Text only | Text with Images

LandzDown Forum

Security => Analysis and Malware Removal => Topic started by: Specht15 on March 25, 2007, 05:06:35 PM

Title: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 25, 2007, 05:06:35 PM
If anyone could help me my computer is hardly running with this nasty virus I somehow picked up. I've run the latest versions of Spyware Blaster, XoftSpySE, Ad-Aware SE, and Microsoft Live-One online scan, even the VundoFixers and they've all failed. This one is bad and I'm about to take a freakin bat to this laptop but I really can't reformat my computer and wouldn't like to. If anyone could help me that would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:57 AM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zune\ZuneNss.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ryan Specht\Desktop\hijackthis\YGakDis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/ml...ex.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0713ECF3-E6FC-0345-D4C2-06F112168C0E} - C:\WINDOWS\system32\mbhjayh.dll
O2 - BHO: (no name) - {1E5F0B86-C768-40D9-BB23-66C31843C8AF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {74CE80F5-19C4-4DD8-AF14-D9FC304832A8} - C:\WINDOWS\system32\awttqrq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {A6A3E190-E7F3-4EF6-B761-4F05467280D4} - C:\WINDOWS\system32\mlljh.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\vcnfnygn.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tbqgwhj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\tbqgwhj.dll",sixmznb
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151558318093
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: awttqrq - C:\WINDOWS\SYSTEM32\awttqrq.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\system32\mlljh.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Paddy on March 25, 2007, 05:35:25 PM
Hello, Specht15   looks like you've picked up a Trojan!!

Trojan.Win32.VB.aia

Please do a few of these on line scans ..when finished post the results of the scans and a fresh HjT ..Please ..

Please can you try at least two if not more of these  On-line scans
Panda (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)
TrendMicro (http://housecall.trendmicro.com/housecall/start_corp.asp)
Bit Defender (http://www.bitdefender.com/scan/licence.php)
Kaspersky (http://www.kaspersky.com/scanforvirus.html)
Symantec (http://security.symantec.com/ssc/home.asp?j=1&langid=us&venid=sym&plfid=23&pkj=AUVCCVGZBZTVOGXFSTZ)
McAfee (http://us.mcafee.com/root/mfs/default.asp)
CommandonDemand (http://www.commandondemand.com/eval/index.cfm)
Computer Associates (http://www3.ca.com/threatinfo/virusinfo/)
CyberTechHelp (http://www.cybertechhelp.com/html/misc/av.php)
PC Pitstop (http://www.pcpitstop.com/antivirus/default.asp)
Stinger (http://vil.nai.com/vil/stinger/)
Also please use one or both of  these Trojan scanners
a2 (http://www.emsisoft.com/en/software/free/)
or download and try
TrojanHunter (http://www.misec.net/) (Note Trojan Scanner 30 day Trial)

Then once you have done clear out your cache folder again ie: Run
CCleaner (http://www.ccleaner.com/)
(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours"). but see CCleaner Set up (http://www.bbusa.net/ghost1/ccleanersetup.html)


numbnuts..
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 25, 2007, 06:25:37 PM
Hi, Specht15.  Welcome to LandzDown Forum.

You may want to start with the following and then the online scan.  Please post a fresh HijackThis log afterward as well as any log from the online scan.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 25, 2007, 08:08:57 PM
I'm gettin more and more viruses or spyware programs notified every time i reboot, this is gettin ridiculous....

i ran vundofix for the second time...

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:45:23 AM 3/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\honivpkb.dll
C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awtqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.bak1
C:\WINDOWS\system32\rqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.bak2
C:\WINDOWS\system32\rqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rqtwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtwa.tmp
C:\WINDOWS\system32\rqtwa.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.17

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:23:10 PM 3/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\vcnfnygn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\hjllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mlljh.dll
C:\WINDOWS\system32\mlljh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vcnfnygn.dll
C:\WINDOWS\system32\vcnfnygn.dll Has been deleted!

Performing Repairs to the registry.
Done!

and a new HJT...

