
Trojan.Nebula...

Discussion in 'Malware and Virus Removal Archive' started by TyrelJ, 2006/08/30.

  1. 2006/08/30
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    I recently got a Trojan.Nebula virus but I don't know how to delete it; Norton AntiVirus does nothing and I searched over the net for something that does, but no luck. :( It happened right after I downloaded ZoneAlarm Pro; I downloaded it off another site because the main site wasn't working for me.


    Logfile of HijackThis v1.99.1
    Scan saved at 10:48:22 PM, on 30/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Ascentive\ActiveSpeed\AS.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\WINDOWS\regedit.exe
    C:\WINDOWS\System32\NOTEPAD.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\Documents and Settings\Dove\Desktop\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IDMIECC.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Recycler] ydardac.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [regsvc] \regsvc32.exe
    O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
    O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [regsvc] \regsvc32.exe
    O8 - Extra context menu item: Download All Links with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEGetAll.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144709715359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144890222390
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhwp32 - C:\WINDOWS\SYSTEM32\winhwp32.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
    Last edited: 2006/08/30
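    The log above is read by eye in the replies that follow. As an added example (not a HijackThis feature, and not code from anyone in this thread), here is that reading turned into a small triage script: it parses the O4 autostart lines and the O20 Winlogon Notify lines and scores the structural signals a removal helper looks for, such as a command with no directory (resolved through the PATH search order), a command that starts with a bare backslash (resolved from the root of the current drive), a RunServices entry, a "Windows ..." label whose image is not under the Windows tree, and a Notify DLL outside the set that ships with XP. The sample log is a constructed subset of the lines posted above; the ComboFix file date comes from the log posted later in the thread; the known-good Notify list and the weights are my assumptions, and a hit means "verify this entry", not a malware verdict.

```python
"""Triage the O4 (autostart) and O20 (Winlogon Notify) lines of a HijackThis log.

Added example for this thread, not a HijackThis feature and not code from any
poster.  SAMPLE_LOG is a constructed subset of the posted log; KNOWN_NOTIFY and
the weights are assumptions, not a vendor list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4/O20 lines from the first log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Recycler] ydardac.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [regsvc] \regsvc32.exe
O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe
O4 - HKCU\..\Run: [regsvc] \regsvc32.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhwp32 - C:\WINDOWS\SYSTEM32\winhwp32.dll
"""

# Files ComboFix reported as created in the last month (from the log posted
# later in the thread); used to cross-check Notify DLLs.
RECENT_FILES = {r"c:\windows\system32\winhwp32.dll": "2006-08-29 12:17"}

# Winlogon Notify packages that ship with XP SP2 plus the two vendor ones seen
# in this log.  Assumption: anything else deserves a second look, nothing more.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "wgalogon"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class Finding:
    line: str
    image: str
    reasons: list = field(default_factory=list)  # (weight, explanation) pairs

    @property
    def severity(self) -> str:
        # One weak signal is "verify"; a combined weight of 2 or more is "suspicious".
        return "suspicious" if sum(w for w, _ in self.reasons) >= 2 else "verify"


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end] if end > 0 else cmd[1:]).strip()
    return cmd.split()[0] if cmd else ""


def triage_o4(key: str, label: str, img: str) -> list:
    reasons = []
    if img.startswith("\\"):
        reasons.append((2, "image starts with a bare backslash: resolved from the root of the current drive"))
    elif "\\" not in img:
        reasons.append((1, "image has no directory: located via the PATH search order"))
    if key.lower() == "runservices":
        reasons.append((1, "RunServices key: Windows 9x-era autostart that current installers do not write"))
    if label.lower().startswith("windows ") and not img.lower().startswith(
            ("c:\\windows\\", "c:\\program files\\windows ")):
        reasons.append((1, "label claims a Windows component but the image is not under the Windows tree"))
    return reasons


def triage_o20(name: str, path: str) -> list:
    reasons = []
    if name.lower() not in KNOWN_NOTIFY:
        reasons.append((2, "Notify DLL not in the known-good list; loaded into winlogon.exe (SYSTEM) on logon events"))
    created = RECENT_FILES.get(path.lower())
    if created:
        reasons.append((1, f"file created recently ({created}) per ComboFix"))
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O20 line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            img = image_path(m["cmd"])
            reasons = triage_o4(m["key"], m["label"], img)
        elif m := O20_RE.match(line):
            img = m["path"].strip()
            reasons = triage_o20(m["name"], img)
        else:
            continue
        if reasons:
            findings.append(Finding(line, img, reasons))
    return findings


def suspicious_images(log_text: str) -> list:
    """Distinct image paths whose combined signals reach 'suspicious'."""
    return sorted({f.image for f in triage(log_text) if f.severity == "suspicious"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for _, why in f.reasons:
            print(f"    - {why}")
```

    Run stand-alone it prints one block per flagged line. SOUNDMAN.EXE comes out as "verify" only (a bare file name is how Realtek registers it, so that signal alone is weak), while the two "Windows Recycler"/ydardac.exe entries, both regsvc entries and the winhwp32 Notify DLL reach "suspicious" because two independent signals stack. The script never decides what a file is; it ranks which entries to check first.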
  2. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Let's get an online scan and a special find tool afterwards, please.

    Also: Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. ( You may have to disable any pop up blockers)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

    Please then post both the ActiveScan and ComboFix logs into this thread, along with a fresh HJT log file as well. Thanks.
     


  4. 2006/08/31
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    OK.

    After going through a lot of side problems I did everything you said.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:36 AM, on 31/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\NudgeMania\NudgeMania.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\HJT\HijackThis.exe
    C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLED.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/customize/rogers/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IDMIECC.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Recycler] ydardac.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [regsvc] \regsvc32.exe
    O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
    O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O4 - HKCU\..\Run: [regsvc] \regsvc32.exe
    O8 - Extra context menu item: Download All Links with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEGetAll.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144709715359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144890222390
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhwp32 - C:\WINDOWS\SYSTEM32\winhwp32.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    ________________________________________________________________
    ComboFix:

    Dove - 06-08-31 11:10:14.43
    ComboFix 06.08.30BT - Running from: C:\Program Files\Mozilla Firefox

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\IntCodec


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-29 12:17 18,944 --------- C:\WINDOWS\system32\winhwp32.dll
    2006-08-29 08:56 143,360 --a------ C:\WINDOWS\system32\ConTest.dll
    2006-07-31 02:05 20,480 --a------ C:\WINDOWS\system32\UnInstall_KAccess.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 11:05 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-31 10:44 -------- d-------- C:\Program Files\WinRAR
    2006-08-31 10:44 -------- d-------- C:\Program Files\Windows Defender
    2006-08-31 10:44 -------- d-------- C:\Program Files\QuickTime
    2006-08-31 10:44 -------- d-------- C:\Program Files\NudgeMania
    2006-08-31 10:44 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-08-31 10:44 -------- d-------- C:\Program Files\MSN Messenger
    2006-08-31 10:44 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-31 10:44 -------- d-------- C:\Program Files\GetRight
    2006-08-31 10:14 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-31 10:13 -------- d-------- C:\Program Files\Common Files
    2006-08-30 21:57 -------- d-------- C:\Program Files\Zone Labs
    2006-08-30 18:50 -------- d-------- C:\Program Files\BitComet
    2006-08-30 18:23 -------- d-------- C:\Documents and Settings\Dove\Application Data\DMCache
    2006-08-29 17:00 65536 --a------ C:\WINDOWS\IFinst27.exe
    2006-08-29 08:56 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-29 08:56 -------- d-------- C:\Program Files\Ascentive
    2006-08-28 18:46 -------- d-------- C:\Documents and Settings\Dove\Application Data\fltk.org
    2006-08-28 11:54 -------- d-------- C:\Program Files\Gravity
    2006-08-26 14:54 -------- d-------- C:\Program Files\Easy Macro Recorder
    2006-08-25 10:58 -------- d-------- C:\Program Files\IconChanger
    2006-08-25 01:18 -------- d-------- C:\Program Files\StepMania
    2006-08-24 19:38 -------- d-------- C:\Program Files\MSXML 4.0
    2006-08-24 10:38 -------- d-------- C:\Program Files\MessengerDiscovery
    2006-08-24 10:38 -------- d-------- C:\Program Files\AceReader Pro Deluxe
    2006-08-24 10:33 -------- d-------- C:\Program Files\Common Files\ODBC
    2006-08-24 10:31 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-24 10:31 -------- d-------- C:\Program Files\Real Alternative
    2006-08-24 10:30 -------- d-------- C:\Program Files\Messenger Plus! Live
    2006-08-24 10:30 -------- d-------- C:\Program Files\Hewlett-Packard
    2006-08-24 10:30 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-24 10:30 -------- d-------- C:\Program Files\AB Language Plus
    2006-08-15 23:22 -------- d-------- C:\Program Files\Sunbelt Software
    2006-08-13 14:59 -------- d-------- C:\Program Files\registry
    2006-08-13 09:09 -------- d-------- C:\Program Files\5u56
    2006-08-11 21:14 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-11 21:12 -------- d-------- C:\Program Files\Microsoft Office
    2006-08-10 16:32 -------- d-------- C:\Program Files\VideoLAN
    2006-08-10 01:14 -------- d-------- C:\Program Files\SmartSleep
    2006-08-08 22:52 -------- d-------- C:\Program Files\Digital TV 2050
    2006-08-08 16:36 -------- d-------- C:\Program Files\GuildFTPd
    2006-08-08 16:26 -------- d-------- C:\Program Files\WarRock
    2006-08-08 15:12 -------- d-------- C:\Program Files\Media Player Classic
    2006-08-08 15:10 -------- d-------- C:\Program Files\KSIGN
    2006-08-08 15:10 -------- d-------- C:\Program Files\Common Files\Real
    2006-08-08 15:10 -------- d-------- C:\Documents and Settings\Dove\Application Data\Real
    2006-08-08 15:07 -------- d-------- C:\Program Files\CEDP Stealer 5.0 for Messenger
    2006-08-08 15:06 -------- d-------- C:\Documents and Settings\Dove\Application Data\Avant Browser
    2006-08-08 15:05 -------- d---s---- C:\Documents and Settings\Dove\Application Data\Microsoft
    2006-08-08 15:04 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-08 15:04 -------- d-------- C:\Documents and Settings\Dove\Application Data\Registry Cleaner
    2006-08-08 15:02 -------- d-------- C:\Program Files\Golden FTP Server
    2006-08-08 14:52 -------- d-a-s---- C:\Program Files\NewDotNet(2)
    2006-08-08 14:52 -------- d-------- C:\Program Files\webHancer(2)
    2006-08-01 06:05 -------- d-------- C:\Program Files\Gpotato
    2006-07-31 01:21 -------- d-------- C:\Program Files\Ntreev
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 02:21 380 ---h----- C:\WINDOWS\WINRDPD40.SYS
    2006-07-18 12:02 91672 --a------ C:\WINDOWS\system32\drivers\khips.sys
    2006-07-18 12:02 284184 --a------ C:\WINDOWS\system32\drivers\fwdrv.sys
    2006-07-16 04:59 -------- d-------- C:\Program Files\B.Technologies
    2006-07-01 15:33 -------- d-------- C:\Documents and Settings\Dove\Application Data\vlc
    2006-07-01 12:57 -------- d-------- C:\Program Files\BreakPoint Software
    2006-06-16 17:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
    2006-06-05 03:44 73216 --------- C:\WINDOWS\ST6UNST.EXE


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
    "Windows Recycler"="ydardac.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "regsvc"="\\regsvc32.exe"
    "NUDGEMANIA"="C:\\Program Files\\NudgeMania\\NudgeMania.exe"
    "ActiveSpeed"="C:\\Program Files\\Ascentive\\ActiveSpeed\\AS.exe -b"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SHS"="\"C:\\Program Files\\Rogers\\SelfHealing\\SHS.exe\" /background"
    "Update Manager"="\"C:\\Program Files\\Rogers\\Update Manager\\UpdateManager.exe\" /background"
    "regsvc"="\\regsvc32.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Windows Recycler"="ydardac.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhwp32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 31/08/2006 11:15:22.96
    ComboFix.txt
    ________________________________________________________________
     
  5. 2006/08/31
    TyrelJ

    TyrelJ Inactive Thread Starter

    ActiveScan Part 1

    ActiveScan:

    Incident Status Location

    Adware:adware/whenusearch Not disinfected C:\Documents and Settings\Dove\Start Menu\Programs\WhenU
    Adware:adware/intcodec Not disinfected c:\program files\IntCodec
    Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Dove\Application Data\Registry Cleaner
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.fastclick.net/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.com.com/]
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[stat.onestat.com/]
    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.yadro.ru/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.statcounter.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.doubleclick.net/]
    Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.revenue.net/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.as-eu.falkag.net/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.perf.overture.com/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.overture.com/]
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[adserver.filefront.com/]
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.burstnet.com/]
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.adrevolver.com/]
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.bluestreak.com/]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[www.burstbeacon.com/]
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.ads.addynamix.com/]
    Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.bfast.com/]
    Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.as-us.falkag.net/]
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.advertising.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.247realmedia.com/]
    Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[landing.domainsponsor.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.clickbank.net/]
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.hotlog.ru/]
    Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.spylog.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.casalemedia.com/]
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.zedo.com/]
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Dove\Application
     
  6. 2006/08/31
    TyrelJ

    TyrelJ Inactive Thread Starter

    ActiveScan Part 2

    Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.mediaplex.com/]
    Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.cs.sexcounter.com/]
    Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.sexlist.com/]
    Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.888.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.cdfreaks.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.club.cdfreaks.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.cdfreaks.com/]
    Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.club.cdfreaks.com/]
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.maxserving.com/]
    Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[c.goclick.com/]
    Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[www.advnt01.com/]
    Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.fortunecity.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.microsofteup.112.2o7.net/]
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.atwola.com/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[hc2.humanclick.com/hc/87430115]
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[hc2.humanclick.com/]
    Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[hc2.humanclick.com/hc/87430115]
    Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.tickle.com/]
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.hitbox.com/]
    Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.i.screensavers.com/]
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.azjmp.com/]
    Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.entrepreneur.com/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[server.iad.liveperson.net/hc/21971720]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[server.iad.liveperson.net/]
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[server.iad.liveperson.net/hc/21971720]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Dove\Application Data\Mozilla\Firefox\Profiles\rl6ljlwx.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dove\Cookies\dove@2o7[1].txt
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Dove\Cookies\dove@ad.yieldmanager[1].txt
    Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Dove\Cookies\dove@adserver.filefront[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dove\Cookies\dove@advertising[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dove\Cookies\dove@atdmt[2].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Dove\Cookies\dove@bluestreak[1].txt
    Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Dove\Cookies\dove@casalemedia[2].txt
    Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Dove\Cookies\dove@cgi-bin[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Dove\Cookies\dove@com[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dove\Cookies\dove@doubleclick[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dove\Cookies\dove@fastclick[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Dove\Cookies\dove@mediaplex[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dove\Cookies\dove@perf.overture[1].txt
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dove\Cookies\dove@realmedia[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Dove\Cookies\dove@serving-sys[2].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Dove\Cookies\dove@statcounter[1].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Dove\Cookies\dove@tribalfusion[1].txt
    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dove\Cookies\dove@zedo[2].txt
     
  7. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Ok, let's clean up some of this mess.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.

    After all of the fixes are complete it is very important that you re-enable Real-time Protection again.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\winhwp32.dll
    C:\WINDOWS\IFinst27.exe
    C:\Documents and Settings\Dove\Application Data\fltk.org
    ydardac.exe
    regsvc32.exe



    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Do not reboot yet.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofull crackgreatelmo\IDMIECC.dll

    O4 - HKLM\..\Run: [Windows Recycler] ydardac.exe

    O4 - HKLM\..\Run: [regsvc] \regsvc32.exe

    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe

    O4 - HKCU\..\Run: [regsvc] \regsvc32.exe


    O8 - Extra context menu item: Download with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofull crackgreatelmo\IEExt.htm


    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    O20 - Winlogon Notify: winhwp32 - C:\WINDOWS\SYSTEM32\winhwp32.dll


    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then search for, and delete if found (some may not be present after the previous steps), the following files/folders:
    C:\Program Files\Messenger Plus! Live<<<<---this folder
    C:\Program Files\registry<<<<---this folder
    C:\Program Files\5u56<<<<---this folder
    C:\Program Files\NewDotNet(2)<<<<---this folder
    C:\Program Files\webHancer(2)<<<<---this folder
    C:\Program Files\Gpotato<<<<---this folder
    C:\Program Files\Ntreev<<<<---this folder

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
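An added example (my code, not TeMerc's instructions or anything from HijackThis or ComboFix): a Python triage of HijackThis log lines that applies the reasoning behind the fix list above, flagging empty or unapproved start/search pages, a BHO loaded from a user profile folder, Run entries that start a bare file name such as ydardac.exe or \regsvc32.exe, a dangling extra button, and Winlogon Notify packages that are unknown or point at a missing DLL. The sample lines are constructed from the log in this thread, and the approved-host, benign-bare-name and known-Notify lists are assumptions to tune per machine.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the HijackThis 1.99.1 log posted in this
# thread; it is not the complete log, and the IDM path is shortened.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Documents and Settings\Dove\Desktop\Idm 4.05\IDMIECC.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Recycler] ydardac.exe
O4 - HKLM\..\Run: [regsvc] \regsvc32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winhwp32 - C:\WINDOWS\SYSTEM32\winhwp32.dll
O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)
"""

# Assumed allowlists (tune per machine): hosts the user really chose as
# start/search pages, bare Run-key names legitimately resolved via the
# search path, and Winlogon Notify packages known to be benign.
APPROVED_HOSTS = {"www.google.com", "rogers.yahoo.com"}
BENIGN_BARE_RUN = {"soundman.exe"}
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "scecli", "sclgntfy", "crypt32chain",
                "cryptnet", "termsrv", "schedule", "senslogn", "wlballoon"}
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')  # optional quote, then drive letter


def _check_r(body):
    # Registry paths never contain '=', so the first '=' separates key and value.
    _, _, value = body.partition("=")
    value = value.strip()
    if not value:
        return "empty start/search page value (left behind by a hijacker or a broken fix)"
    host = (urlparse(value).hostname or "").lower()
    if host not in APPROVED_HOSTS:
        return f"start/search page points at unapproved host {host!r}"
    return None


def _check_o2(body):
    # A BHO DLL living outside Program Files / Windows (e.g. a user's Desktop)
    # is loaded into every IE process from a user-writable location.
    path = body.rsplit(" - ", 1)[-1].strip().lower()
    if not path.startswith(TRUSTED_ROOTS):
        return "BHO loaded from outside Program Files / Windows"
    return None


def _check_o4(body):
    m = RUN_RE.search(body)
    if not m:
        return None
    target = m.group("target").strip()
    if ABS_PATH_RE.match(target):
        return None  # full path given; nothing to resolve at logon
    exe = target.lstrip("\\").split()[0].lower() if target else ""
    if exe in BENIGN_BARE_RUN:
        return None
    return f"Run entry starts bare file name {exe!r}, resolved from the search path at logon"


def _check_o9(body):
    return "extra button with no backing file" if body.endswith("(no file)") else None


def _check_o20(body):
    # Notify packages run inside winlogon.exe at every logon, so an unknown
    # name or a missing DLL is worth a second look.
    name = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
    if "(file missing)" in body:
        return f"Winlogon Notify package {name!r} references a missing DLL"
    if name not in KNOWN_NOTIFY:
        return f"unknown Winlogon Notify package {name!r}"
    return None


CHECKS = {"R0": _check_r, "R1": _check_r, "O2": _check_o2, "O4": _check_o4,
          "O9": _check_o9, "O20": _check_o20}


def triage(log_text):
    """Return the HijackThis entries a reviewer would ask the user to fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("sec"), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n      {f.line}")
```

Entries the script does not flag (a full path, an allowlisted bare name, a known Notify package) are exactly the ones a reviewer still has to judge by hand, so treat its output as a shortlist rather than a verdict.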
     
  8. 2006/08/31
    TyrelJ

    TyrelJ Inactive Thread Starter

    Done

    Logfile of HijackThis v1.99.1
    Scan saved at 2:33:14 PM, on 31/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
    O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O8 - Extra context menu item: Download All Links with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEGetAll.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144709715359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144890222390
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    ________________________________________________________________

    Dove - 06-08-31 14:24:02.06
    ComboFix 06.08.30BT - Running from: C:\Program Files\Mozilla Firefox

    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-29 08:56 143,360 --a------ C:\WINDOWS\system32\ConTest.dll
    2006-07-31 02:05 20,480 --a------ C:\WINDOWS\system32\UnInstall_KAccess.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 14:23 -------- d-------- C:\Program Files\Mozilla Firefox
    2006-08-31 14:21 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-08-31 14:20 -------- d-------- C:\Program Files\Common Files
    2006-08-31 11:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-31 11:42 -------- d-------- C:\Program Files\Triggersoft
    2006-08-31 11:29 -------- d-------- C:\Documents and Settings\Dove\Application Data\DMCache
    2006-08-31 10:44 -------- d-------- C:\Program Files\WinRAR
    2006-08-31 10:44 -------- d-------- C:\Program Files\Windows Defender
    2006-08-31 10:44 -------- d-------- C:\Program Files\QuickTime
    2006-08-31 10:44 -------- d-------- C:\Program Files\NudgeMania
    2006-08-31 10:44 -------- d-------- C:\Program Files\Norton AntiVirus
    2006-08-31 10:44 -------- d-------- C:\Program Files\MSN Messenger
    2006-08-31 10:44 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-31 10:44 -------- d-------- C:\Program Files\GetRight
    2006-08-30 21:57 -------- d-------- C:\Program Files\Zone Labs
    2006-08-30 18:50 -------- d-------- C:\Program Files\BitComet
    2006-08-29 08:56 -------- d-------- C:\Program Files\Ascentive
    2006-08-28 11:54 -------- d-------- C:\Program Files\Gravity
    2006-08-26 14:54 -------- d-------- C:\Program Files\Easy Macro Recorder
    2006-08-25 10:58 -------- d-------- C:\Program Files\IconChanger
    2006-08-25 01:18 -------- d-------- C:\Program Files\StepMania
    2006-08-24 19:38 -------- d-------- C:\Program Files\MSXML 4.0
    2006-08-24 10:38 -------- d-------- C:\Program Files\MessengerDiscovery
    2006-08-24 10:38 -------- d-------- C:\Program Files\AceReader Pro Deluxe
    2006-08-24 10:33 -------- d-------- C:\Program Files\Common Files\ODBC
    2006-08-24 10:31 -------- d-------- C:\Program Files\Windows Media Player
    2006-08-24 10:31 -------- d-------- C:\Program Files\Real Alternative
    2006-08-24 10:30 -------- d-------- C:\Program Files\Hewlett-Packard
    2006-08-24 10:30 -------- d-------- C:\Program Files\Common Files\AOL
    2006-08-24 10:30 -------- d-------- C:\Program Files\AB Language Plus
    2006-08-15 23:22 -------- d-------- C:\Program Files\Sunbelt Software
    2006-08-11 21:14 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-08-11 21:12 -------- d-------- C:\Program Files\Microsoft Office
    2006-08-10 16:32 -------- d-------- C:\Program Files\VideoLAN
    2006-08-10 01:14 -------- d-------- C:\Program Files\SmartSleep
    2006-08-08 22:52 -------- d-------- C:\Program Files\Digital TV 2050
    2006-08-08 16:36 -------- d-------- C:\Program Files\GuildFTPd
    2006-08-08 16:26 -------- d-------- C:\Program Files\WarRock
    2006-08-08 15:12 -------- d-------- C:\Program Files\Media Player Classic
    2006-08-08 15:10 -------- d-------- C:\Program Files\KSIGN
    2006-08-08 15:10 -------- d-------- C:\Program Files\Common Files\Real
    2006-08-08 15:10 -------- d-------- C:\Documents and Settings\Dove\Application Data\Real
    2006-08-08 15:07 -------- d-------- C:\Program Files\CEDP Stealer 5.0 for Messenger
    2006-08-08 15:06 -------- d-------- C:\Documents and Settings\Dove\Application Data\Avant Browser
    2006-08-08 15:05 -------- d---s---- C:\Documents and Settings\Dove\Application Data\Microsoft
    2006-08-08 15:04 -------- d-------- C:\Program Files\Spyware Doctor
    2006-08-08 15:04 -------- d-------- C:\Documents and Settings\Dove\Application Data\Registry Cleaner
    2006-08-08 15:02 -------- d-------- C:\Program Files\Golden FTP Server
    2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 02:21 380 ---h----- C:\WINDOWS\WINRDPD40.SYS
    2006-07-18 12:02 91672 --a------ C:\WINDOWS\system32\drivers\khips.sys
    2006-07-18 12:02 284184 --a------ C:\WINDOWS\system32\drivers\fwdrv.sys
    2006-07-16 04:59 -------- d-------- C:\Program Files\B.Technologies
    2006-07-01 15:33 -------- d-------- C:\Documents and Settings\Dove\Application Data\vlc
    2006-07-01 12:57 -------- d-------- C:\Program Files\BreakPoint Software
    2006-06-16 17:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll
    2006-06-05 03:44 73216 --------- C:\WINDOWS\ST6UNST.EXE


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "ccRegVfy"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
    "NeroCheck"="C:\\WINDOWS\\system32\\\\NeroCheck.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "NUDGEMANIA"="C:\\Program Files\\NudgeMania\\NudgeMania.exe"
    "ActiveSpeed"="C:\\Program Files\\Ascentive\\ActiveSpeed\\AS.exe -b"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SHS"="\"C:\\Program Files\\Rogers\\SelfHealing\\SHS.exe\" /background"
    "Update Manager"="\"C:\\Program Files\\Rogers\\Update Manager\\UpdateManager.exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Windows Recycler"="ydardac.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000001

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhwp32


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
    C:\WINDOWS\tasks\Symantec NetDetect.job

    Completion time: 31/08/2006 14:29:47.26
    ComboFix.txt
    ComboFix2.txt
     
  9. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, looks like we have one more to get still, it's hanging on. And we need to hack two registry points as well.

    Let's reboot into safe mode and use Killbox with the same instructions in my previous post on the following entry:
    winhwp32.dll

    Then run HJT and fix the following if it appears:
    O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)

    Reboot into normal mode and back up your registry.

    Then click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices

    In the right hand side of the window, look for:
    Windows Recycler

    Highlight it right-click and delete it.

    Then navigate to:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winhwp32

    Highlight and delete the 'winhwp32' key.

    Close the registry, reboot, run ComboFix first then HJT and post both logs back here for what I hope will be a final review.
     
  10. 2006/08/31
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    I'm not able to open "Killbox" in safe mode. An error pops up saying "System Error 8H800706BA (-2147023174) The RPC server is unavailable."
     
  11. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    That's odd, I can't find any info on that error. I'll look around some. In the meantime, see if you can find the file and delete it manually.

    You may get some type of error stating the file is in use, if so, try this tool:

    DL Unlocker.

    Once installed:
    Locate the file
    Right-click and select 'Unlocker'
    In the window that appears select 'Unlock All'
    In the drop down menu select 'delete'.
     
  12. 2006/09/01
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    I went into safe mode and looked in my System32 folder for winhlp.dll but it was nowhere to be found (my folder options were set to "view hidden folders"), so then I ran HJT and scanned my computer and found
    O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)
    Should I go ahead and continue with your previous steps?

    Logfile of HijackThis v1.99.1
    Scan saved at 8:43:57 AM, on 01/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
    O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O8 - Extra context menu item: Download All Links with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEGetAll.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144709715359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144890222390
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  13. 2006/09/01
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, looks like we need to see if this is a rootkit.

    Please download RootKitRevealer from here

    Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire log file back into this thread for me to view.
     
  14. 2006/09/04
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    Data removed; the information contained email addresses of users and was not infection related.

    C:\Documents and Settings\Dove\Local Settings\Application Data\Microsoft\Messenger\xxxAThotmail.com\SharingMetadata\xxxxATmsn.com\DFSR\Staging\CS{4AF4C45A-2A57-4CCD-4ADA-39409124F0AB}\00\100-{4BB71EE2-752A-47D2-9281-F2878E644D58}-v100-{4BB71EE2-75 28/08/2006 6:42 PM 8 bytes Hidden from Windows API.

    TeMerc
     
  15. 2006/09/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, after looking over your last HJT file I noticed we still have an errant O4 running, which may be hooking the O20.

    Let's work Killbox on the following files:
    ydardac.exe
    winhwp32.dll


    Don't reboot after using it, I want you to search for that file name and delete each instance of it once we kill it.

    Click 'Start', select 'Run', type in REGEDIT when dialog box appears, hit 'Enter'.

    Once registry editor pops up, select 'Edit' from the menu, then select 'Find' and type in ydardac , hit 'Enter'.

    The registry will search for any items labeled as such. Delete all found, keep searching until all traces are removed.

    Run HJT and fix the following lines:

    O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe

    O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)

    Reboot, give me a new HJT log file along with an Uninstall List from HJT:
    Start HijackThis
    • Click on the Config button
    • Click on the Misc Tools button
    • Click on the Open Uninstall Manager button.
    • Click on the Save list button and specify where you would like to save the file.
    • When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents back here for me to look at.
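The manual clean-up in posts 9 and 15 boils down to translating HJT O4/O20 lines into the registry location each one lives in, backing that key up, and removing the entry whose image is missing or suspect. As an added example (not code from this thread, from HijackThis or from ComboFix), the Python below performs that mapping over a handful of HJT lines constructed to match the ones posted here, flags the two entries the helper singled out, and prints the `reg export` commands to run before deleting anything. The section-to-key table and the review heuristics (a RunServices entry, a bare file name with no path, a Winlogon Notify DLL reported as file missing) are my own assumptions about what made these lines stand out; a flag means "review", not "malware", as the untouched SoundMan entry shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: HijackThis O4/O20 lines in the format posted in
# this thread (clean Run entries for each hive, the RunServices entry and the
# Winlogon Notify entry the helper asked to have removed, one clean Notify entry).
SAMPLE_HJT_LINES = [
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
    r'O4 - HKLM\..\RunServices: [Windows Recycler] ydardac.exe',
    r'O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background',
    r'O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll',
    r'O20 - Winlogon Notify: winhwp32 - winhwp32.dll (file missing)',
]

# HJT abbreviates the key as "HKLM\..\Run"; these are the full keys regedit shows.
# Assumed mapping, written for this example.
HIVE_PREFIX = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BS = "\\"

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")


@dataclass
class Finding:
    line: str
    registry_key: str                 # key to open in regedit, and to back up first
    name: str                         # value name (O4) or Notify subkey name (O20)
    image: str                        # executable or DLL the entry loads
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def image_path(command: str) -> str:
    """Strip quotes and arguments from an autorun command, leaving only the image."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].strip() if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line: str) -> Optional[Finding]:
    """Map one HJT O4/O20 line to its registry location and note why it merits review."""
    m = O4_RE.match(line)
    if m:
        hive, subkey, name, command = m.groups()
        exe = image_path(command)
        f = Finding(line, HIVE_PREFIX[hive] + BS + subkey, name, exe)
        if subkey.lower() == "runservices":
            f.reasons.append("RunServices is a Win9x-era key; current software rarely uses it")
        if BS not in exe:
            f.reasons.append("bare file name with no path; resolved through the search path")
        return f
    m = O20_RE.match(line)
    if m:
        name, dll, missing = m.groups()
        f = Finding(line, WINLOGON_NOTIFY + BS + name, name, dll)
        if missing:
            f.reasons.append("Notify DLL not found on disk (HJT reports file missing)")
        if BS not in dll:
            f.reasons.append("bare DLL name with no path")
        return f
    return None  # other HJT sections are out of scope for this example


def triage(lines: List[str]) -> List[Finding]:
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def backup_commands(findings: List[Finding]) -> List[str]:
    """One 'reg export' per distinct key holding a flagged entry: back up before deleting."""
    keys: List[str] = []
    for f in findings:
        if f.suspicious and f.registry_key not in keys:
            keys.append(f.registry_key)
    return [f'reg export "{k}" "{k.rsplit(BS, 1)[-1]}.reg"' for k in keys]


if __name__ == "__main__":
    results = triage(SAMPLE_HJT_LINES)
    for f in results:
        status = "REVIEW" if f.suspicious else "ok"
        print(f"[{status}] {f.registry_key} :: {f.name} -> {f.image}")
        for r in f.reasons:
            print(f"         - {r}")
    print("\nBack up before editing:")
    for cmd in backup_commands(results):
        print("  " + cmd)
```

Running it reproduces the helper's reading of the log: the RunServices entry collects two flags (legacy key plus a bare `ydardac.exe`), the orphaned Notify subkey collects two (missing file, bare name), SoundMan collects one and is left for human judgment, and the backup list names exactly the keys the posts walk the user to in regedit.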
     
  16. 2006/09/05
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    ydardac.exe
    winhwp32.dll

    do not exist, at least that's what Killbox says
     
  17. 2006/09/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, can I please get the two logs as requested, thanks.
     
  18. 2006/09/05
    TyrelJ

    TyrelJ Inactive Thread Starter

    Joined:
    2006/08/30
    Messages:
    10
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 9:04:52 PM, on 05/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\system32\notepad.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NUDGEMANIA] C:\Program Files\NudgeMania\NudgeMania.exe
    O4 - HKLM\..\Run: [ActiveSpeed] C:\Program Files\Ascentive\ActiveSpeed\AS.exe -b
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
    O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
    O8 - Extra context menu item: Download All Links with IDM - C:\Documents and Settings\Dove\Desktop\Idm 4.05\internetdownloadmanagerv4.05build3trialtofullcrackgreatelmo\IEGetAll.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144709715359
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144890222390
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/tricksterActiveX.cab
    O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    ActiveSpeed
    Adobe Acrobat 5.0
    Adobe Flash Player 9 ActiveX
    AffinityRO Patcher
    BitComet 0.70
    Digital TV 2050
    Easy Macro Recorder 3.3
    GetRight
    Google Earth
    GuildFTPd FTP Deamon
    Hex Workshop v4.23
    Hotfix for Windows Media Format SDK (KB902344)
    Hotfix for Windows XP (KB896344)
    Intel(R) Extreme Graphics 2 Driver
    Internet Download Manager
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    KSignAccessToolkit v1.0
    Learn2 Player (Uninstall Only)
    LimeWire 4.12.6
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    Messenger Plus! Live
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Office Professional Edition 2003
    Microsoft Streets and Trips 2002
    Microsoft Windows Application Compatibility Database
    Mozilla Firefox (1.5.0.6)
    MSXML 4.0 SP2 ????? SDK
    Nero - Burning Rom
    Norton AntiVirus 2003
    Norton WMI Update
    Panda ActiveScan
    Performance Center
    PowRo Launcher
    QuickTime
    Ragnarok Online
    Ragnarok Sakray
    Real Alternative 1.49
    Realtek AC'97 Audio
    RF Online
    Rogers Self Healing (remove only)
    Rogers Update Manager (remove only)
    Rogers Yahoo! Applications
    Rose Online
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901190)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    SmartSleep 3.571
    Spybot - Search & Destroy 1.4
    StepMania (remove only)
    Student Resume Writer 4.5
    Sunbelt Kerio Personal Firewall
    TricksterEng
    Uninstall CEDP Stealer 5.0 for Messenger
    Uninstall NudgeMania 2.0 for MSN Messenger
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    VideoLAN VLC media player 0.8.5
    Viewpoint Media Player
    Windows Defender
    Windows Defender Signatures
    Windows Installer 3.1 (KB893803)
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Media Connect
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    XviD 1.1 final uninstall
    ZoneAlarm
     
  19. 2006/09/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, it seems that is a good log. Are you experiencing any more unwanted actions from your machine at this point? Let us know please.

    Also, is there anything in your Uninstall list that does not belong? It's hard sometimes to discern what should and shouldn't be there. If there happens to be, uninstall it, and let us know if you run into any problems.
     
