hijack this log...Winfixer, cws.qttask, Vx2.Look2m in Security http://www.dslreports.com/forum/r14391810 en Tue, 24 Nov 2009 09:01:31 EDT Tue, 24 Nov 2009 09:01:31 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14610723 MrFixitSC : thanks]]> http://www.dslreports.com/forum/remark,14610723 Wed, 19 Oct 2005 09:22:36 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14610466 CalamityJane : MrFixitCT, you really should start your own new topic instead piggybacking on this one. But it is known that a Vundo infection interferes sometimes with getting the PC into safe mode and the author of the Vundofix tool has verfied that the tool should work in Normal Mode as well. So try that. But if you need help on the specific files ...please post a new topic and we'll glad to assist.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2006
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14610466 Wed, 19 Oct 2005 08:24:16 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14607459 MrFixitSC : I have a vundo related (possibly) when I try to boot in safe mode all I get is a black screen with "safemode" in the four corners so I cant proceed with the fix..??]]> http://www.dslreports.com/forum/remark,14607459 Tue, 18 Oct 2005 19:59:56 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14398390 CalamityJane : You're welcome eay, glad we could help! Hope you have a great week, too :)

@Rusty Dusty: Atribune just notified me that it was the f-lock key on his keyboard not being on so the F buttons didnt work.]]> http://www.dslreports.com/forum/remark,14398390 Mon, 19 Sep 2005 16:36:06 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14398186 eay9 : Greetings Calamity Jane,

Thanks for the information. I'm already using Clean up. Great program and so easy to use.

I downloaded the MS Security stuff...... it's not able to locate my computer. I guess I'm invisible these days. >

The desktop is running smoothly but slow. It's slow because of all the anti-spyware, anti-trojan, and anti-virus programs running in the background. Yep, Color me paranoid.

Thanks again for all of your help. I hope you have a great week. ]]> http://www.dslreports.com/forum/remark,14398186 Mon, 19 Sep 2005 16:10:40 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14397426 Rusty Dusty :
said by Atribune See Profile :

I sent you a messge hopefully you recieve it
Well, this isn't so good.....!

It is great that "eay" problem(s) have been solved, but the resorting to an off-line fix session in the middle of a problem solving process that I was following leaves me wondering what the fix was so that I can learn and help myself or someone else in the future....

So what was the 'fix', please?

Thanks.]]> http://www.dslreports.com/forum/remark,14397426 Mon, 19 Sep 2005 14:26:13 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14395374 CalamityJane : looks like you got it to work :) Many thanks to Atribune for his efforts and help!!

The file that Panda found is in your cache (TIF) folder. Go here and delete all the files in there: C:\Documents and Settings\default\Local Settings\Temporary Internet Files.

You can also run this little program to do that for you:
Download and install CleanUp!
»www.stevengould.org/downloads/cl···Up40.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

You can go ahead and delete the Vundofix folder now that we're done with that, should it be needed again, it's best to download a fresh copy as frequently changes are made to handle newer variants.

The HijackThis log looks good now :)
I think we can move forward to final cleanup and prevention steps now.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start > Run, click on *My Computer*.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
»support.microsoft.com/default.as···s;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).
»Security »How do I prevent browser hijacks and spyware?

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE
Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!
Windows Update
»v4.windowsupdate.microsoft.com/e···ault.asp

And see this link for instructions on how to configure the enhanced security features in SP2:
»www.microsoft.com/technet/securi···cxp.mspx

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:
Microsoft Baseline Security Analyzer
»www.microsoft.com/technet/securi···ome.mspx
Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14395374 Mon, 19 Sep 2005 08:39:52 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14394004 eay9 : Atribune and Calamity Jane,

Thank you. You turned my bad experience into a wonderful one. You've been very kind and I truly appreciate all of your help.