Logfile of HijackThis v1.99.1
Scan saved at 3:05:12 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\YGakDis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0713ECF3-E6FC-0345-D4C2-06F112168C0E} - C:\WINDOWS\system32\mbhjayh.dll
O2 - BHO: (no name) - {1E5F0B86-C768-40D9-BB23-66C31843C8AF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F98D516-4305-9517-DFA3-02B1ED3E3BE3} - C:\WINDOWS\system32\wmhwefk.dll
O2 - BHO: (no name) - {74CE80F5-19C4-4DD8-AF14-D9FC304832A8} - C:\WINDOWS\system32\awttqrq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {DC42533B-CE9E-4E45-959E-67654B2AD669} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tbqgwhj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\tbqgwhj.dll",sixmznb
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlib.dll,startup
O4 - HKLM\..\Run: [wbztyck.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wbztyck.dll,ssmnobb
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\MCROSO~1.NET\dexplore.exe" -vt yazb
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: awttqrq - awttqrq.dll (file missing)
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)


I then ran the online scan at PCPitstop and it somehow found no viruses and the other scans I'm in are on pace to take close to 4 more hours from Panda and McAfee
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 25, 2007, 08:23:47 PM
I tried running a2 Security Center and it said the Free Trial Expired
and Trojan Hunter Quick Scan found

Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100)    (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTDrive (matches Hoax.Renos.201)    (Regedit Jump)

I was wondering if a simple subscription to Norton or any other certain antivirus
program would solve this trojan or whatever it is for sure??
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: GR@PH;<'S on March 25, 2007, 09:29:11 PM
Specht15,
I am no HJT expert but some times it has been known that some nasties are either hidden or they rename them selves.
So can you give HijackThis it's our folder Go into C:\Program Files and make a new folder called HijackThis. Cut the HijackThis.exe file from its current location and paste it into your newly made folder, C:\Program Files\HijackThis.

This is important because if you fix stuff with HJT, it makes backups of the fixes.
But if you have HJT in a temp folder, it will put the fixes there too, and they then run the risk of being deleted.

Now rename the hijackthis.exe file to ?? HjT.exe

Once you've followed these instructions exactly, run HjT from its new location at C:\Program Files\HijackThis, and post a New HjT  logfile please.

GR@PH;<'S   :Hammys pint:
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 25, 2007, 09:57:15 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:56:20 PM, on 3/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Zune\ZuneNss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0713ECF3-E6FC-0345-D4C2-06F112168C0E} - C:\WINDOWS\system32\mbhjayh.dll
O2 - BHO: (no name) - {1478E61F-7FEA-4B9B-BACB-3B09B0F7CC11} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1E5F0B86-C768-40D9-BB23-66C31843C8AF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F98D516-4305-9517-DFA3-02B1ED3E3BE3} - C:\WINDOWS\system32\wmhwefk.dll
O2 - BHO: (no name) - {70E0B90F-2810-499B-BC8E-6B96FF0DA137} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {74CE80F5-19C4-4DD8-AF14-D9FC304832A8} - C:\WINDOWS\system32\awttqrq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\spgupgbc.dll
O2 - BHO: (no name) - {DC42533B-CE9E-4E45-959E-67654B2AD669} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [tbqgwhj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\tbqgwhj.dll",sixmznb
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [wbztyck.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wbztyck.dll,ssmnobb
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\MCROSO~1.NET\dexplore.exe" -vt yazb
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: awttqrq - awttqrq.dll (file missing)
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Thank you all very much for your time
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 25, 2007, 10:35:16 PM
Hi, Specht15.  I've just started looking at your log.  The first analysis of Vundo was obvious.  It may take me a bit to research the rest though.

In the meantime, what do you mean by the statement about Norton?  You show Symantec in your logfile.

QuoteI was wondering if a simple subscription to Norton or any other certain antivirus
program would solve this trojan or whatever it is for sure??

While I'm analyzing, did you note the following in the VundoFix log:

QuoteChecking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

While I'm busy researching, how about if you take care of the vulnerable versions of Sun Java.  You can stay with the current version of Java, but it would be better to update that as well.  Please see the illustrated instructions in my blog post:  http://securitygarden.blogspot.com/2006/09/sunflowers-and-sunjava-update.html

Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 25, 2007, 10:51:17 PM
Well I mean my Norton subscription ran out a while ago and I was just wondering if there are certain high-caliber Antivirus like McAfee, Norton or any other programs out there that I could subscribe to that would take care of this problem? Thanks again for everything, I'll try to remove and update Java
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 25, 2007, 11:09:47 PM
Ah, well, an expired subscription does explain a bit doesn't it. Right now you have your hands full.  Let's get you through these steps and I'll put together some information for you on free antivirus software and free firewalls.

FYI, re SpyNoMore from http://www.spywarewarrior.com/rogue_anti-spyware.htm#snm_note :

QuoteNote on SpyNoMore:  SpyNoMore was listed on this page because of concerns with false positives. Testing with the latest version of the program  indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider SpyNoMore to be "rogue/suspect" anti-spyware.

Let's see if we can do this the "easy way".  Please follow the instructions carefully.

