download and run missingfilesetup.exe. Then try Killbox again.
Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

In Safe Mode, run AVG Anti-spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Please post the AVG report and a new Hijack This log.
You java is out of date and should be updated as soon as possible. Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed
. Then from your desktop double-click on jre-1_6_0-windowsi586-p.exe to install the newest version.

Response Number 8

Name: annah
Date: April 6, 2007 at 17:44:21 Pacific

Reply:

Ok.. when I ran HTJ in Safe Mode neither the O4 nor the two O23 items were present on the list, so I could not click on them to be fixed.
When I did Killbox I got this warning: PendingFileRenameOperations Registry Data has been removed by External Process!
Logs requested are below:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:41:50 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Anna\Desktop\HiJackThis_v2.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Microsoft Office Outlook 2003.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/C...
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gm...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishAc...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6157 bytes
AVG Anti-Spyware - Scan Report

+ Created at: 7:28:39 PM 4/6/2007
+ Scan result:
:mozilla.754:C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\wxuh1di2.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.754:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Mozilla\Firefox\Profiles\wxuh1di2.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.61:C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\gfppcrr9.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.63:C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\gfppcrr9.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.512:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.512:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.678:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.678:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.750:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.750:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.752:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.752:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
:mozilla.268:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.268:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.372:C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\wxuh1di2.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.372:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Mozilla\Firefox\Profiles\wxuh1di2.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.73:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.73:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.74:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.74:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.75:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.90:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.90:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.91:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.91:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.92:C:\Documents and Settings\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.92:C:\Documents and Settings\Anna\My Documents\Anna\Application Data\Flock\Browser\Profiles\js3xnqpn.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.25:C:\Documents and Settings\Anna\Application Data\Mozilla\Firefox\Profiles\gfppcrr9.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.

::Report end

Response Number 9

Name: jabuck
Date: April 6, 2007 at 19:49:19 Pacific

Reply:

Looks much better.
Run Hijack This and remove the following item unless you set it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Everything else in the Hijack This log is clean.
How is the computer operating?

Response Number 10

Name: annah
Date: April 7, 2007 at 07:32:36 Pacific

Reply:

Everything seems to be running fine. I followed pretty much the same steps on my other laptop and all seems good. AVG-AS ran on both laptops this morning and came up with nothing.
Thank you for your help! Seems to have take care of the issue. :)

Response Number 11

Name: jabuck
Date: April 8, 2007 at 17:50:07 Pacific

Reply:

Glad we could help.

Google Ads

Internet Explorer Shuts D...

URGENT HELP NEEDED.. adwa...

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Google Ads

Results for: Klone Virus

Klone virus malware check

Summary

www.computing.net/answers/security/klone-virus-malware-check/19689.html

Klone virus

Summary

www.computing.net/answers/security/klone-virus/19715.html

I also need help with Klone virus

Summary

www.computing.net/answers/security/i-also-need-help-with-klone-virus/19701.html

Explore Similar Topics

what is g2mdlhlpx.exe?

Ask a Question!

From the Geek Dictionary
overclock - the action of taking a processor and making run faster than what it's stock...

Weekly Poll
Would you play for PlayStation Network?

Poll Finishes In 4 Days.
Discuss in The Lounge
Poll History

Recent Posts
Excel is killing me!!!!

parser message

need audio driver

Excel macro help

LAN Setup

All Awaiting Reply

Tom's News
VIDEO: An HD Tour of the Space Station

Samsung Launching AMOLED Phone Next Week?

Man Fined $1.5M for Leaked Mario Game Upload

Toyota Issues Recall Over Prius Braking Problems

Mario Creator Mentions New Nintendo Hardware

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE