#1 Member, Michigan

Multiple Trojans and other fun stuff

    Trying to help another buddy disinfect their laptop.
From what I gather, while he was online a browser tool "Trojan Security Toolbar" popped up and said it found "w32.myzor.fk@yf is a virus that infects files with .exe extensions.
It attempts to steal passwords & private information from the infected computer. Malwarecore is the recommended website to fix." or pretty much to that effect.
He went there and did their scan and it grabbed a couple of cookies, but not much else. I googled "Malwarecore" and it turns out to be crap.

So I had him run SUPERAntiSpyware and it found:
Rogue Antispykit
    Adware E404helper/variant-2
    Adware Tracking cookies
    Adware E404helper/hij
    Trojan security toolbar
    Trojan DNS Charger-codec
    Trojan media-codec/v4
Trojan unclassified/laf variant
    browser hijacker favorites

Here is the SUPERAntiSpyware scan log (minus some low-threat, embarrassing tracking cookies), which, by the way, didn't show up again in a spyware sweep after running Crap Cleaner earlier today. So I figured it would do no harm to leave them out of this log.

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com
    Generated 02/11/2008 at 07:25 PM
    Application Version : 3.9.1008
    Core Rules Database Version : 3399
    Trace Rules Database Version: 1391
    Scan type : Complete Scan
    Total Scan Time : 01:07:53
    Memory items scanned : 806
    Memory threats detected : 2
    Registry items scanned : 7866
    Registry threats detected : 97
    File items scanned : 62460
    File threats detected : 314
    Rogue.AntiSpyKit
    C:\PROGRAM FILES\ANTISPYKIT 5.2\ANTISPYKIT 5.2.EXE
    C:\PROGRAM FILES\ANTISPYKIT 5.2\ANTISPYKIT 5.2.EXE
    [AntiSpyKit 5.2] C:\PROGRAM FILES\ANTISPYKIT 5.2\ANTISPYKIT 5.2.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\AntiSpyKit 5.2.exe
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{99965386-DDBA-7C5F-F6AD-E71795A53C28}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{F4912433-A9D2-A9E9-563F-305BAA81AD6B}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{1BB4ACBE-B6B2-8F60-DEAE-2D5C9B599990}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{7D63EF79-091A-21B4-26BB-2B5212AC91B7}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{3377CDAA-33F3-7FB5-8DCB-A5733F1E8738}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{291B8F25-FCA4-D263-3FBB-F6E9963CD971}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{0E94FCC9-65BA-2304-B53B-C4DD32D41787}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{678EEC79-84BC-7A73-4A07-2B40017E159F}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{7B89EB84-E8C5-D9DB-C792-90228F55A9FD}
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{E5B3D94C-6983-2235-2A37-87E44D4D98A3}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{3E9CFD46-348D-5EC1-EAF5-445CB02DD8E6}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{8E9DE80C-805A-461F-6FD8-AAAD5E757839}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{9EAFC35B-F333-70D8-74E4-B094FA23B2E7}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{230FBE28-6A66-414C-AE97-126A99602FDB}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{23239E7F-A4AB-E4ED-FB1B-1FEF5801E9C5}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{11B5D7CE-C5B7-9E11-852E-3A5A58E1D259}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{C58C0142-25A2-7370-FC60-2F85831C6A35}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{BDAE6ABF-D991-F2AB-D063-CF29DC1E990F}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{2EBBB9D8-48E7-1C34-B1F2-115154D3DECA}
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{42ECF855-4CD7-73E2-741C-498410667329}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{3254CA73-07E7-34A9-7562-C6E127061AFB}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{4D096D89-DF2C-615F-8AD7-12A611A56C79}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{1245F44F-0D84-FED4-4791-65130B664B50}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{AFDEB37F-C0C7-4924-04BC-95FA42879A21}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{0B2645BE-A2C1-8FA0-E88D-EC70329D4821}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{6EF821C1-3612-1AEB-B4CB-CE869E52238C}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{522624BA-7C5D-41D9-DF3D-E7C2E3ABA95E}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{2E029ED9-BCFB-8CB3-505D-8800678A020E}
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{D1AB2654-82B4-4640-88AB-339D34A4E45D}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{E384FB3C-EB02-0C49-A79E-21918E22967C}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{DD052636-6CE8-D627-DF20-7EF84304AB96}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}#{F0D8DAF1-313E-BF4A-88EB-1AA238DC95C9}
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\ebjaLdnq
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\glsyaejaZdhHv
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\gsqiEZNdx
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\gthhakrt
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\InprocServer32
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\InprocServer32#InprocServer32
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\kWbvlwzo
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\NhpPbvsq
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\ouXllmqlulcv
HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\qaTeyvqtDI
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\qiKyzvfxKj
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\rvrvvgxz
    HKCR\CLSID\{3935B537-3E6D-04ED-ABB3-ACB16A699E3B}\xcqcs
    HKLM\Software\AntiSpyKit 5.2
    HKLM\Software\AntiSpyKit 5.2#Language
    HKLM\Software\AntiSpyKit 5.2#FirstStart
    HKLM\Software\AntiSpyKit 5.2#registered
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#DisplayIcon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#NSIS:StartMenuDir
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#URLInfoAbout
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntiSpyKit 5.2#Publisher
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#AntiSpyKit 5.2 [ "C:\Program Files\AntiSpyKit 5.2\AntiSpyKit 5.2.exe" /h ]
    C:\Program Files\AntiSpyKit 5.2\db.dat
    C:\Program Files\AntiSpyKit 5.2\DbgHelp.Dll
    C:\Program Files\AntiSpyKit 5.2\generalConfig.xml
    C:\Program Files\AntiSpyKit 5.2\ignored.lst
    C:\Program Files\AntiSpyKit 5.2\Lang\English.ini
    C:\Program Files\AntiSpyKit 5.2\Lang
    C:\Program Files\AntiSpyKit 5.2\Logs\scan_log_02102008-232555.html
    C:\Program Files\AntiSpyKit 5.2\Logs\scan_log_02102008-233849.html
    C:\Program Files\AntiSpyKit 5.2\Logs\scan_log_02102008-234839.html
    C:\Program Files\AntiSpyKit 5.2\Logs
    C:\Program Files\AntiSpyKit 5.2\monitorConfig.xml
    C:\Program Files\AntiSpyKit 5.2\msvcp71.dll
    C:\Program Files\AntiSpyKit 5.2\msvcr71.dll
    C:\Program Files\AntiSpyKit 5.2\Quarantine\backup 10.02.2008 23-54-50.nfo
    C:\Program Files\AntiSpyKit 5.2\Quarantine\backup 10.02.2008 23-54-50.zlb
    C:\Program Files\AntiSpyKit 5.2\Quarantine
    C:\Program Files\AntiSpyKit 5.2\scannerConfig.xml
    C:\Program Files\AntiSpyKit 5.2\uninst.exe
    C:\Program Files\AntiSpyKit 5.2\usageStats.xml
    C:\Program Files\AntiSpyKit 5.2
    C:\Users\T\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AntiSpyKit 5.2
    C:\Users\T\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AntiSpyKit 5.2.lnk
    C:\Users\T\Desktop\AntiSpyKit 5.2.lnk
    C:\Users\T\AppData\Roaming\Microsoft\Windows\Start Menu\AntiSpyKit 5.2.lnk
    C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANTISPYKIT 5.2\ANTISPYKIT 5.2.LNK
    C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\PROGRAMS\ANTISPYKIT 5.2\ANTISPYKIT 5.2.LNK
    Adware.E404 Helper/Variant-A
    C:\PROGRAM FILES\HELPER\1202697106.DLL
    C:\PROGRAM FILES\HELPER\1202697106.DLL
    HKLM\Software\Classes\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\InprocServer32
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\InprocServer32#ThreadingModel
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\ProgID
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\Programmable
    HKCR\CLSID\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}\VersionIndependentProgID
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F10587E9-0E47-4CBE-ABCD-7DD20B862223}
    Adware.Tracking Cookie
    Trojan.Security Toolbar
    C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
    Trojan.DNSChanger-Codec
    HKCR\CLSID\E404.e404mgr
    HKCR\CLSID\E404.e404mgr#UserId
    Trojan.Media-Codec/V4
    HKCR\videoPl.chl
    HKCR\videoPl.chl\CLSID
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#ProductionEnvironment
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayIcon
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#DisplayVersion
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MultiMedia Software#Publisher
    Adware.E404 Helper/Hij
    HKCR\E404.e404mgr
    HKCR\E404.e404mgr\CLSID
    HKCR\E404.e404mgr\CurVer
    HKCR\E404.e404mgr.1
    HKCR\E404.e404mgr.1\CLSID
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\0\win32
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\FLAGS
    HKCR\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}\1.0\HELPDIR
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\ProxyStubClsid32
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib
    HKCR\Interface\{F7D09218-46D7-4D3D-9B7F-315204CD0836}\TypeLib#Version
    Browser Hijacker.Favorites
    C:\$RECYCLE.BIN\S-1-5-21-2785799777-3489074118-2922591132-1000\$R1NDFRQ.URL
    C:\$RECYCLE.BIN\S-1-5-21-2785799777-3489074118-2922591132-1000\$R6Z2AL9.URL
    C:\$RECYCLE.BIN\S-1-5-21-2785799777-3489074118-2922591132-1000\$RXKWTY4.URL
    C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\ONLINE SECURITY GUIDE.URL
    C:\USERS\T\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\VIRTUALIZED\C\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\ONLINE SECURITY GUIDE.URL
    Trojan.Unclassifed/LAF-Variant
    C:\USERS\T\APPDATA\LOCAL\TEMP\LAF2.EXE
    C:\Windows\Prefetch\LAF2.EXE-85165D31.pf


So we ran Crap Cleaner, then his trial version of Norton, and it too only found a few cookies.
Ran SUPERAntiSpyware again today and it found nothing, but I doubt that we're out of the woods yet.
Had him download and install HJT and ran it through your scanner, and it said there were some suspicious entries, and here we are.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:24:58 PM, on 2/12/2008
    Platform: Windows Vista (WinNT 6.00.1904)
    MSIE: Internet Explorer v7.00 (7.00.6000.16575)
    Boot mode: Normal
    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\SBC\update\SST.exe
    C:\Program Files\Common Files\AOL\1199482975\ee\aolsoftware.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Vongo\Tray.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Internet Explorer\IEUser.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [SBC_McciTrayApp] C:\Program Files\SBC\update\SST.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199482975\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Vongo Tray.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
    O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
    --
    End of file - 10587 bytes

As of right now he claims the "Trojan Security Toolbar" is no longer flashing on his browser. Norton popped up to tell him his homepage had changed; we reset it and Norton calmed down.

    Let me know what you guys come up with.
    And as always,
    Thanks, Jeff
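Added example (not code from this thread or from Help2Go): a small Python triage script that parses HijackThis v2 log lines of the kind shown above into their sections and flags the entries a helper usually checks first. The sample lines are copied from the log in this post except for the [LAF2] autorun line, which is constructed to show how an autorun pointing into the user's Temp folder (where the SUPERAntiSpyware log found LAF2.EXE) would be surfaced. The heuristics are prompts to verify, not verdicts: the nameless BHO in this log is Norton's own NppBho.dll.

```python
import re
from collections import Counter

# Constructed sample in HijackThis v2 log format. All lines except the
# [LAF2] autorun are copied from the thread's log; that one is made up here
# to show how a temp-folder autorun gets flagged.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [LAF2] C:\Users\T\AppData\Local\Temp\LAF2.EXE
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# Every HJT finding starts with a section tag (R0, O2, O23, ...) and " - ".
SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Per-section bodies; the regexes mirror the line shapes in the log above.
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<path>.+)$")
SUBPARSERS = {"O2": BHO_RE, "O4": RUN_RE, "O10": LSP_RE, "O23": SVC_RE}


def parse_hjt(text):
    """Turn HJT log text into a list of dicts; non-finding lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue  # header, process list, blank line, "End of file"
        entry = {"section": m.group("sec"), "raw": line}
        sub = SUBPARSERS.get(entry["section"])
        if sub:
            sm = sub.match(m.group("body"))
            if sm:
                entry.update(sm.groupdict())
        entries.append(entry)
    return entries


def triage(entries):
    """Return (reason, line) pairs for entries that deserve a second look."""
    findings = []
    for e in entries:
        sec = e["section"]
        if sec == "O4" and "cmd" in e and "\\temp\\" in e["cmd"].lower():
            findings.append(("autorun launched from a temp folder", e["raw"]))
        elif sec == "O2" and e.get("name") == "(no name)":
            findings.append(("BHO without a display name; confirm the DLL's vendor", e["raw"]))
        elif sec == "O23" and e.get("owner") == "Unknown owner":
            findings.append(("service with no recorded publisher; confirm the binary", e["raw"]))
    # Repeated LSP entries are common (one per protocol chain) but worth listing once.
    lsp_counts = Counter(e.get("path", "").lower() for e in entries if e["section"] == "O10")
    for path, n in lsp_counts.items():
        if n > 1:
            findings.append((f"Winsock LSP file listed {n} times", path))
    return findings


if __name__ == "__main__":
    for reason, line in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{reason}] {line}")
```

Run it on a saved log by replacing SAMPLE_LOG with the file contents; the output is a short list to check by hand, which is how a helper would read the full log in this post: the O4 autoruns and O2/O3 browser add-ons first, then the O23 services with no publisher.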

#2 Mich, Help2Go Moderator, Toronto, Canada

    Hi Jeff, my own personal opinion of course, perhaps you should have your friend visit us here?

Going through logs is usually more than a one-answer process here, which makes it a little hard to do with someone acting as a middleman.

Have your friend download and run CCleaner again on the default settings, and after that follow this tutorial.

#3 Member, Michigan

Sorry for not getting back, but it seems he doesn't want to join up.
Also, Pandascan and HouseCall won't work on Vista.
He said the "PopUp tool Bar" hasn't reappeared.
Made a CD of all the different scan tools out there for him to install and run.
    I'll see how it goes.

    Thanks,
    I think?

    Jeff

#4 Oddjob, Member, London, U.K.

    Due to lack of posts from the original poster this thread is closed. Should the original poster wish it to be reopened please PM a moderator.

    Everyone else please start your own new topic in the forum.

    Thank you.

    OJ