Here's the Panda and HJt logs.
-----------------------------------------------------------
ACTIVE SCAN:

Incident Status Location

Adware:adware/savenow No disinfected
Windows registry
Adware:Adware/CWS
No disinfected
C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\8HMN81QF\menus[1].js ------------------------------------------------------------
HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:40 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14394004 Sun, 18 Sep 2005 23:48:45 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393446 Atribune : Resent]]> http://www.dslreports.com/forum/remark,14393446 Sun, 18 Sep 2005 22:05:33 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393323 eay9 : Hmm....Would it be possible to re-send the message? I forgot to update my profile when I changed ISP's. My fault.

Thank you for your help.]]> http://www.dslreports.com/forum/remark,14393323 Sun, 18 Sep 2005 21:44:34 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393261 Atribune : I sent you a messge hopefully you recieve it]]> http://www.dslreports.com/forum/remark,14393261 Sun, 18 Sep 2005 21:34:14 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14393161 eay9 : Logfile of HijackThis v1.99.1
Scan saved at 8:18:18 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14393161 Sun, 18 Sep 2005 21:19:21 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393120 Atribune : Can you post a new hijackthis log]]> http://www.dslreports.com/forum/remark,14393120 Sun, 18 Sep 2005 21:14:16 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14393103 eay9 : enter, ctrl+z, enter......didn't work:(]]> http://www.dslreports.com/forum/remark,14393103 Sun, 18 Sep 2005 21:11:27 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393092 Atribune : You're welcome, but i wouldn't call it help yet.]]> http://www.dslreports.com/forum/remark,14393092 Sun, 18 Sep 2005 21:09:37 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14393072 eay9 : Will do. Thanks for your help.]]> http://www.dslreports.com/forum/remark,14393072 Sun, 18 Sep 2005 21:06:41 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14393064 eay9 : Not a problem. I was just thinking out loud:D]]> http://www.dslreports.com/forum/remark,14393064 Sun, 18 Sep 2005 21:05:38 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393055 Atribune : Can you try Calamity Janes instructions again but this time instead of enter f6 enter use enter ctrl+z enter and let me know how that goes.]]> http://www.dslreports.com/forum/remark,14393055 Sun, 18 Sep 2005 21:04:22 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14393042 CalamityJane : Hold on. Atribune is looking at this thread. He should post soon :)]]> http://www.dslreports.com/forum/remark,14393042 Sun, 18 Sep 2005 21:03:09 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14393016 eay9 : What would happen if I just renamed the file? ]]> http://www.dslreports.com/forum/remark,14393016 Sun, 18 Sep 2005 20:59:26 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392933 eay9 : Oops. I forgot The other files are ......

Readme.txt
Vundo Registration Entries
srthjt]]> http://www.dslreports.com/forum/remark,14392933 Sun, 18 Sep 2005 20:47:52 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392908 eay9 : It has ..........

process
command line utitlity
www.beyondlogic.org

I have reinstalled this fix twice thinking that perhaps it was missing something. ]]> http://www.dslreports.com/forum/remark,14392908 Sun, 18 Sep 2005 20:43:45 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392863 CalamityJane : Ah, big cavalry. The author of the program, suggests this:

Can you ask your user to open the vundofix folder and post a list of files that are in it.

If you dont see process.exe have him redownload the vundofix.exe.

»www.atribune.org/downloads/VundoFix.exe

Note to Mods: While the forum rules state not to use a link to an .exe file in a post to protect users from accidentally clicking on a malware file. This fix uses a self-extracting archive in an .exe that is a fix tool only and is NOT malware. No other mirrored download links are allowed by the author of the tool, therefore, you will see the link to Vundofix.exe in my post here is an exception to this forum rule. Using that link for the tool ensures that the OP has the most current version of the tool maintained on the author's authorized website
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14392863 Sun, 18 Sep 2005 20:35:21 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392814 CalamityJane : LOL...you're very quick! Lemme call more cavalry ;)]]> http://www.dslreports.com/forum/remark,14392814 Sun, 18 Sep 2005 20:29:03 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392808 CalamityJane : Ok - we'll scratch MSAS didn't work?