A. Please download and install the following files: B. Run ATF CleanerC.  Restart your computer in Safe Mode.If you need further assistance with Safe Mode, see Symantec (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)

D.  Scanning and system cleaning with AVG Anti-Spyware.  Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

E. Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following, if found, and press "Fix Checked":


O2 - BHO: (no name) - {0713ECF3-E6FC-0345-D4C2-06F112168C0E} - C:\WINDOWS\system32\mbhjayh.dll
O2 - BHO: (no name) - {1478E61F-7FEA-4B9B-BACB-3B09B0F7CC11} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1E5F0B86-C768-40D9-BB23-66C31843C8AF} - C:\WINDOWS\system32\awtqr.dll (file missing)
O2 - BHO: (no name) - {46A4E9D9-B30E-452A-8157-DBBEC8573B03} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O2 - BHO: (no name) - {6F98D516-4305-9517-DFA3-02B1ED3E3BE3} - C:\WINDOWS\system32\wmhwefk.dll
O2 - BHO: (no name) - {70E0B90F-2810-499B-BC8E-6B96FF0DA137} - C:\WINDOWS\system32\mljjj.dll (file missing)
O2 - BHO: (no name) - {74CE80F5-19C4-4DD8-AF14-D9FC304832A8} - C:\WINDOWS\system32\awttqrq.dll (file missing)
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINDOWS\system32\spgupgbc.dll
O2 - BHO: (no name) - {DC42533B-CE9E-4E45-959E-67654B2AD669} - C:\WINDOWS\system32\mlljh.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll
O4 - HKLM\..\Run: [tbqgwhj.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\tbqgwhj.dll",sixmznb
O4 - HKLM\..\Run: [wbztyck.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\wbztyck.dll,ssmnobb
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\MCROSO~1.NET\dexplore.exe" -vt yazb
O20 - Winlogon Notify: awttqrq - awttqrq.dll (file missing)
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: mljjj - C:\WINDOWS\system32\mljjj.dll (file missing)
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll

F.  Restart in Normal Mode and double-click the HijackThis icon on your desktop.  Choose "Do a system scan and save logfile". 

G.  Post a reply with the following logs and let us know how your PC is doing:Thank you.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: GR@PH;<'S on March 25, 2007, 11:10:48 PM
Specht15,
Quotemy Norton subscription ran out a while ago
:blink:  :smash:
I recommend that you go download AVG's (http://free.grisoft.com/doc/2/lng/us/tpl/v5) Anti virus program or even avast-home-edition (http://www.vnunet.com/vnunet/downloads/2128339/avast-home-edition) (Both are free programs)

GR@PH;<'S   :Hammys pint:
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: GR@PH;<'S on March 25, 2007, 11:16:31 PM
Specht15,
QuoteI tried AVG and it can't seem to fix it. I'll look at Avast-Home-Edition though thank you.
But do as Corrine has said first then go download or you more likey to get infected more.

GR@PH;<'S   :Hammys pint:
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 25, 2007, 11:37:05 PM
Ok, this will keep you busy after you follow the above instructions, particularly since I may not have time to look at your logs until tomorrow night. For a free software, AVG is a good antivirus software, as are the others listed below.  There are also some excellent subscription programs, including NOD32 by ESET, Kaspersky and F-PROT by FRISK.  Note:  The instructions I gave above for cleaning your computer are for AVG antispyware, not the antivirus software.  I doubt any antivirus software would have been able to remove the infection on the computer, which is why the security community is indebted to the developers of programs like VundoFix.

Adobe

You have a vulnerable version of Adobe on your computer.  There is a serious cross-site scripting (XSS) vulnerability in Adobe Reader 7.0.8 and earlier. You can either update to version 7.0.9 or you can install version 8, which no longer includes the vulnerability. Another option is to uninstall Adobe Reader and install an alternative such as Foxit Reader.

Version 7.0.9: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3576
Version 8: http://www.adobe.com/products/acrobat/readstep2.html
Foxit Reader: http://www.foxitsoftware.com/pdf/rd_intro.php

Free Firewalls:

Agnitum Outpost Firewall (http://www.agnitum.com/products/outpostfree/index.php)
Kerio Personal Firewall (http://www.kerio.com/kpf_download.html)
ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)

Free Antivirus Software:

avast! 4 Home Edition (http://www.avast.com/eng/download-avast-home.html)
AVG Free (http://free.grisoft.com/freeweb.php/doc/2/)
Avira AntiVir PersonalEdition Classic (http://www.free-av.com/)
BitDefender 8 (http://www.bitdefender.com/site/Main/view/Download-Free-Products.html?menu_id=21)

It wouldn't be a bad idea to take a run with Secunia Software Inspector, described here:  http://securitygarden.blogspot.com/2006/12/secunia-software-inspector.html

Note:  In the event you decide not to renew your subscription with Norton, it can be a bit tricky removing the software.  I suggest that you start here http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606?OpenDocument&seg=hm
and scroll down to the bottom; there you will find links to remove newer versions of the antivirus program.

