Please Help With Virushelpzone.com


12 replies to this topic

#1 John York (New Member, 7 posts)

Posted 07 May 2007 - 08:36 AM

Guys and gals,

I have been hijacked!!! Probably around January my son was using MSN messenger (to the best of my knowledge) and I had not put Command Antivirus on this new laptop yet. Apparently he clicked on something he wasn't supposed to and I have not been able to get rid of the hijacker since. I have used Spybot, Adaware, and several other freeware malware removal programs, and also purchased one, but still can't get it off. Any help you can give at all would be most appreciated.

Here is the logfile for Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 9:00:51 AM, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.everex.com/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\coytndh\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\coytndh\csrss.exe
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: csrss.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...C_2.3.4.105.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoLinkup CRT Service - Collatus Corporation - C:\PROGRA~1\golinkup\xcrtsvc.exe
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OKI OPHG DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe



And here is the logfile for Startuplist:

StartupList report, 5/7/2007, 9:16:08 AM
StartupList version: 1.52.2
Started from : C:\Program Files\Hijackthis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\John\Start Menu\Programs\Startup]
csrss.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTimer = VTTimer.exe
VTTrayp = VTtrayp.exe
SoundMan = SOUNDMAN.EXE
SMSERIAL = sm56hlpr.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
SiteAdvisor = C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
csrss =
ISUSPM Startup = C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Easy SpyRemover = C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
untray = C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
dvprpt = C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
CSAV_CheckViruses = C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
avtray = C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
KodakDental = C:\Program Files\BPK\KodakDental.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

DW4 = "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
csrss =

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=C:\WINDOWS\system32\coytndh\csrss.exe
HKCU\..\Windows NT\CurrentVersion\Windows: run=C:\WINDOWS\system32\coytndh\csrss.exe
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://a1540.g.akama...ex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab

[FilePlanet Download Control Class]
InProcServer32 = C:\Program Files\IGN\Download Manager\FPDC.dll
CODEBASE = http://www.fileplane...C_2.3.4.105.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #4: C:\PROGRA~1\golinkup\xnetns.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 6,804 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Once again, thank you for any help you can offer.

Have a great week,

John York
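The first log above is easier to read as a set of tamper and persistence points than as a list of programs. The O1 lines send every listed security-vendor host (Grisoft, Trend Micro, Kaspersky, ewido, Zone Labs, BitDefender, Sysinternals, Avast, Webroot and the rest) to 1.1.1.1, a non-loopback address that is not the vendor's, so updates and online scanners silently fail. The F3 win.ini load=/run= values and the Startup-folder csrss.lnk both launch a csrss.exe from a random-named folder under system32, borrowing the name of a core Windows process. The O10 entry is a third-party Winsock LSP. The script below is an added example, not from the thread and not HijackThis logic: it applies those checks to lines copied from the first log plus one constructed hosts line; the vendor-name list, the core-process list and the severities are the example's own heuristics.

```python
"""Triage a HijackThis 1.99 log for hosts poisoning, win.ini hooks,
core-process name impersonation and unknown LSPs.

Added example, not from the thread. SAMPLE_LOG lines are copied from the
first log in the thread except the www.avast.com line, which is constructed
to exercise the vendor-name rule.
"""
import re
from ipaddress import ip_address

# Core Windows process names that malware borrows. The genuine binaries live
# only in %SystemRoot%\system32 and never appear as Run-key or Startup items.
CORE_PROCESS_NAMES = {"csrss", "smss", "winlogon", "lsass", "services", "svchost"}

# Security-vendor name fragments (heuristic list, taken from the thread's O1 lines).
VENDOR_HINTS = ("grisoft", "trendmicro", "kaspersky", "ewido", "zonelabs",
                "bitdefender", "sysinternals", "avast", "webroot", "merijn",
                "spywareinfo", "paretologic", "safety.live.com")

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
WININI_RE = re.compile(r"^REG:win\.ini:\s+(?P<key>load|run)=(?P<val>.*)$")

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virushelpzone.com/
F3 - REG:win.ini: load=C:\WINDOWS\system32\coytndh\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\coytndh\csrss.exe
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 127.0.0.1 www.avast.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - Startup: csrss.lnk = ?
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
"""


def _is_loopback(text):
    try:
        return ip_address(text).is_loopback
    except ValueError:
        return False


def _stem(path):
    """Lower-cased file name without extension, from a Windows path or bare name."""
    name = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return name.rsplit(".", 1)[0].lower()


def check_line(line):
    """Return (severity, reason) for one HijackThis line, or None if unremarkable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1"):
        return ("info", "browser start/search setting changed: " + body)

    if sec == "O1":
        h = HOSTS_RE.match(body)
        if h:
            ip, host = h.group("ip"), h.group("host").lower()
            if not _is_loopback(ip):
                return ("high", f"hosts file sends {host} to non-loopback {ip}")
            if any(v in host for v in VENDOR_HINTS):
                return ("high", f"hosts file sinkholes security vendor {host}")
        return None

    if sec == "F3":
        w = WININI_RE.match(body)
        if w and w.group("val").strip():
            return ("high", f"win.ini {w.group('key')}= hook runs {w.group('val').strip()}")
        return None

    if sec == "O4":
        target = body.split(":", 1)[1] if ":" in body else body
        target = re.sub(r"^\s*\[[^\]]*\]", "", target)   # drop "[RunValueName]"
        target = target.split("=", 1)[0]                 # "csrss.lnk = ?" -> "csrss.lnk"
        if _stem(target) in CORE_PROCESS_NAMES:
            return ("high", f"startup item named after core process {_stem(target)}")
        return None

    if sec == "O10":
        return ("medium", "third-party Winsock LSP; identify the product before touching it, "
                          "a mishandled LSP chain breaks all networking: " + body)
    return None


def triage(log_text):
    """Run check_line over a whole log; returns [(severity, section, reason), ...]."""
    findings = []
    for line in log_text.splitlines():
        hit = check_line(line)
        if hit:
            findings.append((hit[0], line.strip().split(" ", 1)[0], hit[1]))
    return findings


if __name__ == "__main__":
    for sev, sec, why in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {sec:4} {why}")
```

Run as-is it prints eight findings; point triage() at a saved log to use it on a real case. The O10 line is deliberately reported at medium rather than high: an LSP that belongs to a legitimate remote-access product has to be removed by that product's uninstaller, because deleting the DLL by hand leaves a dangling entry in the LSP chain and takes networking down with it.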



#2 Markka (Advanced Member, banned, 784 posts)

Posted 07 May 2007 - 12:25 PM

Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

#3 John York (New Member, 7 posts)

Posted 07 May 2007 - 12:46 PM

Markka wrote:
    Hi and welcome to the forums. :) I'm Markka and I will be helping you with your malware issues. I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by teachers of Malware Removal University. Please be patient. :)

Markka,

I probably should have told you this, but I had to run hijackthis.exe in Safe Mode because every time I tried to open it the malware apparently would immediately close it. So I booted in Safe Mode and ran the program from there.

Should have told you this before; sorry if that set you behind at all.

John York

#4 Markka (Advanced Member, banned, 784 posts)

Posted 08 May 2007 - 06:47 AM

Hello :)

You don't have a firewall on your computer. Here are free and good firewalls: (Install only one)

Comodo
OutPost
Kerio
Sygate
ZoneAlarm


Please Download MsnVirRem.exe to your desktop from one of the following mirrors.
  • First close any other programs you have running as this will require a reboot
  • Double click MsnVirRem.exe to run it
  • Once open, click the button labeled "Search and Destroy"
    <<Your computer will now be scanned for Infected Files>>
  • When scanning is finished, you will be prompted to reboot only if infected. Click OK
  • Now click the "REBOOT" Button.
  • After the Reboot, you WILL receive file not found errors (usually 4) please acknowledge them and continue.
  • A Message should popup from MsnVirRem if not, double click the program again and it will finish
Please Post the contents of C:\msnvirrem.log along with a fresh HijackThis log


Go to Jotti's Malware Scan.
  • Click on the "Browse" button
  • Find this file: C:\Program files\golinkup\xnetns.dll
  • Click on the "Submit" button
  • Copy/paste the results of Jotti's into a notepad.

Post:
- A fresh HijackThis log
- Contents of C:\msnvirrem.log
- The results of Jotti's

#5 John York (New Member, 7 posts)

Posted 08 May 2007 - 06:12 PM

Here they are, in the order you requested:

Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:06:27 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\BPK\KodakDental.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.everex.com/
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: MsnVirRem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...C_2.3.4.105.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoLinkup CRT Service - Collatus Corporation - C:\PROGRA~1\golinkup\xcrtsvc.exe
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OKI OPHG DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




msnvirrem.log:

MsnVirRem Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to msnvirremOLD.log

Fix running from: C:\Documents and Settings\Administrator\Desktop
5/8/2007
6:57:29 PM

---Infection Files Found---
C:\Documents and Settings\John\Start Menu\Programs\Startup\csrss.lnk
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\netstat.com

Rebooting...
Fixing Registry Permissions...
Editing Registry...
Fixing Host File...
**Fix Complete!**


Jotti's:
Scan taken on 09 May 2007 00:02:39 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing



If you need anything else, please let me know.

Also, I was able to run hijackthis in regular mode after running msnvirrem.

Thank you so much for your help.

John York
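The MsnVirRem log above lists C:\WINDOWS\system32\taskkill.com and C:\WINDOWS\system32\netstat.com as infection files, beside the genuine taskkill.exe and netstat.exe. Those names matter because of how cmd.exe resolves a bare command: for each directory on the search path it tries the name with each extension in PATHEXT, in order, and the default PATHEXT starts with .COM;.EXE. A taskkill.com dropped next to taskkill.exe is therefore what runs every time someone types "taskkill", with no registry change and no new process visible in a startup list. The block below is an added example, not from the thread and not MsnVirRem's logic: it models that resolution order and scans a directory for .com/.exe twins. The scratch directory and the empty dummy files are constructed so the demo runs on any OS; nothing in it is executed.

```python
"""Model cmd.exe command resolution and find PATHEXT shadowing.

Added example, not from the thread. resolve_command() follows the rule
cmd.exe applies to a bare name: each search directory in order, and within
it each PATHEXT extension in order, first match wins. Simplified: names
typed with an explicit extension and the current-directory special case
are not modelled. The demo directory is constructed for the example.
"""
import os
import tempfile

# Windows XP default PATHEXT, in order. .COM is checked before .EXE.
DEFAULT_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH"]


def resolve_command(name, search_dirs, pathext=DEFAULT_PATHEXT):
    """Return the file cmd.exe would launch for a bare command name, or None.

    Matching is case-insensitive, as on NTFS, so the model behaves the same
    when run on a case-sensitive filesystem.
    """
    for d in search_dirs:
        try:
            entries = {e.lower(): e for e in os.listdir(d)}
        except OSError:
            continue
        for ext in pathext:
            candidate = (name + ext).lower()
            if candidate in entries:
                return os.path.join(d, entries[candidate])
    return None


def find_shadowed(directory, pathext=DEFAULT_PATHEXT):
    """Map stem -> files (in PATHEXT order) for every stem with more than
    one PATHEXT candidate in the directory. First file in each list is the
    one that wins; if it is not the .exe, something is shadowing it."""
    by_stem = {}
    for entry in os.listdir(directory):
        stem, ext = os.path.splitext(entry)
        if ext.upper() in pathext:
            by_stem.setdefault(stem.lower(), []).append(entry)
    shadowed = {}
    for stem, files in by_stem.items():
        if len(files) > 1:
            files.sort(key=lambda f: pathext.index(os.path.splitext(f)[1].upper()))
            shadowed[stem] = files
    return shadowed


def build_demo_dir():
    """Constructed system32 look-alike: three genuine-looking .exe names plus
    the two .com twins named in the MsnVirRem log. All files are empty."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    for fname in ("taskkill.exe", "netstat.exe", "ping.exe",
                  "taskkill.com", "netstat.com"):
        open(os.path.join(d, fname), "wb").close()
    return d


def demo():
    """Return (what 'taskkill' resolves to, shadowing map) for the demo dir."""
    d = build_demo_dir()
    winner = resolve_command("taskkill", [d])
    return os.path.basename(winner), find_shadowed(d)


if __name__ == "__main__":
    winner, shadowed = demo()
    print("typing 'taskkill' runs:", winner)
    for stem, files in sorted(shadowed.items()):
        print(f"{stem}: {files[0]} shadows {', '.join(files[1:])}")
```

Pointed at a real %SystemRoot%\system32 instead of the scratch directory, find_shadowed() lists every stem with more than one PATHEXT candidate; the few legitimate .com files on a clean XP install (format.com, more.com, tree.com and similar) have no .exe twin, so any .com/.exe pair there deserves a look. The same ordering is why a cleanup script that calls "taskkill" or "netstat" by bare name on an infected box may be running the intruder's file: call tools by full path and extension, or from read-only media.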

#6 Markka (Advanced Member, banned, 784 posts)

Posted 09 May 2007 - 08:49 AM

Hello :)

Do you know what this program is? C:\Program files\golinkup


Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

*********************************************************************

Open HijackThis, click Do a system scan only, and check these entries. Then close all other windows except HijackThis and press Fix checked.

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Global Startup: MsnVirRem.exe


*********************************************************************
Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
*********************************************************************
Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
*********************************************************************
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
*********************************************************************

Make your hidden files visible:
  • Click start
  • Click my computer
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and close My Computer.
*********************************************************************
Go to VirusTotal.
  • Click on the "Browse" button
  • Find this file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
  • Then click on the "Open" button
  • Click on the "Send" button
  • Copy/paste the results of VirusTotal into a notepad.
*********************************************************************
Post:
- A fresh HijackThis log
- AVG's log
- Results of VirusTotal

#7 John York (New Member, 7 posts)

Posted 10 May 2007 - 10:37 AM

Golinkup is a program like pcAnywhere - I use it to log onto my server at the office from home if needed.

Here are the new logs you've requested:

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 11:31:35 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.everex.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...C_2.3.4.105.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoLinkup CRT Service - Collatus Corporation - C:\PROGRA~1\golinkup\xcrtsvc.exe
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OKI OPHG DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



AVG log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:24:32 AM 5/10/2007

+ Scan result:



C:\Program Files\BPK\KodakDental.exe -> Logger.Peflog.31 : Cleaned with backup (quarantined).
C:\Program Files\BPK\KodakDentalr.exe -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
C:\Program Files\BPK\KodakDentalun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.163 : Cleaned with backup (quarantined).
C:\Program Files\BPK\DentalFeeun.exe -> Not-A-Virus.Monitor.Win32.Perflogger.an : Cleaned with backup (quarantined).
C:\Program Files\BPK\DentalKeyvw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ca : Cleaned with backup (quarantined).
C:\Program Files\BPK\KodakDentalvw.exe -> Not-A-Virus.Monitor.Win32.Perflogger.ca : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.77:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.78:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.119:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.124:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.131:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.267:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.283:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.412:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.417:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.60:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.61:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.62:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.63:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.64:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.65:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.94:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.95:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.96:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.37:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.38:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.40:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.41:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.31:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.73:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.522:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.125:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.126:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.127:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.523:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.68:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.149:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.151:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Dealtime : Cleaned.
:mozilla.47:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.109:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.548:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.549:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.23:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.24:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.25:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.26:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.27:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.28:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.227:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.228:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.484:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.485:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.486:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.487:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.488:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.316:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.317:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.563:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.33:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.34:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.35:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.36:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.43:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.44:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.45:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.46:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.342:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.343:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.344:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.345:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.346:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.347:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.348:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.349:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.350:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.351:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.352:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.353:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.354:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.355:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.356:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.453:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.182:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.183:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.184:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.123:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.362:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.363:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.364:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.365:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.366:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.374:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.375:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.376:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.377:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.383:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.384:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.385:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.386:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.455:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.396:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.397:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.398:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.399:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.400:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.401:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.402:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.403:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.472:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.30:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.448:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.449:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.450:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\BPK\DentalKeyhk.dll -> Trojan.Keylog : Cleaned with backup (quarantined).
C:\Program Files\BPK\KodakDentalhk.dll -> Trojan.Keylog : Cleaned with backup (quarantined).


::Report end


VirusTotal:

STATUS: FINISHED
Complete scanning result of "OPHGLDCS.EXE", received in VirusTotal at 05.10.2007, 17:54:37 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.10.0 05.10.2007 no virus found
AntiVir 7.4.0.15 05.10.2007 no virus found
Authentium 4.93.8 05.10.2007 no virus found
Avast 4.7.997.0 05.10.2007 no virus found
AVG 7.5.0.467 05.09.2007 no virus found
BitDefender 7.2 05.10.2007 no virus found
CAT-QuickHeal 9.00 05.10.2007 no virus found
ClamAV devel-20070416 05.10.2007 no virus found
DrWeb 4.33 05.10.2007 no virus found
eSafe 7.0.15.0 05.10.2007 no virus found
eTrust-Vet 30.7.3624 05.10.2007 no virus found
Ewido 4.0 05.10.2007 no virus found
FileAdvisor 1 05.10.2007 no virus found
Fortinet 2.85.0.0 05.10.2007 no virus found
F-Prot 4.3.2.48 05.10.2007 no virus found
F-Secure 6.70.13030.0 05.10.2007 no virus found
Ikarus T3.1.1.7 05.10.2007 no virus found
Kaspersky 4.0.2.24 05.10.2007 no virus found
McAfee 5028 05.10.2007 no virus found
Microsoft 1.2503 05.10.2007 no virus found
NOD32v2 2256 05.10.2007 no virus found
Norman 5.80.02 05.10.2007 no virus found
Panda 9.0.0.4 05.10.2007 no virus found
Prevx1 V2 05.10.2007 no virus found
Sophos 4.17.0 05.08.2007 no virus found
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.10.2007 no virus found
TheHacker 6.1.6.112 05.10.2007 no virus found
VBA32 3.12.0 05.09.2007 no virus found
VirusBuster 4.3.7:9 05.10.2007 no virus found
Webwasher-Gateway 6.0.1 05.10.2007 no virus found


Additional Information
File size: 24576 bytes
MD5: e02af36be915f81168d68282dedb1a29
SHA1: dbb6d35a0a5249217d53fb64b69b8770fd26d951


Thanks again for your help.

John York

#8 Markka (Advanced Member, Banned, 784 posts)

Posted 11 May 2007 - 06:28 AM

Hello :)

I have a question for you: have you installed the BPK program?

Because BPK is a keylogger, you should change all your online passwords (e-mail, online banking, etc.). If possible, change your passwords from another computer and make sure it is clean.



Open HijackThis, click Do a system scan only, and checkmark this line. Then close all other windows except HijackThis and press Fix checked.

O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


******************************************************
Please download ATF-Cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
******************************************************
Kaspersky online scanner works only with IE!

Please run an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

******************************************************

Post:
- A fresh HijackThis log
- Kaspersky's report
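As an added example (not Markka's procedure and not code from HijackThis or AVG), here is a small Python triage script that applies the checks a helper makes by eye on the logs above: it flags orphan entries such as the O3 toolbar marked "(no file)", marks the Winsock LSP and unknown-owner service entries for verification rather than removal, and cross-references autorun entries against the AVG report so a launcher that still points at a quarantined BPK file stands out. The sample lines are copied from the logs posted in this thread; the severity labels are my own heuristics.

```python
"""Triage a HijackThis log and cross-check it against an AVG Anti-Spyware report.

Added example for this thread; not part of HijackThis, AVG or the helper's own
instructions. Severity labels are the example author's heuristics.
"""
import re

# Sample HijackThis lines, copied from the log posted in this thread.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
"""

# Sample AVG Anti-Spyware result lines, copied from the report posted in this thread.
AVG_SAMPLE = r"""
C:\Program Files\BPK\KodakDental.exe -> Logger.Peflog.31 : Cleaned with backup (quarantined).
C:\Program Files\BPK\KodakDentalhk.dll -> Trojan.Keylog : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
"""

# "O4 - <body>" / "R0 - <body>": section tag, then the rest of the line.
HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# "<path> -> <detection name> : <action>"
AVG_LINE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")
# A drive-letter path ending in a common binary extension; spaces allowed in the path.
WIN_PATH = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)


def parse_avg(report):
    """Map lowercased file path -> detection name for file hits (cookie hits skipped)."""
    hits = {}
    for line in report.splitlines():
        m = AVG_LINE.match(line.strip())
        if not m or m.group("path").startswith(":mozilla"):
            continue  # tracking-cookie entries are not files an autorun can launch
        hits[m.group("path").lower()] = m.group("name")
    return hits


def triage(hjt_log, avg_hits):
    """Return (section, severity, reason, line) for every HJT line worth a second look."""
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if "(no file)" in body or "(file missing)" in body:
            # Registry still references a component that is gone: harmless, safe to fix.
            findings.append((sec, "low", "orphan entry, target file is gone", line))
            continue
        if sec == "O10":
            # Removing a legitimate LSP breaks networking; identify the owner first.
            findings.append((sec, "info", "Winsock LSP: verify the owner before touching it", line))
            continue
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "info", "service with no publisher, verify the vendor", line))
            continue
        # An autorun (O4) or BHO (O2) whose target AVG already quarantined is a dangling
        # launcher; it should be fixed too, and it shows how the component was started.
        for path in WIN_PATH.findall(body):
            name = avg_hits.get(path.lower())
            if name:
                findings.append((sec, "high", f"points at file AVG flagged as {name}", line))
                break
    return findings


if __name__ == "__main__":
    for sec, sev, why, line in triage(HJT_SAMPLE, parse_avg(AVG_SAMPLE)):
        print(f"[{sev:4}] {sec}: {why}\n        {line}")
```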

#9 John York (New Member, 7 posts)

Posted 11 May 2007 - 09:47 PM

The BPK was Perfect Keylogger, a program that we installed to track the online activity of our children. We will take care of changing the passwords also.

Here are the posts:

Kaspersky:

KASPERSKY ONLINE SCANNER REPORT
Friday, May 11, 2007 10:40:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/05/2007
Kaspersky Anti-Virus database records: 317847
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 45422
Number of viruses found 5
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 00:49:19

Infected Object Name Virus Name Last Action
C:\Documents and Settings\John\.housecall6.6\Quarantine\DentalFee.exe.Quarantined.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\DentalFeer.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.bx skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\DentalKey.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\DentalKeyr.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\DentalKeyun.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\KodakDental.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\KodakDentalr.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\.housecall6.6\Quarantine\KodakDentalun.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\cert8.db Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\history.dat Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\key3.db Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\parent.lock Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\search.sqlite Object is locked skipped
C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Mozilla\Firefox\Profiles\8xr45iwq.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\Perflib_Perfdata_f24.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpkun.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpkvw.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/Setup.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpkwb.dll Infected: Trojan-Spy.Win32.Perfloger.i skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/BPKr.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe RAR: infected - 7 skipped
C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\EVEREX.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05223.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT071aa.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.



Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:48 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe
C:\Program Files\Authentium\Command AntiVirus\avtray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.everex.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...C_2.3.4.105.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoLinkup CRT Service - Collatus Corporation - C:\PROGRA~1\golinkup\xcrtsvc.exe
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OKI OPHG DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks again for your continued excellent support.

John York

#10 Markka (Advanced Member, Banned, 784 posts)

Posted 12 May 2007 - 02:57 AM

Hello :)


Empty this folder:
C:\Documents and Settings\John\.housecall6.6\Quarantine


Delete this file:
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe


Re-run with the Kaspersky online scanner!


Post:
- A fresh HijackThis log
- Kaspersky's report

#11 John York (New Member, 7 posts)

Posted 12 May 2007 - 07:40 AM

Here they are:

Kaspersky:

KASPERSKY ONLINE SCANNER REPORT
Saturday, May 12, 2007 8:37:52 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 12/05/2007
Kaspersky Anti-Virus database records: 318102
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 45915
Number of viruses found 5
Number of infected objects 16
Number of suspicious objects 0
Duration of the scan process 00:45:34

Infected Object Name Virus Name Last Action
C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\History\History.IE5\MSHist012007051220070513\index.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temp\Perflib_Perfdata_f24.dat Object is locked skipped
C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\DentalFee.exe.Quarantined.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.ad skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\DentalFeer.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.bx skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\DentalKey.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\DentalKeyr.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\DentalKeyun.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\KodakDental.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\KodakDentalr.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc3.6\Quarantine\KodakDentalun.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/bpkun.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/bpkvw.exe Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/Setup.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/bpkhk.dll Infected: not-a-virus:Monitor.Win32.Perflogger.ca skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/bpkwb.dll Infected: Trojan-Spy.Win32.Perfloger.i skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe/BPKr.exe Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\RECYCLER\S-1-5-21-746137067-1336601894-725345543-1004\Dc4.exe RAR: infected - 7 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\EVEREX.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05223.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT071aa.TMP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.


Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:19 AM, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
C:\Program Files\Authentium\Command AntiVirus\dvprpt.exe
C:\Program Files\Authentium\Command AntiVirus\avtray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.everex.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Easy SpyRemover] C:\Program Files\Easy SpyRemover\EasySpyRemover.exe /smart
O4 - HKLM\..\Run: [untray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\untray.exe
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\AUTHEN~1\COMMAN~1\dvprpt.exe
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\AUTHEN~1\COMMAN~1\vchk.exe
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\AUTHEN~1\COMMAN~1\avtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...C_2.3.4.105.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: avinitnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\avinitnt.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoLinkup CRT Service - Collatus Corporation - C:\PROGRA~1\golinkup\xcrtsvc.exe
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: OKI OPHG DCS Loader - Oki Data Corporation - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
O23 - Service: schscnt - Authentium, Inc. - C:\Program Files\Authentium\Command AntiVirus\schscnt.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks again,

John York
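As an added example (not code from this thread, nor from HijackThis or Kaspersky), a small Python triage script for the two log formats posted above: it parses the `Oxx - ...` entries, applies the checks a log reviewer makes by hand (a Winsock LSP HijackThis cannot identify, a service with no vendor, entries pointing at missing files), and cross-references O4 autorun entries against executable names an antivirus report flagged. The sample lines are constructed, modelled on this thread's logs, and the rules are this example's own heuristics, not features of either tool.

```python
"""Reviewer-side triage of HijackThis and Kaspersky online-scanner output.

The rules below are this example's own heuristics, not features of either tool.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in HijackThis 1.99 format, modelled on entries from the
# logs posted in this thread (not a verbatim copy).
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KodakDental] C:\Program Files\BPK\KodakDental.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\progra~1\golinkup\xnetns.dll
O23 - Service: GoLinkup Login Service - Unknown owner - C:\PROGRA~1\golinkup\xautosvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample of Kaspersky online-scanner result lines (same shape as in
# the thread: path, verdict, last action); the SID in the RECYCLER path is a placeholder.
SAMPLE_AV = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\RECYCLER\S-1-5-21-0-0-0-1004\Dc3.6\Quarantine\KodakDental.exe.bac_a03540 Infected: not-a-virus:Monitor.Win32.Perflogger.163 skipped
C:\Documents and Settings\John\My Documents\My Downloads\i_bpk2007.exe/bpkwb.dll Infected: Trojan-Spy.Win32.Perfloger.i skipped
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path in an entry: drive letter or %VAR%, optionally quoted.
PATH_RE = re.compile(r'"?((?:[A-Za-z]:|%\w+%)\\[^"]+?\.(?:exe|dll|cab))"?', re.IGNORECASE)
# Kaspersky result line for an infected object ("Object is locked" lines do not match).
AV_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
# Executable names inside a path, including names nested in archives
# (i_bpk2007.exe/bpkwb.dll) or renamed by quarantine (KodakDental.exe.bac_...).
FILE_RE = re.compile(r"[^\\/]+?\.(?:exe|dll)(?![A-Za-z0-9])", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, body, original line) for every HijackThis entry."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def av_flagged_names(text: str) -> Set[str]:
    """Lower-cased executable names taken from 'Infected:' lines of an AV report."""
    names: Set[str] = set()
    for raw in text.splitlines():
        m = AV_RE.match(raw.strip())
        if m:
            names.update(n.lower() for n in FILE_RE.findall(m.group("path")))
    return names


def triage(hjt_text: str, av_text: str = "") -> List[Finding]:
    """Apply the reviewer rules and return the entries worth a manual look."""
    flagged = av_flagged_names(av_text)
    findings: List[Finding] = []
    for sec, body, line in parse_hjt(hjt_text):
        if sec == "O10" and body.startswith("Unknown file"):
            findings.append(Finding(sec, "Winsock LSP that HijackThis cannot identify", line))
        if sec == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(sec, "service binary with no vendor information", line))
        if "(file missing)" in body:
            findings.append(Finding(sec, "entry points at a file that no longer exists", line))
        pm = PATH_RE.search(body)
        if sec == "O4" and pm:
            base = pm.group(1).rsplit("\\", 1)[-1].lower()
            if base in flagged:
                findings.append(Finding(sec, f"autorun entry for AV-flagged file {base}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_AV):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the samples it reports four entries; the O4 KodakDental line is reported only because the AV report names the same executable, which is the cross-check a reviewer would otherwise do by eye.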

#12 Markka (Advanced Member, Banned, 784 posts)

Posted 12 May 2007 - 10:28 AM

Hello :)


Your HijackThis log is clean! How is your computer running now?

Here are a couple of things on how to stay clean:
  • Clean speech:
  • Use Mozilla Firefox or Opera as your browser!
    Mozilla Firefox or Opera are better than Internet Explorer.
    Download Mozilla Firefox from here!
    Download Opera from here!
  • Install Hosts-file!
    Hosts-file blocks bad web addresses. Remember to update hosts-file regularly.
    Download Hosts-file from here!
  • Install WinPatrol!
    WinPatrol monitors your system and blocks hijacks.
    Download WinPatrol from here!
  • Install AVG Anti-Spyware!
    AVG Anti-Spyware detects and removes malware and cleans your registry too. Run a scan with Ad-aware regularly and update it before the scan.
    Download AVG Anti-Spyware from here!
  • Install CCleaner!
    CCleaner cleans your temporary files and also cleans your registry. Run CCleaner regularly.
    Download CCleaner from here!
  • Install Ad-Aware!
    Ad-aware detects and removes malware and cleans your registry too. Run a scan with Ad-aware regularly and update it before the scan.
    Download Ad-aware from here!
  • Install SpywareBlaster!
    SpywareBlaster blocks bad ActiveX components. Update it regularly.
    Download SpywareBlaster from here!
  • System restore!
    Clean and create a new system restore point regularly.
    How do I clean my system restore and create a new system restore point?
    Here are instructions!
  • Keep all programs updated!
    Remember to keep all programs up to date, Windows included. So please visit here regularly and install all critical updates.


#13 John York (New Member, 7 posts)

Posted 12 May 2007 - 12:26 PM

AWESOME!!! Thanks so much again for your help. And I'll take your recommendations and get those things done today. Have a great weekend. John
