win32: trojan gen (other) 2nd comp

geez, I never knew trojans could be so persistent, especially ones like Virut. Hopefully these cyber terrorists will slip up one day…

Hi Jamboy,

No problem on the names, it happens all the time. 8)

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager and Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto-updating for the Viewpoint Manager", the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is often installed without the user's approval but doesn't spy or do anything "bad". This may change; read Viewpoint to Plunge Into Adware.
It is STRONGLY recommended that you remove the Viewpoint products; however, since you use AOL products, Viewpoint will reinstall itself. I suggest you disable the updates as outlined above.

We will use combofix again but run it differently this time.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
- Click the Start button, click Run
- In the Run box type notepad
- Click OK
- In Notepad, click "Format" and be certain that Word Wrap is not checked.
- Copy and paste all the text in the code box below into Notepad. Do Not copy the word CODE

File::
c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp

Registry::

Driver::


In Notepad
- Click File, Save as..., and set the Save in to your Desktop
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click Save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with
- ComboFix log
- new HJT log

How is the computer?

Thanks
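An added example, not part of this thread and not ComboFix's own tooling: a small Python checker that parses a CFScript into its "Name::" sections and a ComboFix log into its "(((( Name ))))" banner sections, confirms the log's "Command switches used ::" line actually names the script, and reports which File:: entries appear under "Other Deletions". The sample script and log below are constructed from the excerpts in this thread, with one path deliberately left out of the sample log's deletions so the not-deleted case is exercised.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample CFScript, mirroring the one posted above.
CFSCRIPT = """File::
c:\\windows\\system32\\fubatuzo.dll.tmp
c:\\windows\\system32\\jozoyona.dll.tmp
c:\\windows\\system32\\perowimi.dll.tmp

Registry::

Driver::
"""

# Constructed excerpt of a ComboFix log in the format seen in this thread.
# perowimi.dll.tmp is deliberately absent from "Other Deletions" so the
# verifier has a missing entry to report.
COMBOFIX_LOG = """ComboFix 09-05-08.03 - Owner 05/10/2009 13:03.2 - NTFSx86
Command switches used :: c:\\documents and settings\\Owner\\Desktop\\CFScript.txt

FILE ::
c:\\windows\\system32\\fubatuzo.dll.tmp
c:\\windows\\system32\\jozoyona.dll.tmp
c:\\windows\\system32\\perowimi.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\\windows\\system32\\fubatuzo.dll.tmp
c:\\windows\\system32\\jozoyona.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.
2009-05-08 00:15 . 2009-05-08 00:15 -------- d-----w c:\\program files\\Malwarebytes' Anti-Malware
"""

# A CFScript section header is a bare word followed by "::" (File::, Registry::, ...).
HEADER_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# A ComboFix section banner is the name wrapped in runs of parentheses.
BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' sections (keys lower-cased, entries in order)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log at its '(((( Name ))))' banners.

    Everything before the first banner goes under 'header'; the tool's lone '.'
    separator lines and blank lines are dropped."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def script_was_applied(log: str, script_name: str = "cfscript.txt") -> bool:
    """True if the log header's 'Command switches used ::' line names the script.

    If the script was not dropped onto ComboFix.exe, that line is absent and the
    File:: entries were never processed, whatever the rest of the log shows."""
    for line in parse_combofix_log(log)["header"]:
        if line.lower().startswith("command switches used ::"):
            return script_name.lower() in line.lower()
    return False


def _norm(path: str) -> str:
    # Windows paths: case-insensitive, either separator.
    return path.strip().lower().replace("/", "\\")


def verify_deletions(script: str, log: str) -> Tuple[List[str], List[str]]:
    """Compare the script's File:: entries with the log's 'Other Deletions' section.

    Returns (deleted, not_deleted), both in the script's order."""
    requested = parse_cfscript(script).get("file", [])
    deleted_set = {_norm(p) for p in parse_combofix_log(log).get("other deletions", [])}
    deleted = [p for p in requested if _norm(p) in deleted_set]
    missing = [p for p in requested if _norm(p) not in deleted_set]
    return deleted, missing


if __name__ == "__main__":
    print("script applied:", script_was_applied(COMBOFIX_LOG))
    done, left = verify_deletions(CFSCRIPT, COMBOFIX_LOG)
    print("deleted:", done)
    print("still present / not reported:", left)
```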

ComboFix 09-05-08.03 - Owner 05/10/2009 13:03.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.702.421 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090509-0] On-access scanning disabled (Updated)
FW: Online Armor Firewall enabled

FILE ::
c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fubatuzo.dll.tmp
c:\windows\system32\jozoyona.dll.tmp
c:\windows\system32\perowimi.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-04-10 to 2009-05-10 )))))))))))))))))))))))))))))))
.

2009-05-08 00:15 . 2009-05-08 00:15 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-08 00:15 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-08 00:15 . 2009-05-08 00:15 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-08 00:15 . 2009-05-08 00:15 -------- d-----w c:\program files\Malwarebytes’ Anti-Malware
2009-05-07 23:26 . 2009-05-07 23:26 -------- d-----w C:\_OTListIt
2009-05-03 22:56 . 2009-05-03 22:56 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-01 17:19 . 2009-05-01 17:21 -------- d-----w c:\program files\Common Files\Adobe
2009-05-01 16:42 . 2009-05-01 16:45 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-01 16:42 . 2009-05-01 16:42 -------- d-----w c:\program files\NOS
2009-05-01 16:38 . 2009-05-01 16:38 -------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-04-27 19:23 . 2009-04-27 19:23 -------- d-----w c:\documents and settings\All Users\Application Data\PopCap
2009-04-25 15:54 . 2009-04-25 15:53 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-25 15:53 . 2009-04-25 15:53 -------- d-----w c:\program files\Java
2009-04-25 04:42 . 2009-04-25 04:42 -------- d-----w c:\documents and settings\Owner\Application Data\Viewpoint
2009-04-22 17:26 . 2009-04-22 17:30 -------- d-----w c:\documents and settings\Owner\Application Data\vlc
2009-04-21 03:01 . 2009-05-10 17:53 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-05-10 17:55 -------- d-----w c:\documents and settings\Owner\Application Data\OnlineArmor
2009-04-21 01:28 . 2009-04-21 01:28 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-21 01:27 . 2008-12-13 07:26 30920 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-21 01:27 . 2008-12-13 07:26 28872 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-21 01:27 . 2008-12-13 07:26 178376 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-21 01:27 . 2009-04-21 01:27 -------- d-----w c:\program files\Tall Emu
2009-04-20 19:55 . 2009-04-20 19:55 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Ahead
2009-04-20 01:02 . 2009-04-20 01:02 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield Installation Information
2009-04-20 01:01 . 2009-04-20 01:01 -------- d-----w c:\program files\ValuSoft
2009-04-20 01:00 . 2009-04-20 01:00 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Application Data\InstallShield
2009-04-15 19:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 19:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 19:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 19:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 19:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 19:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 19:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 19:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 19:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 19:37 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 19:37 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-14 23:38 . 2009-04-14 23:38 -------- d-----w c:\program files\Trend Micro
2009-04-12 23:31 . 2009-04-12 23:31 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Application Data\acccore
2009-04-12 23:30 . 2009-04-12 23:30 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL OCP
2009-04-12 23:30 . 2009-04-12 23:30 -------- d-----w c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\AOL
2009-04-11 23:38 . 2009-04-11 23:38 -------- d-----w c:\documents and settings\Owner\Application Data\acccore
2009-04-11 23:38 . 2009-04-11 23:38 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\AOL OCP
2009-04-11 23:38 . 2009-04-11 23:38 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\AOL
2009-04-11 23:35 . 2009-04-11 23:35 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
2009-04-11 23:35 . 2009-04-11 23:39 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
2009-04-11 22:51 . 2009-04-11 22:51 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\Yahoo
2009-04-11 22:45 . 2009-04-11 23:38 -------- d-----w c:\program files\AIM6

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 08:59 . 2009-03-09 23:49 -------- d-----w c:\program files\Google
2009-04-25 01:01 . 2009-03-21 05:09 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-25 01:00 . 2009-03-21 04:00 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-11 23:36 . 2009-03-10 00:02 -------- d-----w c:\program files\Viewpoint
2009-04-11 23:35 . 2009-03-10 00:01 -------- d-----w c:\program files\Common Files\AOL
2009-04-11 22:50 . 2009-03-21 03:02 -------- d-----w c:\program files\Yahoo!
2009-04-11 16:25 . 2009-04-01 03:06 47752 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-07 03:47 . 2009-04-07 03:38 166 ----a-w c:\documents and settings\home.YOUR-E33A47D287\Application Data\wklnhst.dat
2009-04-01 11:44 . 2009-03-22 15:33 47752 ----a-w c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-01 04:00 . 2009-04-01 03:53 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-01 03:18 . 2009-04-01 03:18 -------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2009-04-01 03:06 . 2009-04-01 03:06 128 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:32 . 2009-03-22 15:32 143 ----a-w c:\documents and settings\home.YOUR-E33A47D287\Local Settings\Application Data\fusioncache.dat
2009-03-22 15:30 . 2009-03-22 14:24 104352 ----a-w c:\windows\hpoins04.dat
2009-03-22 15:23 . 2009-03-22 12:12 -------- d-----w c:\program files\HP
2009-03-22 14:59 . 2009-03-22 14:59 -------- d-----w c:\program files\Common Files\HP
2009-03-22 14:57 . 2009-03-22 14:57 -------- d-----w c:\program files\Hewlett-Packard
2009-03-22 14:56 . 2009-03-22 14:56 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-03-22 14:43 . 2009-03-22 14:43 -------- d-----w c:\program files\VideoLAN
2009-03-22 12:30 . 2004-08-26 18:03 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-22 10:09 . 2009-03-10 00:08 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
2009-03-22 10:02 . 2009-03-22 09:35 -------- d-----w c:\program files\Ahead
2009-03-22 09:56 . 2009-03-22 09:35 -------- d-----w c:\program files\Common Files\Ahead
2009-03-21 16:46 . 2009-03-21 16:46 17801 ----a-w c:\windows\system32\drivers\AegisP.sys
2009-03-21 16:46 . 2009-03-21 16:46 -------- d-----w c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster
2009-03-21 05:03 . 2009-03-21 05:03 -------- d-----w c:\program files\MSXML 4.0
2009-03-21 03:59 . 2009-03-21 03:59 -------- d-----w c:\program files\Lavasoft
2009-03-21 03:33 . 2009-03-10 00:02 -------- d-----w c:\program files\Pure Networks
2009-03-21 03:06 . 2009-03-21 03:06 -------- d-----w c:\program files\Alwil Software
2009-03-21 02:48 . 2009-03-10 00:05 -------- d-----w c:\program files\AvRack
2009-03-21 02:47 . 2009-03-10 00:02 -------- d-----w c:\program files\AOL Toolbar
2009-03-15 03:53 . 2009-03-09 23:47 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-10 00:03 . 2009-03-10 00:03 8552 ----a-w c:\windows\system32\drivers\asctrm.sys
2009-03-10 00:01 . 2009-03-10 00:01 335 ----a-w c:\windows\nsreg.dat
2009-03-09 23:23 . 2009-03-09 23:23 60 ----a-w c:\windows\system32\SYSDRV.DAT
2009-03-06 14:22 . 2006-02-23 00:55 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-02-23 00:57 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2006-02-23 00:52 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-09_16.59.37 )))))))))))))))))))))))))))))))))))))))))
.

  • 2009-05-10 01:04 . 2009-05-10 01:04 16384 c:\windows\Temp\Perflib_Perfdata_6e0.dat
  • 2009-05-10 16:50 . 2009-05-10 16:50 16384 c:\windows\Temp\Perflib_Perfdata_69c.dat

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-12 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-25 516440]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-10 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-25 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2005-03-08 53248]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2005-03-12 147456]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-04-15 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-3-9 1742384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-28 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Common Files\AOL\Loader\aolload.exe"=
"c:\Program Files\Common Files\AolCoach\en_en\player\AOLNySEV.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\Program Files\AIM6\aim6.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/20/2009 11:00 PM 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [3/20/2009 10:07 PM 114768]
R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [4/20/2009 8:27 PM 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [4/20/2009 8:27 PM 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [4/20/2009 8:27 PM 28872]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/20/2009 10:07 PM 20560]
R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [4/20/2009 8:27 PM 1402568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/11/2009 6:36 PM 24652]
R2 WUSB54GSCSVC;WUSB54GSCSVC;c:\program files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe [3/21/2009 11:46 AM 53307]
R2 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [11/9/2008 3:48 PM 602392]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 953168]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [4/20/2009 8:27 PM 3321032]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/1/2009 11:42 AM 33176]
.
Contents of the 'Scheduled Tasks' folder

2009-05-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 01:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.yahoo.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath -
.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-10 13:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2009-05-10 13:07
ComboFix-quarantined-files.txt 2009-05-10 18:06
ComboFix2.txt 2009-05-09 17:00

Pre-Run: 142,528,512,000 bytes free
Post-Run: 142,580,551,680 bytes free

204 --- E O F --- 2009-04-29 20:01

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:15:36 PM, on 5/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


End of file - 9374 bytes

Hey oldman, I posted the logs. How do I get to the Viewpoint control panel to disable it? Because when I go to Control Panel > Add/Remove Programs, the only option it gives me for Viewpoint is to remove.

Hi Jamboy,

Don’t go to add/remove programs. Just open the control panel.

Click Start, click Control Panel

In the Control Panel window, select the Viewpoint Manager control panel. Your selection opens a separate window.
Select the option to “Disable auto-updating for the Viewpoint Manager.” Once selected, the player no longer will attempt to check for updates.

We will clean up our tools once you post back.

Thanks

Hi oldman, I went to Control Panel and changed to Classic View, but I still don't see an option for Viewpoint.

Hi Jamboy,

Ok don’t worry about it, it’s nothing really serious. I see the service running but I don’t see Viewpoint Manager installed. How’s the computer running?

Any problems? If not we can clean up the tools we used.

From your desktop, please delete
- any notepads/logs that we created

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /u

Open OTListIt2 then click the Clean Up button. You may get prompted by your firewall that OTListIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I already gave you some prevention tips:
http://forum.avast.com/index.php?topic=44292.msg373519#msg373519

Take care.

I must be doing something wrong b/c my comp keeps getting infected. Can anyone please help me out?


KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, May 28, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, May 29, 2009 03:44:27
Records in database: 2268803

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 110347
Threat name: 2
Infected objects: 37
Suspicious objects: 0
Duration of the scan: 02:21:29

File name / Threat name / Threats count
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027903.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027904.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP62\A0027905.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027933.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027934.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027935.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027936.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027937.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027938.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027939.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027940.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027941.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027942.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027943.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027944.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027945.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027946.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027947.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027948.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027949.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027950.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027952.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027953.exe Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027954.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027955.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027956.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0027957.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034105.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034106.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034107.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034110.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034111.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034112.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034113.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034114.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0034115.dll Infected: Packed.Win32.Krap.p 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP81\A0043549.dll Infected: Packed.Win32.Krap.p 1

The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:25 PM, on 5/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WUSB54GSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Owner\Local Settings\Temp\jkos-Owner\binaries\ScanningProcess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1238555312500
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WUSB54GSCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Network Adapter with SpeedBooster\WLService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe


End of file - 9730 bytes

Hi Jamboy,

All those detections are in old System Restore points that should have been removed when you cleaned up the tools. We’ll remove them now.

  • Create a new restore point

You must be logged on to an administrator account.
1. Go to Start - All Programs - Accessories - System Tools - System Restore.
2. Click Create a restore point, and then click Next.
3. In the text box labeled Restore Point Description, type a name for this restore point.
4. Click Create.

  • Remove old restore points

1. Go to Start - All Programs - Accessories - System Tools.
2. Launch the Disk Cleanup tool and let it run.
3. When it finishes, a box with tabs will appear; select the More Options tab.
4. On this tab you will find a section for System Restore.
5. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
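As an added example (editor's code, not from this thread or any of the tools in it), a small Python script that parses report lines in the scanner's "path Infected: name count" format and checks the claim above: that every hit sits inside a System Restore point and will be gone once Disk Cleanup drops the old points. The sample lines are constructed from entries in the log above plus one hypothetical hit outside a restore point, to show what the Disk Cleanup step would not cover.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the report format seen above. The first three
# lines are taken from the thread's log; the last one is a hypothetical
# hit outside System Volume Information (placeholder file name).
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\\RP62\\A0027903.dll Infected: Packed.Win32.Krap.p 1
C:\\System Volume Information\\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\\RP63\\A0027956.dll Infected: Trojan.Win32.Monder.bzdz 1
C:\\System Volume Information\\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\\RP81\\A0043549.dll Infected: Packed.Win32.Krap.p 1
C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\PLACEHOLDER_live_hit.dll Infected: Packed.Win32.Krap.p 1
"""

# One report line: <path> Infected: <threat name> <count>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# Restore-point folder inside System Volume Information: \_restore{GUID}\RPnn\
RP_RE = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.IGNORECASE)


def triage(report: str):
    """Split detections into restore-point hits and live hits.

    Returns (per_rp, per_threat, live):
      per_rp     - {"RP63": Counter({threat: count}), ...}
      per_threat - Counter of every threat name seen, restore points included
      live       - [(path, threat), ...] for hits NOT inside a restore point;
                   these need real cleanup, Disk Cleanup will not touch them
    """
    per_rp = defaultdict(Counter)
    per_threat = Counter()
    live = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header, blank or summary line, not a detection
            continue
        path, threat, count = m["path"], m["threat"], int(m["count"])
        per_threat[threat] += count
        rp = RP_RE.search(path)
        if rp:
            per_rp[rp.group(1).upper()][threat] += count
        else:
            live.append((path, threat))
    return per_rp, per_threat, live


if __name__ == "__main__":
    per_rp, per_threat, live = triage(SAMPLE_LOG)
    for rp in sorted(per_rp):
        print(rp, dict(per_rp[rp]))
    print("live hits outside restore points:", live)
```

An empty `live` list is the condition under which deleting the old restore points finishes the job; anything listed there still has to be dealt with on the live system.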

Wrong post. Sorry :-[

Thanks oldman, I deleted prior restore points and cleaned up temporary internet files.

Hi Jamboy,

You should be good to go then. 8)

geez, that's a lot of krap…