Also see commonly used Symantec tools:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005103109480139

Here's another page that may be of interest:
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2001011116210048?OpenDocument&seg=hm

Finally, see MVP Brian Bascon's pages:
http://basconotw.mvps.org/SymRem.htm (NIS/NSW/NAV 2006 and earlier-specific page)
http://basconotw.mvps.org/SymRem2.htm (NIS/NSW/NAV 2007-specific page)
http://basconotw.mvps.org/ (home)
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 26, 2007, 01:21:18 AM
Ok, I lost you after installing AVG Anti-Spyware. About midway through step A of your instructions you said to "change state to inactivate Resident Shield and Automatic Updates." The closest I came to something like that was clicking Control Center from The AVG Test Center window then right-clicking Resident Shield to turn it off through properties, but there was no Automatic Updates in that list. Then after running services.msc there was no "AVG Anti-Spyware guard" anywhere on the Extended tab. Lastly I ran the ATF cleaner anyway and rebooted to safe mode then I don't see the "scanner" button to click that you referred to right after the reboot. I'm really sorry, this things make me feel more and more helpless. Thank you for all the effort.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 26, 2007, 01:31:08 AM
wow...i dl somehow dl regular AVG not AVG spyware....sorry nvm last post I'll try it again
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 26, 2007, 01:51:30 AM
Ok.  See you tomorrow evening then as I will be at work during the day (Eastern time). 
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 26, 2007, 11:59:56 AM
Well it's still got some big problems Webcry and Netster are still popping up and it's still very slow, I think it may be getting a little better I don't know. Here's the scans...

Logfile of HijackThis v1.99.1
Scan saved at 6:56:11 AM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\?racle\l?ass.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\HJT\hijackthis\HJT.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E3AC45-6B85-3655-F04E-19E3379DADEC} - C:\WINDOWS\system32\lpxxnfdz.dll
O2 - BHO: (no name) - {207981A2-602B-4D20-A49D-FA2E2ED22862} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} - C:\WINDOWS\system32\vgttnm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [hoajyhc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll",ibeqwid
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Eyxafs] "C:\Program Files\?racle\l?ass.exe"
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at:   6:29:01 AM 3/26/2007

+ Scan result:   



C:\Program Files\Common Files\{106919D9-07CA-1033-0403-060503310001}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{106919D9-07CA-1033-0403-060503310001}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0053229.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057040.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057010.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0052177.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0052178.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\system32\svchosts.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win121.tmp.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057059.exe -> Downloader.Agent.bdr : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053235.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053233.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058726.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054455.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370\A0053236.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win14B.tmp.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369\A0053225.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057061.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058728.exe -> Hijacker.Agent.jb : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win11F.tmp.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Program Files\Common Files\svchost.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054263.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057058.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0057709.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058709.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058823.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\WINDOWS\svchost.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057131.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP382\A0057542.dll -> Trojan.Agent.acl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058727.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvlib.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\drvpih.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Desktop\SDFix\backups\backups.zip/backups/win129.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378\A0057060.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP371\A0054262.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wcpsu.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP358\A0050245.exe/zgo.exe -> Worm.Agent.v : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP358\A0050245.exe/run.exe -> Worm.VB.njc : Cleaned with backup (quarantined).


::Report end

Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 26, 2007, 11:15:23 PM
Hi, Specht15.  You still have some work ahead of you because the Vundo installer is still on your computer.  Let's  try a different tool.  I suggest you print these instructions or save them to your desktop as you will be working from safe mode much of the time and will not be connected to the internet.

A  Please download VirtumundoBeGone http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe and save it on your desktop.

B.  Please reboot your computer in SafeMode by doing the following: C.  Double-click VirtumundoBeGone and follow the instructions. Exit when it has finished.

D. While still in Safe Mode, launch HijackThis and do the following:E.  Still leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {15E3AC45-6B85-3655-F04E-19E3379DADEC} - C:\WINDOWS\system32\lpxxnfdz.dll
O2 - BHO: (no name) - {207981A2-602B-4D20-A49D-FA2E2ED22862} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} - C:\WINDOWS\system32\vgttnm.dll
O2 - BHO: (no name) - {B8B843C0-8296-44B5-9D77-31FCC3CEE619} - C:\WINDOWS\system32\hgggedb.dll
O4 - HKLM\..\Run: [hoajyhc.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll",ibeqwid
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKCU\..\Run: [Eyxafs] "C:\Program Files\?racle\l?ass.exe"
O20 - Winlogon Notify: hgggedb - C:\WINDOWS\SYSTEM32\hgggedb.dll
O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\SYSTEM32\winhdn32.dll
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)

Click on Fix Checked when finished and exit HijackThis.