Did you try typing in the file name?]]> http://www.dslreports.com/forum/remark,14392808 Sun, 18 Sep 2005 20:28:17 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392778 eay9 : ""Try typing it in (be very careful)""

I did that too]]> http://www.dslreports.com/forum/remark,14392778 Sun, 18 Sep 2005 20:23:54 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392768 eay9 : I did that earlier today. I updated the definitions and ran the scan. The scan came out clean.]]> http://www.dslreports.com/forum/remark,14392768 Sun, 18 Sep 2005 20:22:21 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392766 CalamityJane : Try typing it in (be very careful)]]> http://www.dslreports.com/forum/remark,14392766 Sun, 18 Sep 2005 20:21:46 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392752 eay9 : Nope.....it still hangs on the first file path :huh:]]> http://www.dslreports.com/forum/remark,14392752 Sun, 18 Sep 2005 20:19:53 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392740 CalamityJane : Ok, another suggestion from LoPhat...he reports seeing where someone had success using Microsoft Antispyware with the latest defs (#5757)

The download is here:
»www.microsoft.com/athome/securit···ult.mspx

Be sure you update it first before scanning.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14392740 Sun, 18 Sep 2005 20:17:35 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392699 CalamityJane : Let's see, one member of the calvary ( LoPhatPhuud See Profile - thank you Lo!) has spotted an error in the second file name....lemme revise instructions. But I think the first file is where it is hanging??

Please follow these instructions:

1. Make a copy of these instructions so you have them handy as the most steps need to be done in safe mode with IE closed.

2. Please download the VundoFix tool
www.atribune.org/downloads/VundoFix.exe

3. Double-click VundoFix.exe to extract the files

4. This will create a folder named VundoFix on your desktop.

5. After the files are extracted, please reboot your computer into Safe Mode.
How to start the computer in Safe mode
»service1.symantec.com/SUPPORT/ts···_doc_nam

6. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)

At this point press enter one time.

7. Next you will see:
quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix


At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\yabab.dll

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

8. Next you will see:
quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\babay.*

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

9. The fix will run then HijackThis will open.

Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll

10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

Once your machine reboots please continue with the instructions below.

11. Then, please run this online virus scan to clean up any leftovers:
»www.pandasoftware.com/products/a···scan.htm

Save the results of the Panda ActiveScan so you can post them for review back here.

12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14392699 Sun, 18 Sep 2005 20:12:04 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392677 eay9 : ;)I started doing that about 20 minutes ago. Still just sits there after I entered the file path and*enter,F6,Enter*.......Crazy.]]> http://www.dslreports.com/forum/remark,14392677 Sun, 18 Sep 2005 20:08:01 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392636 CalamityJane : While waiting for the calvary to arrive, could you reboot into safe mode and give the tool a while longer to work? (More than several minutes).]]> http://www.dslreports.com/forum/remark,14392636 Sun, 18 Sep 2005 20:00:14 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392602 eay9 : Thanks for all of your help. ]]> http://www.dslreports.com/forum/remark,14392602 Sun, 18 Sep 2005 19:53:10 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392562 CalamityJane : Ok, well, the file is definitely there. I've called in some others to take a look and add suggestions. This is the first time I've been stumped with it acting this way - in the many I've done.]]> http://www.dslreports.com/forum/remark,14392562 Sun, 18 Sep 2005 19:46:15 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392529 eay9 : To answer your question on the Vundi Fix.......Each time I ran it I waited several minutes. Nothing ever showed after the file path entry.]]> http://www.dslreports.com/forum/remark,14392529 Sun, 18 Sep 2005 19:39:02 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392515 eay9 :
Here's the scoop from file finder............

