trojan agent winlogonhook



#1 rossyboy8

Posted 27 April 2006 - 12:15 PM

I have used Spy Sweeper and found this "trojan agent winlogonhook". I have done 5 scans and deleted it every time, but yet it still comes back.

Can anyone please help me? Here is my HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 19:06:42, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Ross\Desktop\Ross\Programs\Other\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=www.google.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

thanks in advance :thumbup:


#2 Susan528

Posted 27 April 2006 - 12:44 PM

Hello rossyboy8 and Welcome to TomCoyote,

Your HijackThis version is out of date. Please use the following link; in the left margin you will see the Download button.
http://www.tomcoyote.org/hjt/

Please post another HijackThis log with the new version.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 rossyboy8

Posted 27 April 2006 - 12:50 PM

Sorry, here's the new log.
--------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:49:09, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ross\Desktop\Ross\Programs\Other\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.google.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acif2vecce - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 Susan528

Posted 27 April 2006 - 01:26 PM

Thanks for the HijackThis log--I see the O23's now.

STEP 1.
======
SpySweeper
Please run SpySweeper again.
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes, the status bar at the bottom will display "Update successful".
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Blacklight

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
  • Hit I accept. It will take you to the download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click to accept the agreement and click Scan.
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Empty Recycle Bin
Reboot

Please post the results from SpySweeper and ewido, the contents of the fsbl....big number log, and a new HijackThis log.
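Susan's note above points at the O23 service entries, and the log in post #3 also lists three O20 Winlogon Notify DLLs, the hook point the thread title refers to. The following Python is an added example, not part of the thread or of HijackThis, that reads such log lines and flags what a helper would review first: Notify DLLs missing from an analyst-maintained allowlist, and services whose binary is missing or has no recorded owner. The allowlist contents are an assumption for the example; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4, O20 and O23 lines copied from the HijackThis log
# posted earlier in this thread (post #3).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acif2vecce - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Assumed analyst allowlist of Winlogon Notify DLLs already recognised as
# belonging to products installed on the box (the Symantec and Webroot
# entries seen in the log). Anything else is queued for review, not
# declared malicious by this script.
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "wrlogonntf.dll"}

# HijackThis line formats: "O20 - Winlogon Notify: <name> - <path>" and
# "O23 - Service: <name> - <owner> - <path>". An empty owner is printed as
# "name - - path", hence the optional space before the second dash.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?) ?- (?P<path>.+)$")


@dataclass
class Finding:
    section: str   # "O20" or "O23"
    name: str
    severity: str  # "high" or "low"
    reason: str
    line: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def review_hjt(log_text: str, known_notify_dlls=KNOWN_NOTIFY_DLLS) -> list[Finding]:
    """Return the O20/O23 entries an analyst should look at, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            dll = basename(m.group("path"))
            if dll not in known_notify_dlls:
                findings.append(Finding("O20", m.group("name"), "high",
                    f"Winlogon Notify DLL {dll} is not on the allowlist", line))
            continue
        m = O23_RE.match(line)
        if m:
            owner = m.group("owner").strip()
            path = m.group("path").strip()
            if path == "(no file)" or "(file missing)" in path:
                # Registered service with no binary on disk: either leftover
                # from a removed product or a persistence entry that was
                # partially cleaned, as the repeated detections here suggest.
                findings.append(Finding("O23", m.group("name"), "high",
                    "service is registered but its binary is missing", line))
            elif owner in ("", "-", "Unknown owner"):
                findings.append(Finding("O23", m.group("name"), "low",
                    "service binary has no recorded owner; verify its publisher", line))
    return findings


if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section} {f.name}: {f.reason}")
        print(f"    {f.line}")
```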

#5 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 27 April 2006 - 02:19 PM

The Spy Sweeper log has everything that's happened since it was installed. Shall I include it all, or shall I just use today's?

#6 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • Pip
  • 16 posts

Posted 27 April 2006 - 02:49 PM

Here are the scan results, sorry they took so long.
--------------------------------------------------------
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:13:38, 27/04/2006
+ Report-Checksum: 903FE10E

+ Scan result:

:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\cln6yn0l.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ehg-nvidia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.8:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.37:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.38:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.39:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.40:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.41:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.42:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.43:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.48:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.49:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.50:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.51:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.52:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.68:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup
:mozilla.76:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.77:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.78:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.79:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.80:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.81:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.89:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.90:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.91:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.100:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.101:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.102:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.104:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.105:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.116:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.126:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.131:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.132:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.140:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.182:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.184:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.188:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.189:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.191:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.192:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.218:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.219:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.223:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.224:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.228:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.229:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.230:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.231:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.241:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.245:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.246:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.247:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.248:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.251:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.252:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.253:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.329:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.339:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.359:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.360:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.392:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.393:C:\Documents and Settings\CALUM !!\Application Data\Mozilla\Firefox\Profiles\8hgyxawq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\CALUM !!\Cookies\calum !!@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Yazzle Sudoku\Sudoku.exe -> Dropper.VB.kk : Cleaned with backup


::Report End

------------------------

04/27/06 21:14:31 [Info]: BlackLight Engine 1.0.36 initialized
04/27/06 21:14:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/27/06 21:14:31 [Note]: 7019 4
04/27/06 21:14:31 [Note]: 7005 0
04/27/06 21:14:33 [Note]: 7006 0
04/27/06 21:14:35 [Note]: 7011 3188
04/27/06 21:14:35 [Note]: 7026 0
04/27/06 21:14:35 [Note]: 7026 0
04/27/06 21:14:44 [Note]: FSRAW library version 1.7.1015
04/27/06 21:20:30 [Note]: 7007 0

----------------------------

********
21:25: | Start of Session, 27 April 2006 |
21:25: Spy Sweeper started
21:25: Sweep initiated using definitions version 665
21:25: Starting Memory Sweep
21:30: Memory Sweep Complete, Elapsed Time: 00:04:52
21:30: Starting Registry Sweep
21:30: Found Trojan Horse: trojan agent winlogonhook
21:30: HKLM\software\microsoft\mssmgr\ (7 subtraces) (ID = 937101)
21:30: Registry Sweep Complete, Elapsed Time:00:00:18
21:30: Starting Cookie Sweep
21:30: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:30: Starting File Sweep
21:34: IE Tracking Cookies Shield: Removed atlas dmt cookie
21:46: File Sweep Complete, Elapsed Time: 00:16:00
21:46: Full Sweep has completed. Elapsed time 00:21:14
21:46: Traces Found: 8
********
-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 21:48:09, on 27/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Movie Maker\moviemk.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Ross\Desktop\Ross\Programs\Other\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.google.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acif2vecce - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#7 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 27 April 2006 - 04:02 PM

Thank you very much for logs.

Hello and Welcome to the Forums!

Please do the following:


======
Disable SpySweeper:
You have SpySweeper installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Open it, click >Options over to the left, then >program options, and uncheck "load at windows startup".
  • Over to the left click "shields" and uncheck all there.
  • Uncheck "home page shield".
  • Uncheck "automatically restore default without notification".
After all of the fixes are complete it is very important that you enable SpySweeper again.

======
Update Your Java
Update your Java to the latest version.
  • Uninstall any and all versions you have listed in add/remove programs
  • Install the latest version from here: http://www.java.com/en/
======
Scan with HijackThis. Place a check against each of the following:
O23 - Service: Acif2vecce - - (no file)
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

STEP 1.
======
Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\WINDOWS\SYSTEM32\winbue32.dll
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). See if you can find any company information, etc.

======
Regscan

Please download RegScan.
Within RegScan.zip you will find the file regscan.vbs
You may have to allow this script to run, or disable anti-spyware again in order for it to run.
A window will open titled RegFinder.vbs and you will see place to input search terms.
Please enter the search terms:
mssmgr
After the search has completed a window titled Results.txt will open.
Please copy the results and post (reply) back.

Post back the Jotti results, regscan results, and a fresh HijackThis log please.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#8 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • 16 posts

Posted 29 April 2006 - 04:22 AM

Here are the results
------------------------------

Windows Registry Editor Version 5.00

; Regscan.vbs Version: 1.2 by rand1038

; 29/04/2006 11:14:07
; Search Term(s) Used: "mssmgr"
; 2 matches were found.
; The search took 35 seconds.


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]

[HKEY_USERS\S-1-5-21-1606980848-1614895754-725345543-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="mssmgr"

------------------------------

Jotti was too high so I used Virus Total

Antivirus Result
AntiVir TR/Agent.QT.5
Avast Win32:Trojano-BJ
AVG Generic.STY
Avira TR/Agent.QT.5
BitDefender Backdoor.Vuro.A
CAT-QuickHeal no virus found
ClamAV no virus found
DrWeb BackDoor.Vuro
eTrust-InoculateIT Win32/SillyDL.12221!DLL!Trojan
eTrust-Vet Win32/Spudim.A
Ewido Trojan.Agent.qt
Fortinet W32/Agent.QT!tr
F-Prot no virus found
Ikarus Backdoor.Win32.Hupigon.BV
Kaspersky Trojan.Win32.Agent.qt
McAfee no virus found
Microsoft no virus found
NOD32v2 Win32/TrojanDownloader.Small.CML
Norman W32/Agent.ZVY
Panda Adware/PurityScan
Sophos no virus found
Symantec no virus found
TheHacker Trojan/Agent.qt
UNA Trojan.Win32.Agent
VBA32 BackDoor.Vuro

Virus Total Results
-------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:20:22, on 29/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\MessengerPlus! 3\MsgPlus1.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ross\Desktop\Ross\Programs\Other\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [E-KeyWork] C:\PROGRA~1\ELTech\Keyboard\Easymain.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.google.co.uk
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games....GamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acif2vecce - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------------------------
I did Fix Checked for O23 - Service: Acif2vecce - - (no file) but I noticed that it's still there.

#9 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • 16 posts

Posted 29 April 2006 - 09:37 AM

bump

#10 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 29 April 2006 - 09:44 AM

What's the bump for?



#11 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • 16 posts

Posted 01 May 2006 - 05:12 AM

What's the bump for?

Hoping that problem could be solved before I went away for weekend

#12 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • 16 posts

Posted 01 May 2006 - 05:39 AM

I did another Spysweeper scan and it came up with 2 more trojans, trojan-downloader-aux and trojan-downloader-errlook, plus there were more traces of trojan agent winlogonhook.

********
12:13: | Start of Session, 01 May 2006 |
12:13: Spy Sweeper started
12:13: Sweep initiated using definitions version 668
12:13: Starting Memory Sweep
12:16: Memory Sweep Complete, Elapsed Time: 00:03:20
12:16: Starting Registry Sweep
12:17: Found Trojan Horse: trojan agent winlogonhook
12:17: HKLM\software\microsoft\mssmgr\ (14 subtraces) (ID = 937101)
12:17: Registry Sweep Complete, Elapsed Time:00:00:24
12:17: Starting Cookie Sweep
12:17: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:17: Starting File Sweep
12:21: Found Trojan Horse: trojan-downloader-aux
12:21: win884.tmp.exe (ID = 282640)
12:21: Found Trojan Horse: trojan-downloader-errlook
12:21: win88a.tmp.exe (ID = 283245)
12:29: win97e.tmp.exe (ID = 282640)
12:29: win982.tmp.exe (ID = 280087)
12:31: win986.tmp.exe (ID = 283245)
12:33: File Sweep Complete, Elapsed Time: 00:16:39
12:33: Full Sweep has completed. Elapsed time 00:20:29
12:33: Traces Found: 20
12:34: Quarantining All Traces: trojan agent winlogonhook
12:34: Quarantining All Traces: trojan-downloader-aux
12:34: Quarantining All Traces: trojan-downloader-errlook
********
10:51: | Start of Session, 29 April 2006 |
10:51: Spy Sweeper started
10:51: Sweep initiated using definitions version 668
10:51: Starting Memory Sweep
10:54: Memory Sweep Complete, Elapsed Time: 00:03:28
10:54: Starting Registry Sweep
10:54: Found Trojan Horse: trojan agent winlogonhook
10:54: HKLM\software\microsoft\mssmgr\ (13 subtraces) (ID = 937101)
10:54: Registry Sweep Complete, Elapsed Time:00:00:15
10:54: Starting Cookie Sweep
10:54: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:54: Starting File Sweep
10:55: Found Trojan Horse: trojan-downloader-aux
10:55: srvlbin5[1].exe (ID = 280087)
10:55: win882.tmp.exe (ID = 280087)
10:55: mulbin1[1].exe (ID = 282640)
10:55: Found Trojan Horse: trojan-downloader-errlook
10:55: wizp32[1].exe (ID = 283245)
10:56: Sweep Canceled
10:56: File Sweep Complete, Elapsed Time: 00:01:50
10:56: Traces Found: 18
10:56: Quarantining All Traces: trojan agent winlogonhook
10:56: Quarantining All Traces: trojan-downloader-aux
10:56: Quarantining All Traces: trojan-downloader-errlook
10:57: Deletion from quarantine initiated
10:57: Processing: trojan agent winlogonhook
10:57: Processing: trojan-downloader-aux
10:57: Processing: trojan-downloader-errlook
10:57: Deletion from quarantine completed. Elapsed time 00:00:00
10:57: Processing Startup Alerts
10:57: Allowed Startup entry: msnmsgr
12:12: IE Tracking Cookies Shield: Removed atlas dmt cookie
12:12: IE Tracking Cookies Shield: Removed mediaplex cookie
12:12: Processing Startup Alerts
12:12: Allowed Startup entry: SunJavaUpdateSched
12:13: | End of Session, 01 May 2006 |
********

#13 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 01 May 2006 - 06:44 AM

Hello rossyboy8,

I have not forgotten you. I need a review of registry fixes before I can post. But please do the following meanwhile.

Please do the following:

http://www.thespykil...x.php?board=1.0

Please go to the link above and scroll down so that you see the board with the headings -subjects, started by, replies, etc. You will see a tab “New Topic” at the right. Please click the “New Topic” tab.

Then scroll down. Please enter your name and email address.
Copy and paste “for LonnyRJones” into the Subject line.

Copy and paste the following link into the box.
http://forums.tomcoy...=0

You will see the “Attach” below and click the “Browse” button and navigate to the following file on your computer:
C:\WINDOWS\SYSTEM32\winbue32.dll

Then please Click “Post”.

Please let me know if you were able to do this.

#14 rossyboy8

rossyboy8

    New Member

  • Authentic Member
  • 16 posts

Posted 01 May 2006 - 09:10 AM

I have done as you requested

#15 Susan528

Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 01 May 2006 - 06:02 PM

Hello rossyboy8,

Please do the following:

STEP 1.
======
Backup Your Registry with ERUNT
  • Please use the following link and scroll down to ERUNT and download it.
    http://aumha.org/freeware/freeware.php
  • For version with the Installer:
    Use the setup program to install ERUNT on your computer
  • For the zipped version:
    Unzip all the files into a folder of your choice.
Click Erunt.exe to back up your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

STEP 2.
======
Then, go to start-->run

and type this in:
notepad

Paste this into the box:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]

[HKEY_USERS\S-1-5-21-1606980848-1614895754-725345543-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"001"=-
Then click on the FILE menu and select save as
Save the file as regfix.reg. Save the file to the desktop.
IMPORTANT: make sure to save the file as "all types" and NOT as a text file

Now double click on regfix.reg and insert it into the registry.

STEP 3.
======

Hijackthis Delete on Reboot tool
  • Start Hijackthis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the button labeled Delete a file on reboot...
  • A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file:
    C:\WINDOWS\SYSTEM32\winbue32.dll
    Click on it once, and then click on the Open button.
  • You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button.
STEP 4.
======
Cleanmgr
To clean temporary files:
  • Go > start > run and type cleanmgr and click OK
  • Scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  • Click OK to remove those files.
  • Click Yes to confirm deletion.
STEP 5.
======
(copy and paste in start > run: )

sc delete Acif2vecce

Click Okay

STEP 6.
======
Scan with HijackThis. Place a check against each of the following:
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O23 - Service: Acif2vecce - - (no file)
Close all windows or browsers except for Hijackthis. Click on Fix Checked when finished and exit HijackThis.

Please post a new HijackThis log
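STEP 6 above removes an O20 Winlogon Notify entry and an O23 service that HijackThis reported with no file on disk. The following is an added example, not code from this thread or from HijackThis, showing how a helper could triage those two log sections automatically: it parses the O20/O23 lines, compares each Winlogon Notify DLL against a baseline of DLLs known to belong to installed software, and flags services whose binary is missing or carries no vendor name. The baseline set, the embedded sample lines (copied from the log above) and the names `triage_hjt` and `Finding` are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the O20 and O23 lines from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: winbue32 - C:\WINDOWS\SYSTEM32\winbue32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Acif2vecce - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Assumed baseline (not from the thread): Winlogon Notify DLLs belonging to
# software known to be installed on this machine (Symantec AntiVirus and
# Webroot Spy Sweeper). In a real case this list comes from a clean reference
# machine or vendor documentation, never from the suspect log itself.
WINLOGON_NOTIFY_BASELINE = {"navlogon.dll", "wrlogonntf.dll"}

# HijackThis prints "O20 - Winlogon Notify: <subkey> - <dll path>" and
# "O23 - Service: <display name> - <vendor> - <binary path>". When a service
# has no binary the vendor field is empty and the line collapses to
# "name - - (no file)", so the owner/path separator is matched leniently.
# Caveat: a vendor name containing " - " would shift the split.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.*?)\s*-\s*(?P<path>.+)$")


@dataclass
class Finding:
    section: str  # "O20" or "O23"
    name: str
    path: str
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path; the log mixes system32/SYSTEM32."""
    return path.rsplit("\\", 1)[-1].strip().lower()


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the O20/O23 entries of a HijackThis log that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # Any Winlogon Notify package outside the baseline gets flagged;
            # winbue32 is not tied to any installed product, unlike NavLogon/WRNotifier.
            if _basename(m["path"]) not in WINLOGON_NOTIFY_BASELINE:
                findings.append(Finding("O20", m["name"], m["path"],
                                        "Winlogon Notify DLL not in the baseline of known packages"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"].strip()
            owner = m["owner"].strip().lower()
            if "(no file)" in path or "(file missing)" in path:
                # Registered service with no binary: an orphaned entry or one
                # whose file is being hidden from the scanner; either way it
                # should be removed, as STEP 5 and STEP 6 do for Acif2vecce.
                findings.append(Finding("O23", m["name"], path,
                                        "service registered but its binary is missing"))
            elif owner in ("", "unknown owner"):
                findings.append(Finding("O23", m["name"], path,
                                        "service binary carries no vendor name; verify by hand"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f.section} {f.name!r}: {f.reason} [{f.path}]")
```

On the sample above the function flags winbue32, Acif2vecce and Adobe LM Service and leaves the Symantec and Webroot entries alone; the last one is a low-priority "verify" rather than a verdict.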