F. Using Windows Explorer, locate the following files, and delete them:

C:\Program Files\?racle\l?ass.exe
C:\WINDOWS\system32\lpxxnfdz.dll
C:\WINDOWS\system32\vtuts.dll
C:\WINDOWS\system32\vgttnm.dll
C:\WINDOWS\system32\hgggedb.dll
C:\Documents and Settings\Ryan Specht\Local Settings\Application Data\hoajyhc.dll, ibeqwid
C:\WINDOWS\system32\v6.exe
C:\WINDOWS\SYSTEM32\winhdn32.dll
C:\WINDOWS\system32\svchosts.exe  [Note: NOT singular svchost.exe)

Exit Explorer, and reboot as normal afterwards.

G.  Note:  If you were unable to find any of the files in Step F. above, please follow these additional instructions:

Download Pocket Killbox (http://www.bleepingcomputer.com/files/killbox.php) and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot.  For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

H.  Post the log created by VirtumondoBeGone as a reply along with a new HijackThis log.  Please let me know the status of your computer.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 27, 2007, 01:04:50 AM
I ran the scans and followed the instructions but it still feels slow though I'm pretty sure we've eliminated the pop-ups so that's good. Whenever I login from a reboot a little window pops up titled "Security" with an exclamation mark in a yellow circle or box saying something short about security or a program being shut down and it just has one box to click titled OK. I don't know if that matters. I can't thank you enough for all the help you're givin me. You're a lot of help!

[03/26/2007, 18:52:44] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 18:52:54] - Detected System Information:
[03/26/2007, 18:52:54] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 18:52:54] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 18:52:54] -  Windows is in SAFE mode with Networking.
[03/26/2007, 18:52:54] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vtuts
[03/26/2007, 18:52:54] -  Found: HKLM\...\Winlogon\Notify\vtuts - This is probably Virtumundo.
[03/26/2007, 18:52:54] -  Assigning {8F689B60-8058-47F5-9697-51AC8855C50E} MSEvents Object
[03/26/2007, 18:52:54] - BHO list has been changed! Starting over...
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] -  BHO 8: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:54] -  BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 10: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\hgggedb
[03/26/2007, 18:52:54] -  Found: HKLM\...\Winlogon\Notify\hgggedb - This is probably Virtumundo.
[03/26/2007, 18:52:54] -  Assigning {B8B843C0-8296-44B5-9D77-31FCC3CEE619} MSEvents Object
[03/26/2007, 18:52:54] - BHO list has been changed! Starting over...
[03/26/2007, 18:52:54] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:54] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:54] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:54] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:54] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:54] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:54] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:54] -  BHO 7: {8F689B60-8058-47F5-9697-51AC8855C50E} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] -  BHO 8: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:54] -  BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:54] -  BHO 10: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} (MSEvents Object)
[03/26/2007, 18:52:54] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:54] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:54] - *** Detected MSEvents Object
[03/26/2007, 18:52:54] - Trying to remove MSEvents Object...
[03/26/2007, 18:52:55] -    Terminating Process: IEXPLORE.EXE
[03/26/2007, 18:52:56] -    Terminating Process: RUNDLL32.EXE
[03/26/2007, 18:52:56] -    Disabling Automatic Shell Restart
[03/26/2007, 18:52:56] -    Terminating Process: EXPLORER.EXE
[03/26/2007, 18:52:56] -    Suspending the NT Session Manager System Service
[03/26/2007, 18:52:56] -    Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 18:52:56] -    Re-enabling Automatic Shell Restart
[03/26/2007, 18:52:56] -   File to disable: C:\WINDOWS\system32\vtuts.dll
[03/26/2007, 18:52:56] -  Renaming C:\WINDOWS\system32\vtuts.dll -> C:\WINDOWS\system32\vtuts.dll.vir
[03/26/2007, 18:52:56] -  File successfully renamed!
[03/26/2007, 18:52:56] -   Removing HKLM\...\Browser Helper Objects\{8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Removing HKCR\CLSID\{8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Adding Kill Bit for ActiveX for GUID: {8F689B60-8058-47F5-9697-51AC8855C50E}
[03/26/2007, 18:52:56] -   Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 18:52:56] -   Removing HKLM\...\Winlogon\Notify\vtuts
[03/26/2007, 18:52:56] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:56] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:57] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:57] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:57] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:57] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:57] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:57] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:57] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:57] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:57] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:57] -  BHO 9: {B8B843C0-8296-44B5-9D77-31FCC3CEE619} (MSEvents Object)
[03/26/2007, 18:52:57] - ALERT: Found MSEvents Object!
[03/26/2007, 18:52:57] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:57] - *** Detected MSEvents Object
[03/26/2007, 18:52:57] - Trying to remove MSEvents Object...
[03/26/2007, 18:52:58] -    Terminating Process: IEXPLORE.EXE
[03/26/2007, 18:52:58] -    Terminating Process: RUNDLL32.EXE
[03/26/2007, 18:52:58] -    Disabling Automatic Shell Restart
[03/26/2007, 18:52:58] -    Terminating Process: EXPLORER.EXE
[03/26/2007, 18:52:58] -    Suspending the NT Session Manager System Service
[03/26/2007, 18:52:58] -    Terminating Windows NT Logon/Logoff Manager
[03/26/2007, 18:52:58] -    Re-enabling Automatic Shell Restart
[03/26/2007, 18:52:58] -   File to disable: C:\WINDOWS\system32\hgggedb.dll
[03/26/2007, 18:52:58] -  Renaming C:\WINDOWS\system32\hgggedb.dll -> C:\WINDOWS\system32\hgggedb.dll.vir
[03/26/2007, 18:52:58] -  File successfully renamed!
[03/26/2007, 18:52:58] -   Removing HKLM\...\Browser Helper Objects\{B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Removing HKCR\CLSID\{B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Adding Kill Bit for ActiveX for GUID: {B8B843C0-8296-44B5-9D77-31FCC3CEE619}
[03/26/2007, 18:52:58] -   Deleting ATLEvents/MSEvents Registry entries
[03/26/2007, 18:52:58] -   Removing HKLM\...\Winlogon\Notify\hgggedb
[03/26/2007, 18:52:58] - Searching for Browser Helper Objects:
[03/26/2007, 18:52:58] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:52:58] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:52:58] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:52:58] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:52:58] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:52:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:52:58] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:52:58] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:52:58] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:52:58] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:52:58] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:52:58] - Finished Searching Browser Helper Objects
[03/26/2007, 18:52:58] - Finishing up...
[03/26/2007, 18:52:58] - A restart is needed.
[03/26/2007, 18:53:14] - Attempting to Restart via STOP error (Blue Screen!)