Number of files found:1 Files found in 182 Directories
Size of files found under C:\WINDOWS\system32\ = 528,404 Bytes

Export.txt:

C:\WINDOWS\system32\yabab.dll - 528404 Bytes]]> http://www.dslreports.com/forum/remark,14392515 Sun, 18 Sep 2005 19:37:00 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392451 CalamityJane : Ok, I may need to call some Vundo experts in here. I should see {file missing}on HJT if it had been deleted. How much time are you giving it to search for the file? Or does the program just close?

2. download this tool called Filefind:
»www.atribune.org/downloads/FileFind.zip

Unzip it and doubleclick on Filefind.exe to run it

Copy and paste into the *Directory* searchbox the following line:
C:\WINDOWS\system32

Then copy and paste into the *file* find search box:
yabab.dll

Then press the *find* button. Wait for it to scan. Copy and paste the results found back here please.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14392451 Sun, 18 Sep 2005 19:26:46 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392395 eay9 : Logfile of HijackThis v1.99.1
Scan saved at 6:15:16 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14392395 Sun, 18 Sep 2005 19:16:58 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392385 eay9 : all righty then.......that didn't work either ;-(
I "cut and paste" the file paths. That didn't work. Then I typed the file paths and that didn't work.

Sorry. I'm clueless on why this isn't working. ]]> http://www.dslreports.com/forum/remark,14392385 Sun, 18 Sep 2005 19:13:51 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392359 CalamityJane : The program is set to exit if the file is not found. So if it still does that as well in normal mode, scan with HijackThis and post a fresh HJT log please.]]> http://www.dslreports.com/forum/remark,14392359 Sun, 18 Sep 2005 19:09:46 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14392353 eay9 : OK, I'll try that and post the results.

Thanks for your help on this. I appreciate truly it.]]> http://www.dslreports.com/forum/remark,14392353 Sun, 18 Sep 2005 19:08:32 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392319 CalamityJane : Hmmm, you're using this filename and path, right?:

C:\WINDOWS\system32\yabab.dll

Maybe try rebooting back into normal mode. Then try running the tool. I saw once instance where it wasn't working right in safe mode.
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14392319 Sun, 18 Sep 2005 19:01:20 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392297 eay9 : It doesn't say anything........just the file path and then nothing. My version of XP is an upgrade from WinME. Would that make a difference?]]> http://www.dslreports.com/forum/remark,14392297 Sun, 18 Sep 2005 18:55:27 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392211 CalamityJane : Does Vundo fix say file not found? If so, something else may have already taken care of it and we can do some fixing of entries in HijackThis.]]> http://www.dslreports.com/forum/remark,14392211 Sun, 18 Sep 2005 18:37:45 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14392120 eay9 : Thank you Calamity Jane.

I did as you suggested but the Vundi Fix will not work.

After I *cut and paste* the file path and do the "*enter,F6,enter*" it does not proceed to the next step.
I do not see the ""Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.""

I am in safe mode. I'm XP SP2.

Any suggestions?]]> http://www.dslreports.com/forum/remark,14392120 Sun, 18 Sep 2005 18:19:20 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14391968 CalamityJane : On this item noted by Trojan Hunter:
C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)

You can get a second (well actually 14) opinion here:
Jotti Malware Scan
»virusscan.jotti.org/

Let Jotti scan the file (just browse to it and submit) and wait while it finishes scanning. Copy the report when it's done and post the results back here :)

If Jotti's Malware scan is busy, you can also use this one

Virus Total
»www.virustotal.com/
--
It takes a disaster to make a woman out of a female
Microsoft MVP/Windows Security 2003-2005
Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14391968 Sun, 18 Sep 2005 17:50:40 EDT Re: hijack this log...Winfixer, cws.qttask, Vx2.Lo http://www.dslreports.com/forum/remark,14391935 CalamityJane : It's Vundo

Please follow these instructions:

1. Make a copy of these instructions so you have them handy as the most steps need to be done in safe mode with IE closed.