[03/26/2007, 18:57:03] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 18:57:08] - Detected System Information:
[03/26/2007, 18:57:08] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 18:57:08] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 18:57:08] -  Windows is in SAFE mode with Networking.
[03/26/2007, 18:57:08] - Searching for Browser Helper Objects:
[03/26/2007, 18:57:08] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 18:57:08] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 18:57:08] -  BHO 3: {15E3AC45-6B85-3655-F04E-19E3379DADEC} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\lpxxnfdz
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\lpxxnfdz, continuing.
[03/26/2007, 18:57:08] -  BHO 4: {4DD0DEA4-0A98-A28A-1581-06CB0CCB9C87} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\vgttnm
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\vgttnm, continuing.
[03/26/2007, 18:57:08] -  BHO 5: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 18:57:08] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 18:57:08] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 18:57:08] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 18:57:08] -  BHO 6: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 18:57:08] -  BHO 7: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 18:57:08] -  BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 18:57:08] - Finished Searching Browser Helper Objects
[03/26/2007, 18:57:08] - Finishing up...
[03/26/2007, 18:57:08] - Nothing found! Exiting...

[03/26/2007, 19:28:48] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ryan Specht\Desktop\VirtumundoBeGone.exe" )
[03/26/2007, 19:28:49] - Detected System Information:
[03/26/2007, 19:28:49] -  Windows Version: 5.1.2600, Service Pack 2
[03/26/2007, 19:28:49] -  Current Username: Ryan Specht (Admin)
[03/26/2007, 19:28:49] -  Windows is in SAFE mode with Networking.
[03/26/2007, 19:28:49] - Searching for Browser Helper Objects:
[03/26/2007, 19:28:49] -  BHO 1: {02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
[03/26/2007, 19:28:49] -  BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/26/2007, 19:28:49] -  BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/26/2007, 19:28:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/26/2007, 19:28:49] -  Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/26/2007, 19:28:49] -  Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/26/2007, 19:28:49] -  BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/26/2007, 19:28:49] -  BHO 5: {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} (CNavExtBho Class)
[03/26/2007, 19:28:49] -  BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/26/2007, 19:28:49] - Finished Searching Browser Helper Objects
[03/26/2007, 19:28:49] - Finishing up...
[03/26/2007, 19:28:49] - Nothing found! Exiting...

Logfile of HijackThis v1.99.1
Scan saved at 7:38:20 PM, on 3/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Tbsa] "C:\WINDOWS\system32\ECURIT~1\wucrtupd.exe" -vt ndrv
O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)


Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 27, 2007, 01:58:56 AM
Hi, Specht15.  You're welcome.  :rose:

You've made it through the difficult part.  That Vundo infection was one of the worst I have seen, coupled with other trojans.  In fact, I would suggest checking AVG Antispyware for updates and running another scan.

I meant to ask you about these before but wanted to take care of the Vundo infection first.  Now that it appears to be gone, note:

O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE

If these are games you have downloaded and need to register for, there should be another like to do so.  They don't need to be in Startup.  Besides, since they weren't removed when you ran ATF Cleaner leads me to believe that it would be best to remove them. 

I also hadn't addressed Viewpoint Manager.  It is a questionable AOL service that some are of the opinion is "foistware".  If you want to remove it, you will need to stop the service first and then remove it.  To do so, Restart your computer in Safe Mode and login on your usual account.  Launch HijackThis and do the following:Still leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - Startup: Delta Force-Black Hawk Down Team Sabre Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{94E36E50-FE90-489B-B590-404775E8B9BE}\{6164D2E7-986B-42F5-B3A6-64D5E53FB889}\NOVG.EXE
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Ryan Specht\Local Settings\Temp\{25576266-1DD7-4541-AAF7-7C935BE4AA37}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

Click on Fix Checked when finished and exit HijackThis.

This would be the point to run a new AVG scan, just as you did here:  http://www.landzdown.com/index.php?topic=15396.msg48650#msg48650

You have also downloaded a lot of additional software.  a2 is still on your machine as is Trojan Hunter.  You can also remove VundoFix and Virtumundobegone. 

Have you decided what antivirus software and firewall you are going to use?  (See my post above with links and instructions for removing Norton if you decide on a different antivirus software.)

Granted, it is getting late for me (I start work pretty early in the a.m.) so I may not be seeing as clearly as I should.  However, I'm not spotting anything else in your log.  So, run through what I've written here, make your decisions about a firewall and antivirus software, do the cleanup and then post a fresh HijackThis log but from normal mode this time, not safe mode.  Also, please tell me if you are still noticing your computer feeling slow.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 27, 2007, 01:05:37 PM
I ran the scans and I think AVG did find some more things. I have noticed loading time's are getting much better and things are definitely returning to normal besides not having access to a couple programs. Also, everytime I log on there is a box titled "Security" that always immediately pops up. It's got an exclamation mark in a yellow triangle and the text "The security information is invalid or has been modified. This program will be terminated."

Logfile of HijackThis v1.99.1
Scan saved at 7:43:05 AM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\hijackthis\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:37:39 AM 3/27/2007
+ Scan result:

HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058857.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058858.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\HJT\hijackthis\backups\backup-20070326-064806-363.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058938.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hggfdaa.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hgggedb.dll.vir -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058856.exe -> Downloader.Agent.bca : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058852.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temp\!update.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temporary Internet Files\Content.IE5\45I299NQ\!update-4395[1].0000 -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0059190.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Local Settings\Temporary Internet Files\Content.IE5\3E1NNF3J\ml[1].exe -> Downloader.Small.efh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058850.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058851.exe -> Logger.Agent.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@imeem.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@bfast[2].txt -> TrackingCookie.Bfast : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Ryan Specht\Cookies\ryan_specht@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Ares\Ares.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058854.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058855.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384\A0058853.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wcpsu.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 27, 2007, 04:01:37 PM
I haven't really decided on what antivirus program or firewall to use I was planning on keeping AVG AntiSpyware and I have XoftSpySE installed. I'd like to use the best freeware available but I don't know what you'd suggest or what I'd need to do to set up a new one the right way.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 27, 2007, 04:18:26 PM
I'm on my lunch break so don't have time to research your log but I can certainly *lecture* on the importance of a firewall and antivirus software.  ;)

Actually, these days there is an overlap in detection between antispyware and antivirus programs and many companies have "suites".  However, the "engines" are different and and a/v software does specialize in protecting your computer from viruses.

Everyone has different preferences, different experiences.  Since you are keeping AVG AntiSpyware (you will need to manually update when the trial period expires and the AVG Guard will no longer work), you might want to try one of the other two free A/V's I posted.  That "may" provide broader coverage.  I'm not one for "suites" as I would rather put all my eggs in one basket, but that's me.

There is such a thing as too much protection.  Getting Microsoft updates, having a good firewall, updated antivirus and antispyware sofware programs, real-time protection (i.e., WinPatrol) and SpywareBlaster.  Then, if there is a problem, do an online scan and/or run a different antispyware application.  Or come here.  :)

Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 27, 2007, 05:45:45 PM
Awesome, that sounds good I think I'm just going to resubscribe to Norton. Thank you for the advice.
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 27, 2007, 09:21:05 PM
You're welcome.  Just don't wait too long to resubscribe to Norton.