2. Please download the VundoFix tool
www.atribune.org/downloads/VundoFix.exe

3. Double-click VundoFix.exe to extract the files

4. This will create a folder named VundoFix on your desktop.

5. After the files are extracted, please reboot your computer into Safe Mode.
How to start the computer in Safe mode
»service1.symantec.com/SUPPORT/ts···_doc_nam

6. Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a message and a list of forums to seek help at (but you're already getting help now at this forum)

At this point press enter one time.

7. Next you will see:
quote:
Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix


At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\yabab.dll

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

8. Next you will see:
quote:
Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.


At this point please copy and paste the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\system32\babay

Press *Enter*, then press the *F6* key, then press *Enter* one more time to continue with the fix.

9. The fix will run then HijackThis will open.

Using HijackThis, please place a check next to the following items and click the *FIX CHECKED* button:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll

10. After you have fixed these items, close HijackThis and Press any key to force a reboot of your computer.

Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!

Once your machine reboots please continue with the instructions below.

11. Then, please run this online virus scan to clean up any leftovers:
»www.pandasoftware.com/products/a···scan.htm

Save the results of the Panda ActiveScan so you can post them for review back here.

12. Also please post a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
--
It takes a disaster to make a woman out of a female

Microsoft MVP/Windows Security 2003-2005


Proud Member of ASAP (Alliance of Security Analysis Professionals)]]> http://www.dslreports.com/forum/remark,14391935 Sun, 18 Sep 2005 17:45:58 EDT hijack this log...Winfixer, cws.qttask, Vx2.Look2m http://www.dslreports.com/forum/remark,14391810 eay9 : My browser was hijacked with Winfixer popups. In the process of trying to remove that I found and hopefully, removed others.

I ran every program I know of: CWShredder, AdAware, Spybot, Spware Sweeper, Counter Spy, Trojan Hunter, Trend micro, Ewido and any other program I could locate ;-)

CWshredder found: VX2. Look2me
Counterspy Found: cws.qttask
Spybot: Winfixer
AdAware or maybe trend found and removed Vundi

Trojan Huner found a possible Trojan. Here's the log:
###########################################################
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM32\strings.exe (Suspicious: UPX-packed file in Windows System folder)
1 possible trojan files found
#############################################################

My system is running better but I'm still getting an occasional pop up. I would appreciate any help you can provide. Thanks!
############################################################
Here's my hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 3:45:47 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\default\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »desktop.presario.net/scripts/red···&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\yabab.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] C:\Program Files\TrojanHunter 4.2\THGuard.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\default\My Documents\filelib\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: Yahoo! Pool 2 - »download.games.yahoo.com/games/c···te_x.cab
O16 - DPF: Yahoo! Pyramids - »download.games.yahoo.com/games/c···t1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - »messenger.zone.msn.com/binary/ms···1267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - »housecall60.trendmicro.com/house···an60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - »www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - »messenger.zone.msn.com/binary/Up···1267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - »go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - »download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - »h20270.www2.hp.com/ediags/gmn/in···_gmn.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - »messenger.zone.msn.com/binary/Mi···1267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - »jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - »appldnld.m7z.net/qtinstall.info.···ller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - »spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - »v5.windowsupdate.microsoft.com/v···10355375
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - »appdirectory.messenger.msn.com/A···ctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - »messenger.zone.msn.com/binary/Me···1267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - »appdirectory.messenger.msn.com/A···kMSN.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - »www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - »messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - »messenger.zone.msn.com/binary/ZI···2846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - »messenger.zone.msn.com/binary/Ba···1267.cab
O16 - DPF: {C852B12E-3F08-4099-AF8E-32FD327B88EA} (msnloader Class) - »rockstar.messenger.msn.com/rockstar.cab
O20 - Winlogon Notify: yabab - C:\WINDOWS\system32\yabab.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\default\Local Settings\Temporary Internet Files\Content.IE5\82VVYU4H\CWShredder[1].exe (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe]]> http://www.dslreports.com/forum/remark,14391810 Sun, 18 Sep 2005 17:22:58 EDT