I do believe that I found the culprit!  Please reboot to safe mode and remove the following with HijackThis.  Note that I've included the Zeus Learning item because your log at SWI was the only other finding.

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\eofxdsew.dll",setvm
O16 - DPF: {EFFF96BF-7DA7-4646-BE34-9624B0C1475E} (Zeus Learning::. Complex Application Distribution System Control (CADS)) - http://www.keyboarding.emcp.com/Resources/Component/cads.CAB

Using Windows Explorer, locate the following file and delete it:

C:\WINDOWS\system32\eofxdsew.dll

Exit Explorer, and reboot as normal afterwards.

Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe (http://ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) (If th at link doesn't work for you, the download link is at the bottom of this page:  http://www.drweb-online.com/en/cure_it.asp?rpid=
(P.S.  Don't forget to update Adobe and let me know how you're doing. ;) )
(P.P.S.  Seeing as how you're spending so much time with us, feel free to hang out in the LzD Lounge & play a game or read/share a joke in the Jokes forum :rose: )
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 28, 2007, 03:36:39 AM
I can't find any traces of the old Adobe it says I have 7.0.9 in Add or Remove Programs i can't find 7.0.8 anywhere.

Logfile of HijackThis v1.99.1
Scan saved at 10:32:44 PM, on 3/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis\HJT.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://stlouis.cardinals.mlb.com/NASApp/mlb/index.jsp?c_id=stl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Valve\Steam\Steam.exe" -silent
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151558318093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4991/mcfscan.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)

hoajyhc.dll;C:\Documents and Settings\Ryan Specht\Local Settings\Application Data;Trojan.DownLoader.based;Deleted.;
nsb5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nse5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nsf5.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
nsf5DC.tmp;C:\Documents and Settings\Ryan Specht\Local Settings\Temp;Tool.Prockill;Incurable.Moved.;
backup-20070326-064806-686.dll;C:\HJT\hijackthis\backups;Trojan.Virtumod;Deleted.;
backup-20070326-064806-984.dll;C:\HJT\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
backup-20070326-190321-910.dll;C:\HJT\hijackthis\backups;Trojan.DownLoader.based;Deleted.;
inetchk.exe;C:\Program Files\music_now;Trojan.Click.2093;Deleted.;
A0052179.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Adware.WebHancer;Incurable.Moved.;
A0053224.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Adware.TopSearch;Incurable.Moved.;
A0053226.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Trojan.Virtumod;Deleted.;
A0053227.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP369;Trojan.Virtumod;Deleted.;
A0053241.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370;Trojan.Virtumod;Deleted.;
A0053265.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP370;Trojan.Virtumod;Deleted.;
A0055976.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP376;Trojan.Virtumod;Deleted.;
A0056978.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057008.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057009.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057043.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0057102.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP378;Trojan.Virtumod;Deleted.;
A0058937.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0058946.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.DownLoader.based;Deleted.;
A0059134.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Tool.Prockill;Incurable.Moved.;
A0059230.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0059231.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP384;Trojan.Virtumod;Deleted.;
A0061267.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Virtumod;Deleted.;
A0061286.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061287.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Virtumod;Deleted.;
A0061288.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061289.dll;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.DownLoader.based;Deleted.;
A0061290.exe;C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP388;Trojan.Click.2093;Deleted.;
awtqr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
mlljh.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vcnfnygn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
awvvt.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hoajyhc.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
jkhfg.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jkkjh.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mbhjayh.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
mllmj.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
odxfrjj.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
qlyaqlna.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
spgupgbc.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tbqgwhj.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
tjvypbmj.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
ucoaxpan.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
uxghvqcb.exe;C:\WINDOWS\system32;Adware.TopSearch;Incurable.Moved.;
vtstq.dll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
vtuts.dll.vir;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wbztyck.dll;C:\WINDOWS\system32;Trojan.DownLoader.based;Deleted.;
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 28, 2007, 11:13:32 AM
Wow!  I have been following elsewhere where Dr.Web CureIt has been effective to use when there still appears to be issues.  It certainly seems to have done the job here.  How is your computer now?
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Specht15 on March 28, 2007, 11:43:51 PM
i think it may actually be better now than before gettin that bad virus. Thank you very much
Title: Re: Plz Help! Webcry, Netster..etc Redirecting and Using Memory
Post by: Corrine on March 29, 2007, 01:32:29 AM
That is good news!!!  :rose:
Text only | Text with Images